Re: educating rDNS violators

From: Derek Schaible (dschaible_at_cssiinc.com)
Date: 08/25/04

    To: security-basics@securityfocus.com
    Date: Wed, 25 Aug 2004 07:08:17 -0400
    
    
    

    On Mon, 2004-08-23 at 15:17, token wrote:

    > However, I'm not sure exactly how this is supposed to stop spam.
    > Most implementations I've seen just check to see if a reverse DNS
    > entry exists. You can put anything you want in there. Only the
    > implementations that check that a reverse DNS record exists and then
    > check that the forward resolves to the same IP seem to do any good.

    The way this helps spam reduction is that the vast majority of spam
    comes from exploited machines running rogue MTAs or some script kiddie
    on their DSL or cable modem. Such hosts will typically not have a valid
    rDNS entry. Additionally, if a company is sending legitimate email they
    will have no issues with you verifying their hosts in this manner. Many
    spam attempts will spoof a name of an SMTP server that most people will
    allow. Adding rDNS stops this action.

    Mail servers should have correct DNS info. Forward and reverse. It is
    the sysadmin's responsibility to ensure that their systems are
    configured properly. Period.

    Of course, there are some companies with correctly configured DNS who
    are spam friendly and this tactic will not block them. However, those
    companies are few in comparison to the hacked/violated/kiddie machines
    that will not have correct DNS info. These spam-friendly systems with
    correct DNS info are trivial to blacklist.

    Hope this helps, too!

    -- 
    Derek Schaible <dschaible@cssiinc.com>
    CSSI, Inc.
    
    


