Re: educating rDNS violators
From: Derek Schaible (dschaible_at_cssiinc.com)
Date: 08/25/04
- Previous message: Erich D. Heintz: "RE: unable to join domain from dmz"
- Maybe in reply to: SMiller_at_unimin.com: "educating rDNS violators"
- Next in thread: David Gillett: "RE: educating rDNS violators"
- Reply: David Gillett: "RE: educating rDNS violators"
- Reply: token: "Re: educating rDNS violators"
To: security-basics@securityfocus.com
Date: Wed, 25 Aug 2004 14:20:25 -0400
On Wed, 2004-08-25 at 13:55, someone wrote:
>
> This becomes even further complicated if a company is hosting with
> somebody who provides "virtual domain" mail hosting. The server could
> be mail.somefamily.net, but have a reverse DNS entry that points to
> mail.myprovider.net. How is that invalid? Just because the records
> don't match doesn't make me a spammer!
> > Mail servers should have correct DNS info. Forward and reverse. It is
> > the sysadmin's responsibility to ensure that their systems are
> > configured properly. Period.
I wanted to respond to this point to the list before I get flooded with
similar replies.

True, such a situation does not make you a spammer but using a virtual
domain will in no way impact the reverse DNS of the smtp server from
which the email is delivered. Reverse DNS is not matching the address of
the smtp server to the domain name in the email address. This would
break many things like reply-to, etc.

All it is doing is verifying that the server is who it claims to be.
Virtual mail domains are not impacted. I run many virtual email domains
as well for every website we host. These accounts can happily send mail
through our company's SMTP server, arrive intact and survive an rDNS
lookup.

As I've stated earlier, filtering out mail from servers with a bad rDNS
will dramatically reduce your spam and that's a fact to live by. There
is always a means in which you can configure a valid email system that
will pass this test. Some require more imagination than others, but it
can always be done and should always be done if you want to guarantee
that your mail will be delivered and not rejected.
-- Derek Schaible <dschaible@cssiinc.com> CSSI, Inc.
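
An added example, not part of the original message: a sketch of the check the message describes, assuming it means forward-confirmed reverse DNS (the PTR name of the connecting IP must resolve back to that IP). The zone data, host names and function names are constructed for illustration, and no real DNS is queried.

```python
import ipaddress

# Constructed sample zone data (documentation address ranges, hypothetical names).
PTR = {
    "192.0.2.25": ["mail.myprovider.example"],   # shared SMTP host for many virtual domains
    "198.51.100.7": ["host7.dialup.example"],    # PTR exists, but the forward record disagrees
    # 203.0.113.9 deliberately has no PTR record
}
A = {
    "mail.myprovider.example": ["192.0.2.25"],
    "host7.dialup.example": ["198.51.100.99"],
}

def lookup_ptr(ip):
    """Stand-in for a PTR query against the constructed table."""
    return PTR.get(ip, [])

def lookup_a(name):
    """Stand-in for an A query against the constructed table."""
    return A.get(name.rstrip(".").lower(), [])

def check_rdns(client_ip, ptr=lookup_ptr, fwd=lookup_a):
    """Return (verdict, confirmed_name) for the connecting IP only."""
    ip = ipaddress.ip_address(client_ip)
    names = ptr(str(ip))
    if not names:
        return ("no-ptr", None)
    for name in names:
        for addr in fwd(name):
            try:
                if ipaddress.ip_address(addr) == ip:
                    return ("pass", name.rstrip(".").lower())
            except ValueError:
                continue  # ignore malformed forward data
    return ("mismatch", None)

def accept_mail(client_ip, mail_from):
    """Reject on bad rDNS. mail_from is deliberately never compared:
    the check is about the server's identity, not the sender's domain."""
    verdict, _name = check_rdns(client_ip)
    return (verdict == "pass", verdict)

if __name__ == "__main__":
    for ip, sender in [("192.0.2.25", "dad@somefamily.example"),
                       ("203.0.113.9", "offer@bulk.example"),
                       ("198.51.100.7", "offer@bulk.example")]:
        print(ip, sender, accept_mail(ip, sender))
```

The first sample shows the virtual-domain case from the quoted objection: the sender's domain differs from the server's PTR name, and the message is still accepted.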