Internet.com ISP-Planet

 



 

Best of the ISP-Lists


Let's Block All Stupid Mail

Members of the ISP-Tech list want to block spam but say that lazily configured or poorly configured mail systems have lowered the value of one of the most simple and elegant solutions.

[January 30, 2003]

A rambling discussion about spam and e-mail security on the ISP-Tech list in January heated up when DA said this about reverse DNS:

"Remember that rDNS is optional, and there has been quite serious discussion about removing rDNS from IPv6 altogether."

[PH immediately asked] "Out of curiosity, why? Do you have any Google searches or links to discussion threads that say why rDNS would be removed?"

[ed note: here's a useful Google search on common uses of reverse DNS in anti-spam systems. At press time, Google yielded no information on any proposals to eliminate reverse DNS functionality.]

[DA responded] "Because people wrongly depend on it as a 'security' measure. Numerous security exploits have used the fact that administrators have put trust in the results of a rDNS lookup, and trusted a host that shouldn't have been trusted.

Others assume that rDNS offers some kind of authentication or improved trustworthiness of the user. It doesn't offer any authentication or increased level of trustworthiness. Assuming so is a mistake that often results in harm."

[DB replied] "Security, as with anti-mail abuse, should be implemented in layers. I depend on layers, not one 'security' solution. With regard to mail abuse, a mail server lacking reverse DNS is not RFC 1912 section 2.1 compliant, and an overwhelming amount of spam is relayed or originates from servers without reverse DNS. Therefore, reverse DNS is used as a layer, not a solution, for fighting mail abuse. I insist on putting trust in layers, not one mega-solution."

[DD added] "I once stopped accepting mail from mailservers without reverse DNS and it stopped at least 50 percent of spam by itself. If there weren't so many clueless admins running legitimate mail servers I would still be doing it. It was extremely effective but had too many false positives for use in a residential ISP."

[KW noted] "We've just started trying it and it has proved to be pretty good at blocking spam but it does kill some legitimate e-mail. So far I've had to whitelist a few IPs, but not enough to really bother me enough to stop using reverse DNS."

[JS argued] "I figure if someone has theirs set up wrong it's the price they have to pay for stupidity. If a user complains, I'll have them tell that admin that he can call me for information on how to set up his network correctly."

[TB disagreed] "Okay, those stupid admins should know better than to not have rDNS set up. They should be blocked. Now that is a novel idea, let's block legitimate mail servers because those stupid admins don't have rDNS set up. Oops. Let's not be so hasty. Let's look at arin.net to see who is authoritative for that block of IPs. Oh my, seems their upstream is responsible. So now it's not the admin of the mail server that's the problem. It seems they've actually subnetted that block out in subnets of /27 and they don't want to hassle with the rDNS.

I'm just giving a point of view that I've had to deal with. What do you do when the upstream's too lazy to even second a rDNS zone that's legit?"

[JS replied] "It's the responsibility of the admin to be aware, and if it's the upstream provider, the upstream needs to be notified and dealt with."

[PH vented] "The more we keep putting up with stupidity and laziness on the part of some of the upstream providers, the more they'll keep trying to get away with, and the worse the Internet will become."

[DA asked] "If anti-spammers go out of control, isn't there a risk that rDNS will become completely useless as even a convenience and will be removed?"

[PH replied] "rDNS works fine when used properly. Getting rid of it because people don't set it up correctly is just dumb. While rDNS certainly isn't at all secure (people can pretty much put anything they want in a PTR record) there is at least some level of authentication by matching it to the forward domain. If the forward domain has an A record that matches the connecting address, then you at least know someone at that domain sanctions that server.

It's better than nothing and it gives you a domain to send abuse reports to and a domain to block if they ignore too many of them. It's also a way to do whitelisting without someone trying to cheat and forge the domain names they know you have whitelisted. If rDNS is eliminated, then we'll have to use some kind of signed crypto certificate-based MTA-to-MTA mail delivery system."
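The check PH describes, matching the PTR name back to a forward A record before trusting it for whitelisting, written out as an added example (not code from the list or from ISP-Planet). The function names, the sample zone data and the three verdict labels are assumptions made for illustration; the addresses and names are constructed from documentation ranges.

```python
import socket

# Constructed sample data: documentation IP ranges and example.* names only.
PTR = {
    "192.0.2.10": ["mail.example.org"],  # PTR and A agree
    "192.0.2.66": ["mail.example.org"],  # PTR claims a name whose A does not point back
    "198.51.100.7": [],                  # no PTR, e.g. the upstream never delegated the /27
}
A = {"mail.example.org": ["192.0.2.10"]}

def sample_ptr(ip):
    return PTR.get(ip, [])

def sample_a(name):
    return A.get(name.lower().rstrip("."), [])

def live_ptr(ip):
    """PTR lookup through the system resolver; empty list on any failure."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def live_a(name):
    """Forward lookup through the system resolver; empty list on any failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def fcrdns(ip, ptr_lookup=live_ptr, a_lookup=live_a):
    """Return (verdict, names). Only names whose forward record lists the
    connecting IP are returned; a bare PTR string is never trusted."""
    names = ptr_lookup(ip)
    if not names:
        return ("no-ptr", [])
    confirmed = [n.lower().rstrip(".") for n in names if ip in a_lookup(n)]
    return ("confirmed", confirmed) if confirmed else ("unconfirmed", [])

def whitelisted(ip, allowed_domains, **lookups):
    """Whitelist by domain only when the name is forward-confirmed, so a
    forged PTR naming a whitelisted domain does not pass."""
    verdict, names = fcrdns(ip, **lookups)
    return verdict == "confirmed" and any(
        n == d or n.endswith("." + d) for n in names for d in allowed_domains)
```

The "no-ptr" and "unconfirmed" verdicts are kept distinct so a mail filter can weigh them as one layer among several instead of rejecting outright, which is where the thread reports false positives.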

—End
