North American Network Operators Group


Re: is reverse dns required? (policy question)

  • From: Steven Champeon
  • Date: Wed Dec 01 15:05:09 2004

on Wed, Dec 01, 2004 at 02:41:00PM -0500, [email protected] wrote:
> On Wed, 01 Dec 2004 13:16:49 EST, Steven Champeon said:
> 
> > FWIW, 40% or more of the inbound spam mail here comes from hosts with a
> > generic rDNS naming convention (even after DNSBLs and other obvious
> > forgery checks such as hosts using my domain(s)/IP(s) in HELO/EHLO). We
> > simply quarantine any mail from hosts without rDNS at all, and reject
> > all mail from non-whitelisted generic hosts.
> 
> Any issues with dealing with the distinction between (for instance)
> FOO.generic.BAR.(com|net|org) (where generic is the 3rd level) and
> FOO.generic.BAR.co.uk (where it's a level further down)?  Similarly, do you
> just treat all of *.info or *.biz as a generic swamp?  Any other TLD-related
> issues you've identified in counting up that 40%?

Well, for various reasons I maintain a database of some ~7K or so naming
conventions and run my matches against all of them (using a TLD-based
right-to-left sort, but still, I know it can be done more efficiently).
The practice stems from the days (5/03) when I'd only mapped some 1500 or
so conventions. 

The access.db checks are done right-to-left, too, so 

Connect:dhcp.vt.edu     ERROR:5.7.1:"550 go away, dynamic user"

Wouldn't catch 1.2.3.4.dhcp.vt.edu.example.com anyway.

All of my matches are currently done on the whole rDNS hostname string,
not on a subset, though I'm moving towards a left-anchored subset as it
cuts my live pats down from ~7K to ~3200 or so. (e.g., refusing mail from
hosts with names like ^h[0-f]{8}\. instead of checking all of the pats
that start with h[0-f]{8}). I've got a list of the most common 100 or so
left-anchored pat subsets, and hope to put them into practice here soon.
So I may have more feedback then.

I don't simply treat info/biz as a swamp in practice, no - despite the
fact that they're obviously pretty well flooded and swarming :/

So, no TLD-related issues of the sort you seem interested in.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
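The two matching styles discussed above, as an added illustration that is not code from the message or from hesketh.com: a right-to-left suffix lookup in the manner of a sendmail access.db Connect: key, beside a left-anchored pattern check on the rDNS name, wired into the quarantine/reject/accept policy the thread describes. The rule set, whitelist and sample hostnames are constructed for the example; only dhcp.vt.edu appears in the message, and [0-9a-f] is used where the message writes [0-f].

```python
import re

# Constructed rules in the style of access.db "Connect:" keys. A key matches
# the connecting host's rDNS name when it equals the name or a label-aligned
# suffix of it, which is why 1.2.3.4.dhcp.vt.edu.example.com is not caught.
GENERIC_SUFFIXES = {
    "dhcp.vt.edu",        # the one entry quoted in the message
    "dsl.example.net",    # constructed
    "ppp.example.org",    # constructed
}

# Constructed left-anchored pattern subsets, in the spirit of the message's
# ^h[0-f]{8}\. example: match the start of the name, not the whole string.
GENERIC_LEFT_PATTERNS = [
    re.compile(r"^h[0-9a-f]{8}\."),                        # h0a1b2c3d.<rest>
    re.compile(r"^(?:\d{1,3}[-.]){3}\d{1,3}\."),           # 1.2.3.4.<rest> / 1-2-3-4.<rest>
    re.compile(r"^(?:dhcp|ppp|dsl|cable|pool|dyn)-?\d"),   # dhcp-123.<rest>
]

# Constructed whitelist of generic-looking hosts that are allowed anyway.
WHITELIST = {"mail.example.com"}


def suffix_match(host, suffixes=GENERIC_SUFFIXES):
    """Right-to-left lookup: strip leading labels one at a time and return the
    first remaining suffix that is a key, or None. Mirrors how a Connect: key
    in access.db matches a domain and everything under it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return None


def left_match(host, patterns=GENERIC_LEFT_PATTERNS):
    """Left-anchored check: return the first pattern whose anchor matches the
    start of the hostname, or None. Independent of how many labels follow."""
    name = host.lower().rstrip(".")
    for pat in patterns:
        if pat.search(name):
            return pat.pattern
    return None


def classify(rdns):
    """Policy from the thread: no rDNS -> quarantine; generic name that is
    not whitelisted -> reject; anything else -> accept.
    `rdns` is the PTR result for the connecting IP, or None if there is none."""
    if not rdns:
        return "quarantine"
    host = rdns.lower().rstrip(".")
    if host in WHITELIST:
        return "accept"
    if suffix_match(host) or left_match(host):
        return "reject"
    return "accept"


if __name__ == "__main__":
    for h in (None, "1.2.3.4.dhcp.vt.edu", "1.2.3.4.dhcp.vt.edu.example.com",
              "h0a1b2c3d.dsl.example.net", "mail.example.com", "smtp.example.org"):
        print(h, "->", classify(h),
              "suffix:", suffix_match(h) if h else None,
              "left:", left_match(h) if h else None)
```

The second hostname shows the point made in the message: the suffix lookup stops at dhcp.vt.edu.example.com and never sees dhcp.vt.edu, while a left-anchored pattern on the dotted-quad prefix still flags it.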