North American Network Operators Group


RE: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)

  • From: Joseph Johnson
  • Date: Thu Jan 13 10:07:15 2005

>> Basically a call to operators to adopt a consistent forward and
>> reverse DNS naming pattern for their mailservers, static IP netblocks,
>> dynamic IP netblocks etc.
>
> ...and to ISPs to facilitate the process by supporting their users who
> want to run mail servers, and helping the rest of us use such techniques
> to quarantine the spew from zombies and less conscientious mail admins.
>
> I'm always willing to be educated on why it is impossible for any given
> ISP to maintain an in-addr.arpa zone with PTRs for their customers who
> wish to be treated like real admins, as opposed to casual consumer-grade
> users with dynamically assigned addresses.


The problem is it is easier to set it up with a single standard
4-3-2-1.dialup.xyzisp.com than to change the IN-ADDR to mail.customer2.com.
I only have an rDNS entry on the box at home because I used to work for the
ISP.  It's still there only because they probably haven't noticed, and will
not until I draw attention to it or I give up the space if I cancel service.

Still, it took me 3 minutes to put rDNS on most of 7 of 16 in my /28.  It
existed in their provisioning system to do it, but no one knew how.  We
couldn't even market it as a service, because it "didn't exist" in the
system.  I can't imagine, though, SBC being able to cope with tens of
thousands of small business DSL accounts suddenly needing rDNS on their
static IPs.

Another question, though, is how they handle IN-ADDR and SWIP for dedicated
circuits.  If they can do it for a T1 customer, can they do it for a DSL
customer?  Maybe an online form the customer can maintain?  Lord knows that
would be better than trying to call their DSL tech support...


Joe Johnson
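The receiving-side check that the quoted proposal enables (forward-confirmed reverse DNS plus a naming-pattern test for generic dynamic-pool names like 4-3-2-1.dialup.xyzisp.com) can be sketched in a few lines. This is an added example, not code from the original post or from NANOG; the PTR and A tables are constructed stand-ins for live DNS so it runs offline, the example.net/xyzisp.example names are invented, and the dynamic-name regexes are an assumed heuristic, not a standard.

```python
import re

# Constructed stub data standing in for PTR and A lookups (assumption: offline).
# A real deployment would replace these two tables with resolver calls.
PTR_TABLE = {
    "192.0.2.10": "mail.customer2.example",            # customer-run MX, proper rDNS
    "192.0.2.11": "4-3-2-1.dialup.xyzisp.example",     # generic dynamic-pool name
    "192.0.2.12": "host12.static.xyzisp.example",      # ISP static block name
    # 192.0.2.13 deliberately has no PTR at all
    "192.0.2.14": "mx.forged.example",                 # PTR whose A record points elsewhere
}
A_TABLE = {
    "mail.customer2.example": ["192.0.2.10"],
    "4-3-2-1.dialup.xyzisp.example": ["192.0.2.11"],
    "host12.static.xyzisp.example": ["192.0.2.12"],
    "mx.forged.example": ["198.51.100.5"],
}

# Assumed heuristic: labels or leading octet strings that ISPs commonly use for
# dynamically assigned pools.  Tune to the conventions your own MTA sees.
DYNAMIC_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"(^|[.-])(dialup|dyn|dynamic|dhcp|ppp|pool|cable|dsl)([.-]|$)",
    r"^\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[.-]",
)]


def lookup_ptr(ip, table=PTR_TABLE):
    """Return the PTR name for ip, or None if the in-addr.arpa entry is missing."""
    return table.get(ip)


def lookup_a(name, table=A_TABLE):
    """Return the list of A records for name (empty list if none)."""
    return table.get(name, [])


def classify_sender(ip, ptr_lookup=lookup_ptr, a_lookup=lookup_a):
    """Classify a connecting SMTP client's address.

    Returns one of:
      "no-ptr"          - no reverse entry at all
      "fcrdns-mismatch" - PTR exists but its A record does not include ip
      "dynamic"         - forward-confirmed, but the name matches a dynamic-pool pattern
      "static"          - forward-confirmed and not obviously a pool name
    The caller decides policy (e.g. greylist or reject "dynamic"/"no-ptr").
    """
    ptr = ptr_lookup(ip)
    if ptr is None:
        return "no-ptr"
    if ip not in a_lookup(ptr):
        return "fcrdns-mismatch"
    if any(p.search(ptr) for p in DYNAMIC_PATTERNS):
        return "dynamic"
    return "static"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"):
        print(ip, classify_sender(ip))
```

The point of separating the FCrDNS test from the naming-pattern test is that they fail differently: a missing or mismatched PTR is something the sender's ISP can fix only by provisioning the entry (the situation the post complains about), while a generic pool name is a policy signal that a consistently named static block avoids by construction.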