North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: Criminals, The Network, and You [Was: Something Else]
Hi All, It seems to me reverse DNS just isn't an acceptable anti-spam measure. Too many broken reverses exist with smaller companies (try getting a 3rd party to fix it). It's not that hard for a bot to figure out a DSL's reverse entry and use that for its HELO. And there are a lot more effective pre-processing anti-spam measures, including greylisting (with its own problems) and reputation-based systems. Best Regards, Jason -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Stephen Satchell Sent: Wednesday, September 12, 2007 9:55 AM To: [email protected] Subject: Re: Criminals, The Network, and You [Was: Something Else] My mail servers return 5xx on NXDOMAIN. If my little shop can spend not too much money for three-9s reliability in the DNS servers, other shops can as well. When I first deployed the system, the overwhelming majority of the rejects were from otherwise known spam locations (looking at Spamhaus, Spamcop, and a couple of other well-known DNSBLs). The number of false positives were so small that whitelisting was easy and simple to maintain. If a shop is not multihomed, they can contract with one or more DNS hosts to provide high-availability DNS, particularly for their in-addr.arpa zones. It's not hard. Nor expensive. Paul Ferguson wrote: > Re-sending due to Merit's minor outage. > > - ferg > > > ---------- Forwarded Message ---------- > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - -- Robert Blayzor <[email protected]> wrote: > >> The fact that they're rejecting on a 5xx error based on no DNS PTR is a= > > bit harsh. While I'm all for requiring all hosts to have valid PTR > records, there are times when transient or problem servers can cause a > DNS lookup failure or miss, etc. If anything they should be returning a= > > 4xx to have the remote host"try again later". > > Oh, wait till you realize that some of the HTTP returns are bogus > altogether -- and actually still serve malware. > > It's pretty rampant right now. :-/ > > - - ferg > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > > wj8DBQFGxR1lq1pz9mNUZTMRApQRAKCEOLpuu69A1+B4vCHQTZs+hHLKaACcD1Ak > 9JNwl2i1mL08WNUQSlXBYGM=3D > =3DffuN > -----END PGP SIGNATURE----- > > > -- > "Fergie", a.k.a. Paul Ferguson > Engineering Architecture for the Internet > fergdawg(at)netzero.net > ferg's tech blog: http://fergdawg.blogspot.com/ > > > > !SIG:46e80d6b62576097418713!