Re: More frustrating that not having [ietf] (Fw: Undelivered Mail Returned to Sender)

On Wed, 17 Dec 2003, Theodore Ts'o wrote:

> On Wed, Dec 17, 2003 at 10:14:43PM -0500, shogunx wrote:
> > On Thu, 18 Dec 2003, Mark Smith wrote:
> > 
> > > I find this more frustrating. I have a dynamic IP address, because
> > > fixed IP address ADSL isn't very common here in Australia. So I use
> > > DYNDNS to map my domain MX records. I can't get matching PTR
> > > records.
> > >
> > > I'm assuming my mail bounced because I don't have matching PTR and
> > > MX records.
> > >
> > > Why should email assume fixed IP addresses for email delivery, or
> > > rather, matching PTR and MX records ?

They shouldn't assume this.  PTR records are optional.  Some places in the
world don't have them at all. Some ISPs don't have them because they
choose not to bother.  Some that choose to bother don't have them "right"
per the demands of the reverse DNS checkers.

The claim that "if forward and reverse DNS match, then you can trust the
IP"  is false. No such trust relationship can be deduced from the relevant
RFCs, and the use of reverse DNS is optional.

The few people that promote such configurations are well aware that they
are violating RFCs, and they are aware that they are creating security
vulnerabilities by causing people to place inappropriate faith and trust
in DNS responses.

The "Reverse DNS check" also fails if there is not a one-host/one-IP
mapping. There is no support for this condition in the DNS RFCs so it too
is a false assumption. This condition is often violated by multihomed
hosts.

The usual reason given for this check is to block spam. But they should
also know that spammers neither choose their IP addresses, nor whether
those IP addresses have reverse DNS. Reverse checking as a spam indicator
is just checking the value of a random variable that has no relationship to
spam.

It is an irony that the residential ISPs most plagued by spammers
generally have reverse DNS configured such that this test passes. If you
were to use DNS as a spam indicator, it would be more sensible to choose
the presence of Reverse as an indicator of spam, than an indicator of
non-spam.  But it would still be testing the particular value of a random
variable.

		--Dean
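The forward-confirmed reverse DNS check Dean is describing, together with the cases where it fails, as an added example that is not code from this thread. The PTR/A tables, the IP addresses, the sample traffic and the function names are constructed assumptions, not real DNS records.

```python
from enum import Enum

class Verdict(Enum):
    NO_PTR = "no PTR record for the IP"
    PTR_NOT_CONFIRMED = "PTR name does not resolve back to the IP"
    CONFIRMED = "forward and reverse agree"

# Constructed sample DNS data (not real records): IP -> PTR names, name -> A records.
PTR_TABLE = {
    "203.0.113.10": ["mail.example.net"],    # PTR and A agree
    "203.0.113.20": [],                       # no PTR at all
    "203.0.113.30": ["host.example.org"],     # multihomed host, A records on other interfaces
    "203.0.113.40": ["dsl-40.isp.example"],   # generic residential PTR that still passes
}
A_TABLE = {
    "mail.example.net": ["203.0.113.10"],
    "host.example.org": ["198.51.100.5", "198.51.100.6"],
    "dsl-40.isp.example": ["203.0.113.40"],
}

def fcrdns_check(ip, ptr_table=PTR_TABLE, a_table=A_TABLE):
    """Classify an IP the way a forward-confirmed reverse DNS checker does:
    a PTR must exist and at least one PTR name must resolve back to the IP."""
    names = ptr_table.get(ip, [])
    if not names:
        return Verdict.NO_PTR
    if any(ip in a_table.get(name, []) for name in names):
        return Verdict.CONFIRMED
    return Verdict.PTR_NOT_CONFIRMED

def tally_by_verdict(messages, ptr_table=PTR_TABLE, a_table=A_TABLE):
    """Count spam and non-spam senders under each verdict. The verdict depends
    only on DNS data the sender did not choose, so it carries no information
    about the message itself."""
    counts = {v: {"spam": 0, "ham": 0} for v in Verdict}
    for ip, is_spam in messages:
        verdict = fcrdns_check(ip, ptr_table, a_table)
        counts[verdict]["spam" if is_spam else "ham"] += 1
    return counts

# Constructed sample traffic: (sender IP, labelled as spam?)
SAMPLE_MESSAGES = [
    ("203.0.113.10", False),  # legitimate mail host, passes
    ("203.0.113.20", False),  # legitimate host without PTR, rejected
    ("203.0.113.30", False),  # legitimate multihomed host, rejected
    ("203.0.113.40", True),   # compromised residential machine, passes
]
```

Running `tally_by_verdict(SAMPLE_MESSAGES)` shows the CONFIRMED bucket holding one spam and one legitimate sender while both rejected senders are legitimate, which is the mismatch between the check and its stated purpose that the post argues.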
