do you use SPF TXT RRs? (RFC4408)

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Oct 4 21:28:11 UTC 2010


On Mon, 04 Oct 2010 17:05:12 EDT, Suresh Ramasubramanian said:
> dig throwaway1.com NS
> dig throwaway2.com NS
> 
> etc etc ... and then check_sender_ns_access in postfix, for example.

Yes, that *is* better than whack-a-mole on the same DNS server, but...

The NANOG lurker in the next cubicle used to do that.  Turned out the
bang-for-buck wasn't as good as we hoped - it doesn't take too many
false-positive errors blocking 20,000 domains hosted on the same DNS server as
one spammer before the collateral damage becomes too painful. Our cost of
dealing with a false positive is a lot higher than a false negative, especially
once you factor in goodwill - people don't like spam, but a false positive on
something they consider important causes more ire than 10x as many false
negatives.

That, and when our block list hit 150K entries or so, its size caused *other*
issues with various things that were never designed for block lists quite that
big...
