fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)
joseph.johnson at hostwaycorp.com
Thu Jan 13 15:05:09 UTC 2005
>> Basically a call to operators to adopt a consistent forward and
>> reverse DNS naming pattern for their mailservers, static IP netblocks,
>> dynamic IP netblocks etc.
> ...and to ISPs to facilitate the process by supporting their users who
> want to run mail servers, and helping the rest of us use such techniques
> to quarantine the spew from zombies and less conscientious mail admins.
> I'm always willing to be educated on why it is impossible for any given
> ISP to maintain an in-addr.arpa zone with PTRs for their customers who
> wish to be treated like real admins, as opposed to casual consumer-grade
> users with dynamically assigned addresses.
The problem is that it is easier to set it up with a single standard
4-3-2-1.dialup.xyzisp.com than to change the IN-ADDR to mail.customer2.com.
I only have an rDNS entry on the box at home because I used to work for the
ISP. It's still there only because they probably haven't noticed, and will
not until I draw attention to it or I give up the space if I cancel service.
Still, it took me 3 minutes to put rDNS on most of 7 of 16 in my /28. It
existed in their provisioning system to do it, but no one knew how. We
couldn't even market it as a service, because it "didn't exist" in the
system. I can't imagine, though, SBC being able to cope with tens of
thousands of small business DSL accounts suddenly needing rDNS on their
Another question, though, is how they handle IN-ADDR and swip for dedicated
circuits. If they can do it for a T1 customer, can they do it for a DSL
customer? Maybe an online form the customer can maintain? Lord knows that
would be better than trying to call their DSL tech support...
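As an added illustration (not part of this thread or any poster's code), here is the receiver-side check that the naming-pattern proposal above enables: a sending IP whose PTR embeds its own octets (the 4-3-2-1.dialup.xyzisp.com style) or carries a dynamic-pool label is treated as consumer-grade, and everything else must pass forward-confirmed rDNS before it is trusted. The DNS tables and `.example` names are constructed sample data; a real deployment would replace them with resolver lookups, and the code assumes IPv4.

```python
import ipaddress
import re

# Constructed sample DNS data standing in for real PTR/A lookups (hypothetical).
PTR_TABLE = {
    "198.51.100.4": "4-100-51-198.dialup.xyzisp.example",  # generic dynamic-pool name
    "198.51.100.77": "mail.customer2.example",              # operator-assigned PTR
    "198.51.100.78": "mail.customer3.example",              # PTR whose A record disagrees
}
A_TABLE = {
    "mail.customer2.example": ["198.51.100.77"],
    "mail.customer3.example": ["203.0.113.9"],
}

# Labels ISPs commonly use for dynamic/consumer ranges (assumed list, extend per policy).
DYNAMIC_HINTS = re.compile(r"(dialup|dyn|dhcp|pool|ppp|cable|dsl)", re.I)


def embeds_address(ptr: str, ip: str) -> bool:
    """True if the PTR name contains the IP's four octets as consecutive
    labels, in forward or reversed order (e.g. 4-3-2-1.dialup.xyzisp.com)."""
    octets = ip.split(".")
    tokens = re.split(r"[.-]", ptr)
    for i in range(len(tokens) - 3):
        chunk = tokens[i:i + 4]
        if chunk == octets or chunk == octets[::-1]:
            return True
    return False


def classify(ip: str, ptr_lookup=PTR_TABLE.get,
             a_lookup=lambda name: A_TABLE.get(name, [])) -> str:
    """Classify a connecting IPv4 sender into a policy bucket:
    no-ptr          -> no reverse entry at all
    generic-dynamic -> PTR looks like an ISP pool name, not a mail host
    no-fcrdns       -> PTR exists but its forward A record does not point back
    confirmed       -> forward-confirmed reverse DNS, treat as a real mail admin
    """
    ipaddress.IPv4Address(ip)  # reject malformed or non-IPv4 input early
    ptr = ptr_lookup(ip)
    if not ptr:
        return "no-ptr"
    if embeds_address(ptr, ip) or DYNAMIC_HINTS.search(ptr):
        return "generic-dynamic"
    if ip not in a_lookup(ptr):
        return "no-fcrdns"
    return "confirmed"
```

Only "confirmed" senders get the real-admin treatment; the other buckets are where a receiver applies its quarantine or greylisting policy.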