Criminals, The Network, and You [Was: Something Else]

Steven Champeon schampeo at hesketh.com
Wed Sep 12 17:20:02 UTC 2007


on Wed, Sep 12, 2007 at 10:13:00AM -0600, Jason J. W. Williams wrote:
> It seems to me reverse DNS just isn't an acceptable anti-spam measure.
> Too many broken reverses exist with smaller companies (try getting a 3rd
> party to fix it). It's not that hard for a bot to figure out a DSL's
> reverse entry and use that for its HELO. And there are a lot more
> effective pre-processing anti-spam measures, including greylisting (with
> its own problems) and reputation-based systems. 

Your first sentence and your third are in direct conflict, as are your
first and your fourth - please understand that the use of rDNS
(especially generic - as distinct from known dynamic or static) is an
extremely effective tool against the botnets, and can itself be an
extremely useful input into "reputation-based systems".

As for your second sentence, well, you're right in saying that blocking
solely on the perceived absence of, or generic nature of, rDNS naming is
probably prone to false positives, but nonetheless it's not really my
responsibility to ensure that you choose a decent service provider with
the ability to provide proper and current and specific identification
for your IP. If more ISPs dealt with abuse issues on their own networks,
this wouldn't be such a big deal - but it's difficult for me to accept
mail from, say, a host named 'dsl-static-pool.1.2.3.4.bigisp.example.net'
when I've seen hundreds of thousands of abusive messages from hosts with
that same naming convention, all bots. YMM, of course, V.

As for the third, well, now you know why I use generic rDNS detection to
defeat bots. As you say, "It's not that hard for a bot to figure out
[any infected host]'s reverse entry and use that for its HELO". In fact,
that's exactly what many of them do, when they're not forging well known
services or sending unqualified/unresolvable strings in HELO/EHLO. And
that, in itself, is responsible for over a fifth of our SMTP-time spam
detections (and rejections, so there's no outscatter, unlike with a wide
variety of "antispam" appliances, such as Barracudas). It's a sensible
and sane perimeter defense tactic, far better than what I see most doing.

If you're running a mail source, make damn sure it's got non-generic
rDNS /and/ that it's configured to HELO with something that doesn't make
it look like a "bot", and you'll stand a much better chance of
delivering mail to me and my service's users. If you're not, well, the
time is running short for you to fix that brokenness.

Steve

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
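A defender-side sketch of the generic-rDNS and HELO checks discussed in the message above, added here as an example (not code from the post, from hesketh.com or from enemieslist.com). The sample sessions, the generic-token list and the verdict policy are constructed assumptions, and HELO resolvability is not checked because the example runs offline.

```python
import re

# Constructed sample SMTP sessions: (client IP, PTR name or None, HELO/EHLO string).
# Documentation-range addresses and made-up names; not real hosts.
SAMPLE_SESSIONS = [
    ("192.0.2.10", "mail.example.org", "mail.example.org"),
    ("198.51.100.4", "dsl-static-pool.198.51.100.4.bigisp.example.net",
     "dsl-static-pool.198.51.100.4.bigisp.example.net"),
    ("203.0.113.77", None, "localhost"),
    ("203.0.113.78", "cust-dyn-78.example.net", "mail.example.org"),
]

# Assumed list of naming tokens typical of generic (pool/dynamic/static-pool) rDNS.
GENERIC_TOKENS = re.compile(
    r"(^|[.-])(dsl|dyn|dynamic|pool|ppp|cable|dhcp|static)([.-]|$)", re.I)


def embeds_address(ptr: str, ip: str) -> bool:
    """True if the PTR name spells out the client's IPv4 octets (dotted or dashed)."""
    octets = ip.split(".")
    name = ptr.lower()
    return (".".join(octets) in name or "-".join(octets) in name
            or "-".join(reversed(octets)) in name)


def is_generic_ptr(ptr, ip) -> bool:
    """Generic rDNS: the name encodes the address or carries a pool-style token."""
    return ptr is not None and (embeds_address(ptr, ip)
                                or bool(GENERIC_TOKENS.search(ptr)))


def classify(ip, ptr, helo):
    """Return (verdict, reason). Generic rDNS alone only defers, since the post
    itself notes that blocking on that alone is prone to false positives."""
    if ptr is None:
        return ("reject", "no rDNS for connecting IP")
    if "." not in helo or helo.lower() == "localhost":
        return ("reject", "unqualified HELO")
    generic = is_generic_ptr(ptr, ip)
    if generic and helo.lower() == ptr.lower():
        return ("reject", "generic rDNS echoed as HELO (bot-like)")
    if generic:
        return ("defer", "generic rDNS; feed to greylisting/reputation")
    return ("accept", "specific rDNS and qualified HELO")


def classify_all(sessions):
    """Apply classify() to every (ip, ptr, helo) tuple; used for the sample set."""
    return [(ip, *classify(ip, ptr, helo)) for ip, ptr, helo in sessions]
```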


