Reverse DNS Question

Steven Champeon schampeo at hesketh.com
Wed Apr 21 17:39:14 CDT 2010


on Tue, Apr 20, 2010 at 11:39:11PM -0500, James Hess wrote:
> EXCEPT.... that is just an example, don't actually use a hostname
> like "ip192-0-0-1.example.com." in real life.
> 
> [*] Certain overly aggressive blacklists assume that the host must be
> a dynamic / dial-up user due to the presence of "192-0-0-1", which
> is recognized to be an IP address, so be careful.

While I don't consider my project to be "over-aggressive", you should be
aware that many antispam filtering systems do classify hostnames as a
class by their naming convention (in my case, I have ~52K patterns for
naming conventions in around 27K domains, classified by assignment and
other types and where possible by the technology in use, e.g. static/dsl,
dynamic/dialup) and use those classifications to determine policy.

So, if you're intending to do the right thing here WRT your PTR naming,
it'd behoove you to indicate at the very least whether these are to be
used by end users (who are more likely to be infected with bots),
whether they're dynamically or statically assigned, whether they're
legit sources of mail, etc. Best current practice is to allow customers
running mail servers to assign custom and appropriate names to said
hosts (including PTR, not just A).

Also, to make it easier for folks running older MTAs without decent
regex support to block unwanted bot mail, try to keep the most
significant token to the right hand side, a la

 1-2-3-4.raleigh.nc.dsl.dyn.example.net

instead of

 dsl-1-2-3-4-dynamic.nc.raleigh.example.net

So they can block all mail from dynamics with a simple 'dyn.example.net'
instead of having to collect access.db entries for every city you happen
to provide access to. The rest of the Internet thanks you in advance ;-)

Having some comment or memo in your SWIP for the block that indicates
what the block's IPs are to be used for is also helpful, as when the PTR
is obscure and unhelpful, rwhois is the next obvious place to turn for
enlightenment.

I've written up some tips and hints here:

 http://enemieslist.com/news/archives/2009/06/principles.html
 http://enemieslist.com/news/archives/2009/06/basic_principle.html
 http://enemieslist.com/news/archives/2009/06/basic_principle_1.html
 http://enemieslist.com/news/archives/2009/06/basic_principle_2.html
 http://enemieslist.com/news/archives/2009/07/a_passionate_cr.html
 http://enemieslist.com/news/archives/2009/07/why_we_suspect.html

Comments welcome.

As for those supposed blacklists that treat n-n-n-n as an obvious
dialup, they're going to run into a lot of trouble if they try to
classify any of these hosts that way (they are in all likelihood MXen
or outbounds):

203-214-65-42.mail2.fft.com.au
189-17-23-133.alpinet.com.br
mx-189-108-118-122.compertratores.com.br
200-206-157-155.mail.eletti.com.br
200-148-137-195.fundecitrus.com.br
200-206-216-150.corpmail.panini.com.br
200-204-147-132.smtp-gw.scanbrasil.com.br
gate-193-85-144-1.e-one.cz
63-145-232-66.accessintel.com
24-43-168-100.biz.aceweb.com
mm-notify-out-72-21-209-53.amazon.com
69-20-71-3.clearrequest.com
mx-82-102-77-85.infocreditgroup.com
84-45-12-85.interparcel.com
64-128-133-217.static.ithikon.com
s199-126-14-180.local1111.com
adsl-66-139-110-100.midwestrug.com
sm-70-42-226-219.quepasa.com
so-63-131-152-52.serviceobjects.com
216-139-224-52.aus.us.siteprotect.com
151-204-36-17.smtpusa.com
mx-119-92-80-10.theorchardgolf.com
203-214-65-56.mail.thomsettinternational.com
antispam-213-183-191-209.ewe-ip-backbone.de
11-176-40-206-reverse.brazosport.edu
209-184-246-217.labette.edu
124-247-238-41.mail.ashwath.in
186-227-63-74.reverse.wirepressnewsalerts.info
77-49-165-194.celeo.net
mail-36-244-187-78.imzahost.net
66-50-173-37.masso.net
35-225-63-74.reverse.wirepresswirenewsalerts.net
mx-213-48-133-164.aclt.org
host84-233-131-230.19.co.uk
207-193-177-11.crowley.k12.tx.us

HTH,
Steve

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news and intelligence to help you stop spam: http://enemieslist.com/
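
The effect of the two PTR naming conventions on a receiving filter, as an added example that is not part of the original message: a label-aligned suffix lookup catches the right-anchored name with one table entry, while the bare n-n-n-n test also fires on mail hosts listed in the message. The function names, the single-entry suffix table and the `mail.example.org` and `notdyn.example.net` samples are assumptions made for illustration.

```python
import re

# The naive "n-n-n-n" test: four dash-separated decimal octets anywhere in the name.
EMBEDDED_IP = re.compile(r"(?<!\d)(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?!\d)")

def suffix_match(hostname, suffixes):
    """Label-aligned suffix lookup: try the full name, then each parent domain."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return None

def embeds_ip(hostname):
    """True if the name contains four dash-separated octets, each 0-255."""
    return any(all(int(o) <= 255 for o in m.groups())
               for m in EMBEDDED_IP.finditer(hostname))

def classify(hostname, dynamic_suffixes):
    if suffix_match(hostname, dynamic_suffixes):
        return "dynamic"       # operator labelled the pool; one table entry suffices
    if embeds_ip(hostname):
        return "ip-in-name"    # generic-looking, but the role is not known from this alone
    return "custom"

# Assumed policy table: a single entry covering the operator's dynamic pool.
DYNAMIC_SUFFIXES = {"dyn.example.net"}

SAMPLES = [
    "1-2-3-4.raleigh.nc.dsl.dyn.example.net",      # right-anchored form from the message
    "dsl-1-2-3-4-dynamic.nc.raleigh.example.net",  # left-heavy form from the message
    "200-204-147-132.smtp-gw.scanbrasil.com.br",   # mail host from the message's list
    "mm-notify-out-72-21-209-53.amazon.com",       # mail host from the message's list
    "notdyn.example.net",                          # constructed: must not match by substring
    "mail.example.org",                            # constructed: custom PTR
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{classify(host, DYNAMIC_SUFFIXES):<11} {host}")
```

The left-heavy name falls through to `ip-in-name` because no suffix entry can reach its `dynamic` token, which is the case where a per-city entry or a regex would be needed.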



