[ale] reverse DNS & spam (was: godaddy for DNS)

Crawford Rainwater crawford.rainwater at linux-etc.com
Fri Dec 30 10:26:08 EST 2011


John:

rDNS of the PTR DNS record can be used for many things.  As noted in the following link:

http://en.wikipedia.org/wiki/Anti-spam_techniques#PTR.2Freverse_DNS_checks

- Most MTAs use FCrDNS (Forward Confirmation rDNS) to verify the domain name in the "Received:" portion of the header.
- Some MTAs will use FCrDNS to verify the SMTP, HELO, and EHLO portions of the header as well.
- Most MTAs will use rDNS to see where the email is coming from in the case of those clients using a dynamically assigned IP address.  Most will reject the "generic" or missing rDNS information.
- The FCrDNS can be used to link and validate IP addresses to domain names.  This is part of "whitelisting" since it is hard for spammers to fake such when a spam source is coming from such a network.

Just a quick summary of course.  You do have the right idea on how rDNS is used.  You just needed to take it down a level more and think email headers. ;-)  

Your example with SMTP fits under the third item since an SMTP client can be anywhere.  Think using Thunderbird with Yahoo Mail here as an example.  Spamhaus (or similar per memory) flags this method due to the rDNS failure where they will see the sender's ISP -> Yahoo (as a relay now) -> destination.  Even with some "(small) business class" services, some ISPs do not fully permit the rDNS down to the fourth note which can be a PITA for those MTAs using a "higher level" of filtering.

Part of being a consultant and troubleshooting things for clients on the above.  HTH some more.

--- Crawford
PS: I receive the ALE list in Digest format, so pardon the delays on responding in advance.

The Linux ETC Company
10121 Yates Court
Westminster, CO 80031 USA
voice:  +1.303.604.2550
web:    http://www.linux-etc.com

Please do not print this email unless it is absolutely necessary.  Be friendly to the environment by saving paper.


----- "John Heim" <john at johnheim.net> wrote: -----
> 
> Wait a minute, something doesn't make sense to me. Why would a mail system
> do a reverse lookup as a way to prevent spam? So the smtp client connects to
> the mail server, the socket says the connection is from 66.170.20.226 and
> the smtp headers say it's from lists.iavit.org. If you look up
> lists.iavit.org, it does resolve to 66.170.20.226. That should be fine
> because if I'm a spammer and I'm using an account on 66.170.20.226, I'm
> going to say I'm somebody *else*. You know, I say I'm
> Bill.Gates at microsoft.com or something. If you look up microsoft.com, you
> don't get 66.170.20.226. Really, just the fact that lists.iavit.org and
> iavit.org resolve to the IP address of the smtp client should be enough.
> How is a spammer going to fake that? Yeah, I'm sure they could but it
> would be a heckuva lot of work.
> 
> There is this SPF record thing where it asks the DNS server for hosts
> allowed to send mail for that domain. That makes sense to me. I can
> understand that. But I don't get the reverse lookup thing. It seems to me
> that would block a lot of legitimate mail for no reason.
> 
> Maybe I'm getting "reverse DNS" mixed up with something else. A forward
> lookup is when you take a name and get an IP address from it. Reverse lookup
> is when you take the IP and get its name. Right?
> 
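The checks Crawford lists above (FCrDNS of the connecting IP, forward-resolving the HELO/EHLO name, and rejecting missing or "generic" rDNS) worked through as an added example. This is not code from the thread or from any MTA; it uses a constructed in-memory resolver so it runs offline, the addresses other than the 66.170.20.226 / lists.iavit.org pair from the thread are RFC 5737 documentation ranges, and the "generic rDNS" pattern is a heuristic assumed here, not a rule stated in the post.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as an MTA would apply it.

Added example, not code from the mailing-list thread. DNS is replaced by
constructed tables so the script runs offline; a real check would query the
resolver (PTR for the IP, then A/AAAA for each returned name).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample records (not real zone data).
PTR_RECORDS: Dict[str, List[str]] = {
    "66.170.20.226": ["lists.iavit.org."],                  # PTR and A agree: passes FCrDNS
    "198.51.100.7": ["mail.example.net."],                  # PTR exists, A does not point back
    "203.0.113.44": ["203-0-113-44.dyn.example-isp.net."],  # dynamic-pool style rDNS
    # 192.0.2.9 deliberately has no PTR: the "missing rDNS" case
}
A_RECORDS: Dict[str, List[str]] = {
    "lists.iavit.org.": ["66.170.20.226"],
    "iavit.org.": ["66.170.20.226"],
    "mail.example.net.": ["198.51.100.99"],
    "203-0-113-44.dyn.example-isp.net.": ["203.0.113.44"],
}


def lookup_ptr(ip: str) -> List[str]:
    """PTR lookup against the constructed table (stands in for a real resolver)."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name: str) -> List[str]:
    """A lookup against the constructed table; names are normalised to lower case with a trailing dot."""
    name = name.lower()
    if not name.endswith("."):
        name += "."
    return A_RECORDS.get(name, [])


def fcrdns(ip: str) -> Tuple[str, str]:
    """Forward-confirmed rDNS: PTR(ip) -> name, then A(name) must contain ip.

    Returns (status, detail) where status is "pass" (detail = confirmed name),
    "no_ptr" (no reverse record at all) or "mismatch" (names do not resolve back).
    """
    names = lookup_ptr(ip)
    if not names:
        return "no_ptr", "no PTR record for %s" % ip
    for name in names:
        if ip in lookup_a(name):
            return "pass", name
    return "mismatch", "PTR names %s do not resolve back to %s" % (names, ip)


# Assumed heuristic: labels ISPs commonly use for access pools.
_GENERIC_LABELS = re.compile(r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp|cable|dsl)([.-]|$)", re.I)


def looks_generic(ip: str, name: str) -> bool:
    """Heuristic for "generic" rDNS: the name embeds the IP's octets as labels
    or carries an access-pool label. An assumption of this example, not of the post."""
    labels = re.split(r"[.-]", name.lower())
    if all(octet in labels for octet in ip.split(".")):
        return True
    return bool(_GENERIC_LABELS.search(name.lower()))


def helo_matches(helo: str, ip: str) -> bool:
    """The HELO/EHLO name must forward-resolve to the connecting IP."""
    return ip in lookup_a(helo)


def evaluate_connection(ip: str, helo: str) -> Dict[str, object]:
    """Combine the checks into one policy verdict for a connecting SMTP client.
    The mapping of outcomes to accept/reject/greylist is this example's own policy."""
    status, detail = fcrdns(ip)
    generic = any(looks_generic(ip, n) for n in lookup_ptr(ip))
    helo_ok = helo_matches(helo, ip)
    if status == "pass" and helo_ok and not generic:
        verdict = "accept"
    elif status == "no_ptr" or generic:
        verdict = "reject"      # missing or generic rDNS: looks like a direct-to-MX client
    else:
        verdict = "greylist"    # mismatch or HELO disagreement: defer for stricter handling
    return {"ip": ip, "helo": helo, "fcrdns": status, "detail": detail,
            "helo_ok": helo_ok, "generic_rdns": generic, "verdict": verdict}


if __name__ == "__main__":
    for ip, helo in [("66.170.20.226", "lists.iavit.org"), ("192.0.2.9", "lists.iavit.org"),
                     ("203.0.113.44", "lists.iavit.org"), ("198.51.100.7", "mail.example.net")]:
        r = evaluate_connection(ip, helo)
        print("%-15s helo=%-18s fcrdns=%-8s helo_ok=%-5s generic=%-5s -> %s"
              % (ip, helo, r["fcrdns"], r["helo_ok"], r["generic_rdns"], r["verdict"]))
```

The third case is the one John's Thunderbird-via-Yahoo scenario maps to: the reverse record exists and even forward-confirms, but it names a dynamic pool, which is why a receiving MTA treats it as a direct-to-MX client rather than a mail server.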

