
[Asrg] Usefulness or otherwise of RMX records

2003-03-05 12:35:11
From: "Gary Feldman" <gaf(_at_)rtr(_dot_)com>
To: <Asrg(_at_)ietf(_dot_)org>
Subject: RE: [Asrg] Re: RMX Records
Date: Tue, 4 Mar 2003 20:57:33 -0500
Organization: Ready-to-Run Software, Inc.
Requiring that the reverse DNS domain name matches the
Mail_From domain name is as wrong and silly as it would be to
require that when you send a picture postcard while on
vacation you use your current hotel as your return address.
Neither requirement would reduce fraud, spam, or anything
else that is bad.

While that's often done, the real requirement is that the
sending computer have the authorization to send on behalf
of the purported (i.e. mail_from) domain (or perhaps
it needs to be at the user level or some other granularity).

However, let me observe that a significant proportion of the
spam I receive can be rejected on the reverse DNS basis, while
only a tiny proportion of legitimate mail would result in a false
positive.  So, while it's far from perfect, I don't agree
with your conclusion that it doesn't reduce spam, based on
my own personal empirical evidence.

A significant proportion - I don't know what you call significant, but back
in the days when I still tried to trace ISPs or domain owners so that I
could make complaints only about 20% of spam had headers that indicated an
origin outside the domain from which they really originated. Well, I guess
20% is significant, so I won't argue with your choice of term there.  On the
other hand, there are so many people who don't understand Reply-To: headers
who decide to tell their MUA to use an address which doesn't match the
machine on which it is running (for example when they use a relay service
such as (to pick two current examples) name(_at_)bcs(_dot_)org(_dot_)uk or name(_at_)acm(_dot_)org -
although users of those two particular institutional relays ought to be
better educated) that maybe an equivalent proportion of legitimate mail
fails to pass the test (at least of legitimate mail addressed to me at the
address I used back then).  So, based on my personal experience and
empirical evidence, I think rejection on the reverse DNS basis would do as
much damage to legitimate mail as to spam.  Of course the senders of
legitimate mail might then become educated and use the Reply-To: header
instead, so the 20% hit on legitimate mail would fall off quickly (assuming
MUAs are generally intelligent enough to distinguish Mail From and From:, which not
all are); but presumably spammers would also become more educated, and the
20% hit on spam would fall off nearly as quickly.  So I think this approach
is not particularly useful.  On other grounds (the cost of these DNS
lookups, which falls on the transfer systems and on the DNS operators not on
the spammer; the general flakiness of some DNS implementations; the ease of
breaking the method by spoofing DNS responses; the likelihood that sysadmins
will not cause these records to be up to date) I think this approach is a
terrible idea.

Tom Thomson

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


