> From: Scott Nelson <scott(_at_)spamwolf(_dot_)com>
> ...
> Reverse DNS is controlled by the IP.
> If they have an rDNS, you would do about as well by skipping
> the rDNS and using the HELO to do a forward look up.
> Of course, having rDNS is also a sign of clue,
> and many spammers are lacking in that which makes the mere presence
> of rDNS a good test.
The RMX check as I understand it is intended to ask the people who own
the envelope sender domain name if the IP address of the SMTP client is
authorized to send mail with that sender name. If the HELO value matches
the sender name, and if one of the IP addresses of the HELO value is that
of the SMTP client, then the SMTP client is authorized.
The reason to check reverse DNS name is to cover the case when the
SMTP client is authorized to send mail for more than one domain name.
And I think it would have a better false positive rate /and/ a better
false negative rate than reverse DNS + envelope sender domain.
> Lots of spam has forged headers and envelopes. Some spam even
> has forged rDNS. Both would catch the first part, but only
> RMX would catch the last.
How do you "forge" reverse DNS? My dictionary says that forgery has
something to do with being false. If you check that one of the IP addresses
for the reverse DNS name is the IP address whose reverse DNS name you
looked up, then reverse DNS forgery is practically impossible for
spam. (Of course, without DNSSEC, there are other attacks, but they
could also be used against the RMX bits.)
...
> > Wouldn't it be simpler to tell everyone to compare your sender domain name
> > with your reverse DNS?
> rDNS does not support multiple domains.
> With rDNS, if you have two vanity domains you need two IP addresses.
That seems to be based on the mistaken notion that there can be only
a single PTR RR per IP address.
> If you run an email service you might host hundreds of domains
> per IP. So, yes, if you're one of those people it's a lot simpler,
> because you couldn't support rDNS at all.
That's mistaken. If one of your IP addresses is used for hundreds of
domain names, you would not want hundreds of PTR RRs. (I've known of
ISPs that hosted thousands (1000s) of domain names per IP address.
That forced the code of my UNIX vendor employer at the time to be a
lot smarter than the classic BSD TCP code when mapping names to
interfaces.) Instead, as I tried to say but was doubtless not clear,
when the simple comparison of PTR RR values to SMTP envelope sender
domain name fails, SMTP servers might be satisfied if one of the MX
RRs for the sender domain contains the SMTP client IP address.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
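The two checks discussed in this message, forward-confirmed reverse DNS (a PTR name counts only if one of its A records is the client IP that was looked up) and the MX fallback for hosts that send for many domain names, are shown below as an added example. This is not code from the thread or from any of the participants; the resolver is a constructed in-memory table of hypothetical names and 192.0.2.0/24 addresses so the block runs offline, and a real receiver would swap in a live DNS lookup. As the message notes, none of this resists DNS spoofing without DNSSEC.

```python
"""Forward-confirmed rDNS plus MX fallback for an SMTP client IP.

Policy, following the thread:
  1. Look up PTR names for the client IP; keep only names whose A records
     include that same IP (forward-confirmed reverse DNS).
  2. If a confirmed name is the envelope sender domain, or lies under it,
     accept ("ptr-match").
  3. Otherwise accept if any MX host of the sender domain resolves to the
     client IP ("mx-match"); this covers one IP hosting many domains.
"""
from typing import Callable, Dict, List, Tuple

# Constructed DNS data (hypothetical zones) standing in for a resolver.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "PTR": {
        "192.0.2.10": ["mail.example.com"],
        "192.0.2.20": ["relay.example.org"],
        # PTR names a host that does not point back: fails confirmation.
        "192.0.2.30": ["bogus.example.net"],
    },
    "A": {
        "mail.example.com": ["192.0.2.10"],
        "relay.example.org": ["192.0.2.20"],
        "bogus.example.net": ["198.51.100.5"],
        "mx1.vanity-a.example": ["192.0.2.20"],
    },
    "MX": {
        "example.com": ["mail.example.com"],
        "vanity-a.example": ["mx1.vanity-a.example"],
        # vanity-b is hosted on example.com's mail host: no PTR match,
        # but the MX fallback authorizes it.
        "vanity-b.example": ["mail.example.com"],
    },
}

Lookup = Callable[[str, str], List[str]]


def fake_lookup(rrtype: str, name: str) -> List[str]:
    """Return RR values for (rrtype, name) from the constructed table."""
    return FAKE_DNS.get(rrtype, {}).get(name.lower().rstrip("."), [])


def fcrdns_names(client_ip: str, lookup: Lookup = fake_lookup) -> List[str]:
    """PTR names of client_ip whose forward A records contain client_ip."""
    return [
        name for name in lookup("PTR", client_ip)
        if client_ip in lookup("A", name)
    ]


def sender_domain(envelope_sender: str) -> str:
    """Domain part of a MAIL FROM address; empty for a null sender."""
    _, _, domain = envelope_sender.strip("<>").rpartition("@")
    return domain.lower().rstrip(".")


def name_under_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def check_client(client_ip: str, envelope_sender: str,
                 lookup: Lookup = fake_lookup) -> Tuple[bool, str]:
    """Decide whether client_ip may send for the envelope sender's domain.

    Returns (accepted, reason) with reason in
    {"no-sender-domain", "no-fcrdns", "ptr-match", "mx-match", "unauthorized"}.
    """
    domain = sender_domain(envelope_sender)
    if not domain:
        return False, "no-sender-domain"

    confirmed = fcrdns_names(client_ip, lookup)
    if not confirmed:
        return False, "no-fcrdns"

    if any(name_under_domain(n, domain) for n in confirmed):
        return True, "ptr-match"

    # Fallback: the sender domain's own MX hosts may legitimately send
    # from this IP even though its PTR names belong to another domain.
    for mx_host in lookup("MX", domain):
        if client_ip in lookup("A", mx_host):
            return True, "mx-match"

    return False, "unauthorized"


if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "alice@example.com"),
                       ("192.0.2.10", "bob@vanity-b.example"),
                       ("192.0.2.20", "bob@vanity-b.example"),
                       ("192.0.2.30", "carol@example.net")]:
        print(ip, sender, check_client(ip, sender))
```

The subdomain match in step 2 is one reading of "compare your sender domain name with your reverse DNS"; a site wanting the stricter exact comparison can replace `name_under_domain` with an equality test. Both the PTR and MX paths rely on the same forward confirmation, so a PTR that points to a name not resolving back to the client IP is rejected before any domain comparison is made.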
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg