2006-06-23 08:15:09.589901-07:00 [mx] connect(821,localhost,[188.8.131.52])
Notice the "connect" line -- it appears that reverse DNS is resolving
the offered IP address to "localhost". [...]
In any case, spam detectors who rely on "localhost" as the reverse
lookup for an IP address as a condition of passing the e-mail are at
risk of producing false negatives.
Anyone who does anything with untrusted rDNS without making sure it
crosschecks with fDNS is at risk of misfires (either way).
That is, given an address, you do an rDNS lookup and get a set of names
(usually zero or one, but not always). Do fDNS lookups on those,
resulting in a set of addresses for each one; any which do not include
the original address in their sets should be discarded. (If this
leaves zero names, well, treat the IP as having no rDNS.)
Anything else is asking for misfires.
I'd almost go so far as to say that if any of the names fail that
crosscheck, they *all* should be discarded (since it implies there is
forgery going on), but the net is not that well run; in addition to
forgery, there are still far too many version skews, mistakes, and
providers that don't bother to set up the one or the other....
/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
Asrg mailing list
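The rDNS/fDNS crosscheck described in the post, written out as an added example (this is not code from the post or the list). The lookup tables are constructed stand-ins for real DNS so it runs offline; the only address taken from the thread is the one in the quoted connect line, and its "localhost" reverse name forwards to 127.0.0.1, so it is discarded exactly as the procedure requires. The `strict` flag implements the harder "if any name fails, discard them all" variant the author mentions.

```python
from typing import Callable

# Constructed lookup tables standing in for rDNS (PTR) and fDNS (A) resolution.
# Only 188.8.131.52 comes from the quoted log line; the rest are sample values.
RDNS_TABLE = {
    "188.8.131.52": ["localhost"],                        # PTR claims "localhost"
    "192.0.2.10":   ["mail.example.net"],                 # honest: PTR and A agree
    "192.0.2.20":   ["mx.example.org", "bogus.example"],  # one good name, one bad
    "192.0.2.30":   [],                                   # no PTR at all
}
FDNS_TABLE = {
    "localhost":        ["127.0.0.1"],
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org":   ["192.0.2.20", "198.51.100.7"],
    "bogus.example":    ["203.0.113.9"],
}

def rdns_lookup(ip: str) -> list[str]:
    """Stand-in for a PTR lookup: the set of names the address claims."""
    return RDNS_TABLE.get(ip, [])

def fdns_lookup(name: str) -> list[str]:
    """Stand-in for an A lookup: the set of addresses a name resolves to."""
    return FDNS_TABLE.get(name, [])

def crosschecked_names(ip: str,
                       rdns: Callable[[str], list[str]] = rdns_lookup,
                       fdns: Callable[[str], list[str]] = fdns_lookup,
                       strict: bool = False) -> list[str]:
    """Return the rDNS names for `ip` whose forward lookup includes `ip`.

    strict=False: keep the names that pass, drop the rest (the post's rule).
    strict=True:  if any name fails, discard every name (the harder variant).
    An empty result means: treat the address as having no rDNS.
    """
    names = rdns(ip)
    passing = [n for n in names if ip in fdns(n)]
    if strict and len(passing) != len(names):
        return []
    return passing

def has_confirmed_rdns(ip: str, **kw) -> bool:
    """True only when at least one reverse name survives the crosscheck."""
    return bool(crosschecked_names(ip, **kw))

if __name__ == "__main__":
    for ip in RDNS_TABLE:
        print(ip, rdns_lookup(ip), "->", crosschecked_names(ip))
```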