On Oct 5, 2011, at 11:28 AM, Storz, Michael wrote:
Another name for the iprev test is "Forward Confirmed reverse DNS" (FCrDNS).
With Postfix you configure it with the two commands
reject_unknown_reverse_client_hostname
reject_unknown_client_hostname
We use this check since years as our first defense against botnet spam with
great success. In the last 7 days we rejected emails for nearly 22.000.000
recipients. 49% did not have a PTR record, 29% did not have a matching A
record. Therefore the FCrDNS was responsible for 78% of all rejections. This
means your statement, that this check is not working, is definitely not true.
This is a pretty ridiculous statement. You use a dubious criterion to reject
78% of messages, and then you claim that because you did that, the check
"works".
However you have to live with a moderately false positive rate. Before we
implemented the check, we analyzed out traffic for 3 months and build an
automatic whitelist with 4.000 wrongly configured MTAs.
There's absolutely nothing "wrongly configured" about an MTA that doesn't have
a PTR record.
Since the beginning of the check we get about 1-2 false positives per week
reported by our users. This second whitelist has 230 entries at the moment.
This means about 4% of the MTAs we accept emails from are wrongly configured.
We can live with that.
Just imagine how many wrongly rejected emails aren't reported.
Stupid spam filtering mechanisms are a DoS attack on email.
Keith