ietf-smtp

RE: The anti-abuse rDNS check that FTP gave up

2011-10-05 12:33:02

> On Oct 5, 2011, at 11:28 AM, Storz, Michael wrote:
>
>> Another name for the iprev test is "Forward Confirmed reverse DNS"
>> (FCrDNS). With Postfix you configure it with the two commands
>>
>>   reject_unknown_reverse_client_hostname
>>   reject_unknown_client_hostname
>>
>> We have used this check for years as our first defense against botnet
>> spam with great success. In the last 7 days we rejected emails for
>> nearly 22.000.000 recipients. 49% did not have a PTR record, 29% did
>> not have a matching A record. Therefore the FCrDNS was responsible for
>> 78% of all rejections. This means your statement that this check is
>> not working is definitely not true.
>
> This is a pretty ridiculous statement.  You use a dubious criterion to
> reject 78% of messages, and then you claim that because you did that,
> the check "works".

Read the email; the statement of Valdis was:

"so most of Vint Cerf's famous 140 million compromised machines have an rDNS
entry, which means it's not that effective anymore"

If this were true, the FCrDNS check should only reject a very low percentage
of "compromised machines". My statistic proves that this is not the case; on
the contrary it is rejecting 78%, which is a very high number. Therefore I say
the check (still) works. BTW, if we used the Spamhaus PBL as the first
criterion, the rejection rate would be nearly 70% and the FCrDNS check would go
down to a 20% rejection rate.

>> However you have to live with a moderate false positive rate.
>> Before we implemented the check, we analyzed our traffic for 3 months
>> and built an automatic whitelist with 4.000 wrongly configured MTAs.
>
> There's absolutely nothing "wrongly configured" about an MTA that
> doesn't have a PTR record.

Keith,

in which world do you live? Many if not most of the major ISPs reject mail
servers which do not have a PTR record. From the view of a customer this makes
a mail server without a PTR record wrongly configured, even if you do not like
this.

>> Since the beginning of the check we get about 1-2 false positives per
>> week reported by our users. This second whitelist has 230 entries at
>> the moment. This means about 4% of the MTAs we accept emails from are
>> wrongly configured. We can live with that.
>
> Just imagine how many wrongly rejected emails aren't reported.

If one of our users wants an email, they are pretty fast in reporting a reject.

> Stupid spam filtering mechanisms are a DoS attack on email.

Right, but this mechanism is not stupid, instead it is clever ;-) It does not
relate to spam, it does not relate to IP reputation etc., it is just a
configuration issue which in most cases can be corrected easily by the admin of
the mail server.

> Keith



Michael
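The FCrDNS logic behind the two Postfix restrictions discussed in this thread, as an added Python example (not code from the thread or from Postfix). It assumes a caller-supplied resolver callback and uses constructed zone data, so it runs offline; it separates the "no PTR" and "PTR without matching A" cases the statistics above count, and treats a temporary DNS failure as a deferral rather than a rejection.

```python
import ipaddress


class DnsTempFail(Exception):
    """SERVFAIL/timeout, as opposed to NXDOMAIN/NODATA (which returns [])."""


def fcrdns_verdict(client_ip, resolve):
    """Classify client_ip as 'ok', 'no_ptr', 'mismatch' or 'tempfail'.
    resolve(name, rrtype) -> list of records; raises DnsTempFail on error."""
    addr = ipaddress.ip_address(client_ip)
    rrtype = "AAAA" if addr.version == 6 else "A"
    try:
        names = resolve(addr.reverse_pointer, "PTR")  # e.g. 1.0.0.10.in-addr.arpa
        if not names:
            return "no_ptr"       # the "49% had no PTR record" case
        for name in names:
            forward = resolve(name, rrtype)
            if any(ipaddress.ip_address(a) == addr for a in forward):
                return "ok"       # forward-confirmed: a PTR name maps back to the IP
        return "mismatch"         # the "29% had no matching A record" case
    except DnsTempFail:
        return "tempfail"


def postfix_action(verdict, strict):
    """strict=False models reject_unknown_reverse_client_hostname (PTR missing only);
    strict=True models reject_unknown_client_hostname (PTR missing or unconfirmed)."""
    if verdict == "ok":
        return "accept"
    if verdict == "tempfail":
        return "defer"            # Postfix answers 4xx on a temporary DNS failure
    if verdict == "no_ptr" or strict:
        return "reject"
    return "accept"


# Constructed zone data for offline use; none of these are real hosts.
FAKE_DNS = {
    ("1.0.0.10.in-addr.arpa", "PTR"): ["mail.example.net"],   # passes FCrDNS
    ("mail.example.net", "A"): ["10.0.0.1"],
    ("2.0.0.10.in-addr.arpa", "PTR"): [],                     # no PTR record
    ("3.0.0.10.in-addr.arpa", "PTR"): ["host3.example.org"],  # PTR, no matching A
    ("host3.example.org", "A"): ["192.0.2.77"],
}


def fake_resolve(name, rrtype):
    """Stand-in resolver; the reverse name of 10.0.0.4 simulates a SERVFAIL."""
    if name == "4.0.0.10.in-addr.arpa":
        raise DnsTempFail(name)
    return FAKE_DNS.get((name, rrtype), [])
```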