spf-discuss

Re: Off-topic: mydnsbl (my "too many failures BL") moving from investigation to testing

2005-01-17 22:46:44
On Mon, Jan 17, 2005 at 03:01:48PM -0700, administrator(_at_)yellowhead(_dot_)com wrote:

I tried to send this to you directly, but your server rejected it with
the following message:
Diagnostic-Code: SMTP; 450 Client host rejected: cannot find your
hostname, [69.36.102.205]


I added the IP to my whitelist.  I'm going to write back shortly (off list).

I have had a few legit messages rejected by the forward-confirmed-rDNS test. I have had to whitelist a few IPs over time, but not a lot... maybe 4 in 6 months.

The most common cause of failures is no rDNS at all, but in some rare cases like this one, there is an rDNS and the forward lookup doesn't give back an IP or it's not the same IP.

The reason for the forward-confirm is to prevent folks who have control over the reverse from giving misleading host names that they *don't* control. For example, if the reverse DNS says "hotmail.com" but "hotmail.com" doesn't have that IP, then there is no way to confirm that the IP is really hotmail.com.

Note: It is possible to return multiple names in response to a PTR query. If this happens, at least one of those names needs to point back to the same IP to be forward-confirmed.


ObSPF: this check doesn't have anything to do with HELO, but I have considered using a HELO PASS to override an rDNS failure. That would give folks the ability to hand me a name that I *can* confirm. It might help in cases where the mailserver admin has his own domain name but can't control the rDNS...




--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
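
The forward-confirmed rDNS test described in the message above, sketched as an added example that is not part of the original post or the poster's own filter. The function name, the verdict strings and the injected lookup callables are assumptions, and the DNS records are constructed from documentation address ranges.

```python
import ipaddress

# Constructed DNS data (documentation address ranges, not real records).
PTR = {
    "192.0.2.10": ["mail.example.org"],
    "192.0.2.20": ["hotmail.com"],                        # reverse name the IP owner does not control
    "192.0.2.30": ["old.example.net", "mx.example.net"],  # multiple PTR names
    "192.0.2.40": ["ghost.example.com"],                  # name has no address record
}
ADDR = {
    "mail.example.org": ["192.0.2.10"],
    "hotmail.com": ["198.51.100.7"],
    "old.example.net": ["198.51.100.99"],
    "mx.example.net": ["192.0.2.30", "2001:db8::30"],
}

def fcrdns(client_ip, ptr_lookup, addr_lookup):
    """Return (verdict, confirmed_name) for a connecting client IP.

    ptr_lookup(ip) -> list of names; addr_lookup(name) -> list of IP strings.
    Both are injected so the same logic can sit on top of any resolver.
    """
    ip = ipaddress.ip_address(client_ip)
    names = ptr_lookup(client_ip)
    if not names:
        return ("no-rdns", None)          # the most common failure in the post
    resolved_any = False
    for name in names:
        name = name.rstrip(".").lower()
        addrs = addr_lookup(name)
        resolved_any = resolved_any or bool(addrs)
        # Compare parsed addresses, not strings, so equivalent spellings match.
        if any(ipaddress.ip_address(a) == ip for a in addrs):
            return ("confirmed", name)    # one confirming name is enough
    # Distinguish "forward gives no IP" from "forward gives a different IP".
    return ("forward-mismatch" if resolved_any else "forward-missing", None)

def check(client_ip):
    """Run fcrdns() against the constructed tables above."""
    return fcrdns(client_ip, lambda i: PTR.get(i, []), lambda n: ADDR.get(n, []))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.99"):
        print(ip, check(ip))
```
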

