spf-discuss

RE: [spf-discuss] Question on a unified policy record approach

2005-09-07 13:38:57
From: paddy [mailto:paddy(_at_)panici(_dot_)net]
Sent: Wednesday, September 07, 2005 11:49 AM

<...>

okay, I owe you an apology.

Not necessary.  This is civil discussion.


I have heard this sort of thing before about
the situation with dsl in parts of the U.S., I never stopped to put
it in the context of PTR records and mail servers in particular.

Don't you have trouble with DUL lists? Or is there some form of
segregation that doesn't go as far as getting you a PTR, but alleviates
that pain?

If you have a dynamic IP, you certainly will have trouble with dial-up
DNSBLs.  You will likely have outgoing port 25 connections blocked by the
local provider, as well, which makes it harder to run a mail server.  Both
DSL and cable companies in the U.S. typically offer static IPs for business
use.  Even on those lines, a reverse DNS delegation is often not available.

In areas of the U.S. where there is only one telephone and/or cable company,
the arrangement is often increased regulatory control in exchange for the
state-guaranteed monopoly.  The regulators, however, are mostly concerned
with provision of basic services and illegal billing.  They neither
understand what it means nor care if the provider delegates the reverse DNS
zone to a broadband customer.  I predict that will take quite a while to
change.



I agree that with substantial parts of the network unable to set a PTR it
undermines the (already limited) value of a PTR.  I don't see that as a
reason for not regarding having a consistent PTR as desirable; instead I'm
inclined to regard the situation you describe as unfortunate breakage.

Agreed.  It is also widespread.



I can certainly see how any such widespread breakage would be a blocker
for using such information in a deterministic accept/reject way, but I've
never advocated that.  All I'm saying is

      PTR lookups are sometimes useful
      MTAs do them on EHLO addresses

which I hope is non-controversial, followed by a naive

      isn't it nice when the A record and the PTR match

Yes, it says that the SMTP client has their forward and reverse DNS set up
properly, so they are more likely to be a real MTA rather than a zombied
Windows box.  Failing the FCrDNS test should not be sufficient to reject,
though some systems are strict and do exactly that.  Stuart's suggestion of
using the EHLO FQDN forward lookup matching the connect IP as an alternative
qualifier is the practical way around the problem.  The domain owner has
published an A record saying they have a host with the IP that you are
talking to.  That's a pretty good test for legitimacy.  Getting rDNS
confirmation makes the assertion a little stronger, as the netblock owner
has allowed the domain to publish their permission to use the IP.  Given how
IP routing works, you would have a hard time using an IP that you didn't
have permission to use.  I suppose that while difficult, nothing is
impossible when it comes to hacking.  The practical question is how many
hosts that fail FCrDNS but pass a forward lookup on the EHLO FQDN are not
legitimate mailers?


--

Seth Goodman
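The two qualifiers discussed above, FCrDNS and the fallback of a forward lookup on the EHLO FQDN matching the connecting IP, as an added example that is not part of the original thread. The DNS data is a constructed in-memory table standing in for real PTR/A queries, and the verdict names are my own; note that the check never hard-rejects on an FCrDNS failure alone, matching the point made in the reply.

```python
# Constructed DNS data for the example (assumption, not real zones).
# 198.51.100.7 models a static business line with no rDNS delegation;
# 203.0.113.5 models a PTR whose name does not point back to the IP.
FAKE_DNS = {
    "A": {
        "mta.example.net": {"192.0.2.10"},
        "host.example.org": {"198.51.100.7"},
        "claim.example.com": {"192.0.2.99"},
    },
    "PTR": {
        "192.0.2.10": {"mta.example.net"},
        "203.0.113.5": {"claim.example.com"},
    },
}


def lookup(rrtype, name, dns=FAKE_DNS):
    """Return the set of RRs for (rrtype, name); empty set if none exist."""
    return dns.get(rrtype, {}).get(name.rstrip(".").lower(), set())


def fcrdns(ip, dns=FAKE_DNS):
    """Forward-confirmed reverse DNS: PTR names of ip whose A record
    resolves back to ip.  Returns the confirmed names (possibly empty)."""
    return sorted(
        name for name in lookup("PTR", ip, dns) if ip in lookup("A", name, dns)
    )


def ehlo_forward_matches(ehlo_name, ip, dns=FAKE_DNS):
    """Alternative qualifier: the EHLO FQDN's A record includes the connect IP."""
    return ip in lookup("A", ehlo_name, dns)


def classify(ip, ehlo_name, dns=FAKE_DNS):
    """Advisory verdict for a connecting SMTP client.  An 'unverified'
    result is a scoring input, not a reject decision."""
    if fcrdns(ip, dns):
        return "fcrdns-pass"
    if ehlo_forward_matches(ehlo_name, ip, dns):
        return "ehlo-forward-pass"
    return "unverified"


if __name__ == "__main__":
    for ip, ehlo in [("192.0.2.10", "mta.example.net"),
                     ("198.51.100.7", "host.example.org"),
                     ("203.0.113.5", "claim.example.com")]:
        print(ip, ehlo, "->", classify(ip, ehlo))
```

In a real deployment the table would be replaced by resolver queries, and the verdict would feed a score alongside SPF and DNSBL results.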


-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
