spf-discuss

Re: [spf-discuss] Question on a unified policy record approach

2005-09-08 07:10:35
On Wed, Sep 07, 2005 at 03:38:49PM -0500, Seth Goodman wrote:

> Not necessary.  This is civil discussion.

It's a civil apology :) Hopefully I'm more on the ball today.

> Yes, it says that the SMTP client has their forward and reverse DNS set up
> properly, so they are more likely to be a real MTA

or the spammer that's spending on a class C that is easily rbl'ed

> rather than a zombied
> Windows box.

I don't think I've ever seen a mail like that!

Show me spam from a zombied dial-up Windows box where the spammer is controlling
the PTR, and I will personally contact the ISP and talk nicely to them, and
firewall them out of existence and tell my friends if they can't or won't fix
it.
Isn't that what anyone would do?

It seems to me this fixes a large enough class of problem to wish for.

It's a real pity if the infrastructure is not there, but as you are pointing
out, alternative authentication systems are the solution to that.

> Failing the FCrDNS test should not be sufficient to reject,
> though some systems are strict and do exactly that.

met them.

> Stuart's suggestion of
> using the EHLO FQDN forward lookup matching the connect IP as an alternative
> qualifier is the practical way around the problem.  The domain owner has
> published an A record saying they have a host with the IP that you are
> talking to.  That's a pretty good test for legitimacy.

Now that I think I get what Stuart is saying, what I like is this:

        Having alternative authentication methods available provides a fix
        for cases like the jupiter.example.org

        If a spammer wants to pass the EHLO forward lookup matching the connect 
        IP from zombie hosts, he needs to spend on .biz domains (or whatever), 
        and that's gotta hurt.

        The real advantage that comes from doing rejects instead of just using
        the information is that it gives legitimate operators encouragement to
        fix their broken systems (of course it has other nice properties).

For a more gentle approach, one could greylist all such fails, perhaps along 
with all of [insert your preferred rbl here] ??

> Getting rDNS
> confirmation makes the assertion a little stronger, as the netblock owner
> has allowed the domain to publish their permission to use the IP.  Given how
> IP routing works, you would have a hard time using an IP that you didn't
> have permission to use.  I suppose that while difficult, nothing is
> impossible when it comes to hacking.  The practical question is how many
> hosts that fail FCrDNS but pass a forward lookup on the EHLO FQDN are not
> legitimate mailers?

It's not just a question of how things are now, but how they will change
in response to pressure.  Avoiding spam is to a certain extent like being
chased by a lion: there's some value in being faster than the other guy
who's being chased. But in the long run it's an evolutionary arms race,
and it pays to think about how much value a given measure has. This looks
like a measure with teeth to me :)

The ratio you describe - spammer fails FCrDNS, but passes EHLO forward - may 
be unfavourable now, but pressure on the EHLO forward lookup inevitably has
to knock on into other things.  Additionally, as you add other information,
for example if you greylist on FCrDNS, then maybe you can get the value out.

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
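The two checks the thread contrasts, FCrDNS and the EHLO-forward-lookup qualifier, combined into the reject/greylist/accept policy Paddy and Seth discuss, as an added example that is not code from the list or any MTA. The DNS data is constructed and stands in for a live resolver; the host names and addresses are assumptions, and the choice to greylist rather than reject on an EHLO-only match is one reading of the thread.

```python
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed DNS records standing in for a resolver (assumed, not from the thread).
# mail.example.com   : PTR and A agree, so it passes FCrDNS.
# jupiter.example.org: the domain owner publishes an A record for 192.0.2.20, but the
#                      netblock owner's PTR is a generic ISP name that does not resolve back.
FAKE_A: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    "jupiter.example.org": ["192.0.2.20"],
}
FAKE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.com"],
    "192.0.2.20": ["dsl-20.isp.example.net"],
}


def lookup_a(name: str) -> List[str]:
    return FAKE_A.get(name.lower().rstrip("."), [])


def lookup_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fcrdns(ip: str) -> bool:
    """Forward-confirmed reverse DNS: some PTR name for the IP must resolve back to it."""
    return any(ip in lookup_a(name) for name in lookup_ptr(ip))


def ehlo_forward_matches(ehlo_name: str, ip: str) -> bool:
    """Stuart's alternative qualifier: the EHLO FQDN's A record must include the connect IP."""
    return ip in lookup_a(ehlo_name)


def policy(ip: str, ehlo_name: str) -> Tuple[str, str]:
    """Return (action, reason); action is one of accept, greylist, reject."""
    ip = str(ip_address(ip))  # normalise, and raise on anything that is not an address
    if fcrdns(ip):
        return "accept", "FCrDNS confirmed"
    if ehlo_forward_matches(ehlo_name, ip):
        # The domain owner vouches for the IP but the netblock owner does not:
        # weaker evidence, so take the gentler route the thread suggests.
        return "greylist", "EHLO forward lookup matches connect IP, FCrDNS failed"
    return "reject", "neither FCrDNS nor EHLO forward lookup matches"
```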
