spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [spf-discuss] Newcomer question - email admin perspective

2007-01-05 08:41:19
from [Stuart D. Gathman] [Permanent Link] 
On Fri, 5 Jan 2007, Seth Goodman wrote:


All the spam that makes it to content filtering in my system has
perfectly good rDNS.  (And typically sends from class C networks
to boot.)


By perfectly good rDNS do you mean matching forward DNS?


Yes, that is the definition of valid rDNS.  Any ISP or class C block
holder can put anything they want in the PTR records.  They are only
valid when the name resolves to the same IP.

Last such entry in my log file:

n05 10:17:37 [4234] connect from mx03.ptelnews.com at ('69.30.241.237', 56807) 
EXTERNAL
2007Jan05 10:17:37 [4234] hello from mx03.ptelnews.com
2007Jan05 10:17:38 [4234] mail from <ret(_at_)mx03(_dot_)ptelnews(_dot_)com> ()
2007Jan05 10:17:38 [4234] Received-SPF: none (mail.bmsi.com: 69.30.241.237 is 
neither permitted nor denied by domain of mx03.ptelnews.com) 
client_ip=69.30.241.237; 
envelope_from="ret(_at_)mx03(_dot_)ptelnews(_dot_)com"; helo=mx03.ptelnews.com; 
receiver=mail.bmsi.com; identity=mailfrom
2007Jan05 10:17:38 [4234] X-Guessed-SPF: pass
2007Jan05 10:17:38 ID mx03.ptelnews.com:GUESS already in db.
2007Jan05 10:17:38 ham: 0, spam: 1
2007Jan05 10:17:38 reputation score is: -76.159416,0.000002
2007Jan05 10:17:38 [4234] X-GOSSiP: FFtpBDHjfVkBPbp0lK2LMA,-76,0
2007Jan05 10:17:38 [4234] rcpt to <stuart(_at_)bmsi(_dot_)com> ()
2007Jan05 10:17:38 [4234] Subject: Next Scholarship Drawing Just Days Away
2007Jan05 10:17:45 [4234] DSPAM: stuart stuart(_at_)bmsi(_dot_)com

Notice: perfect good validated rDNS, and the entry before that was
mail.clemoteproducts.com, also a validate rDNS.  Once 20 or messages from such
a domain have been quarantined, further connections will be rejected.

A spammer with a class C or delegated rDNS can put validated throwaway domains
into rDNS just as easily as he can create SPF records for them.  He probably
has a script that creates SPF, rDNS, and whatever else is needed to look legit 
for the domain of the week.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to http://v2.listbox.com/member/?list_id=735
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: followup: Re: [spf-discuss] libspf2 sample programs, Peter Bowyer
Next by Date:  Re: [spf-discuss] Re: libspf2 sample programs, Stuart D. Gathman
Previous by Thread:  RE: [spf-discuss] Newcomer question - email admin perspective, Seth Goodman
Next by Thread:  Re: [spf-discuss] libspf2 sample programs, Dick St.Peters
Indexes:  [Date] [Thread] [Top] [All Lists]