[121189] in North American Network Operators' Group

Re: Identifying residential CPE IP addresses? (was: SORBS on

daemon@ATHENA.MIT.EDU (Steven Champeon)
Tue Jan 12 15:59:44 2010

X-Received-From: schampeo@tabasco.hesketh.com
X-Delivered-To: <nanog@nanog.org>
Date: Tue, 12 Jan 2010 15:59:01 -0500
From: Steven Champeon <schampeo@hesketh.com>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <6F43E6D0-A9BD-45C0-80F8-9A2A6F11B2E5@jedsmith.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

on Tue, Jan 12, 2010 at 02:59:55PM -0500, Jed Smith wrote:
>   4. For other reasons laid out in this thread, PTR is not the best choice.
>      Additionally, administrators of mailservers who have no idea what a PTR
>      is -- although their entry fee to the Internet mail system is debatable
>      it will not be discussed here -- are now punished by blocklists like
>      SORBS and Trend Micro with the simple crime of not knowing to PTR their
>      mail server with something that screams "static allocation, not CPE".

Mild correction: it's FAR BETTER to use something that screams

I AM A MAIL SERVER WITH A LEGITIMATE PURPOSE AND A COMPETENT ADMIN

rather than just using yet another generic static naming convention. :-)
Because using generic static naming is falling victim to the rather
baseless assumption that all statics should be allowed to send mail,
which is just ridiculous. We've got a /27 (we're a web app dev shop) and
only one of those IPs is a mail source, one is a NAT, one is a VPN box,
several others run Web servers and other services, and so could possibly
emit mail but likely only to us, and we can always whitelist if need be.
I assume that the case is similar in other organizations; their static
IPs far outnumber their canonical mail servers.

Of course, I asked for appropriate custom PTRs for all of them, but
still - the point stands, especially for those who think that generic
static PTRs are sufficient for a modern mail infrastructure. I don't
care who your ISP is, I care who you supposedly are, because if I see
that your mail server (or other hosts on your network) are infected,
compromised, or otherwise sources of abuse directed at my network, I
want to deal with /you/, not with your upstream's abuse desk triage.
 
>      I note, with a heavy hand, that there are no widely-disseminated
>      standards governing the reverse DNS of an Internet host other than this
>      draft, but administrators make decisions on it anyway.

On that and on a wide variety of other criteria, yes.
 
-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news and intelligence to help you stop spam: http://enemieslist.com/
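As an added example, not code from the poster, hesketh.com or enemieslist.com, here is a small Python classifier a receiving mail administrator could use to tell apart the naming conventions discussed above: a missing PTR, a PTR that is not forward-confirmed, an ISP-generated static or dynamic template name, and a custom name that says the host is a mail server. The DNS records are a constructed in-memory stand-in (hypothetical names and addresses) so the code runs offline.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; every name and
# address below is hypothetical and not taken from the original post.
PTR_RECORDS = {
    "192.0.2.10": "mail.devshop.example.",
    "192.0.2.11": "static-192-0-2-11.isp.example.",
    "192.0.2.12": "12.2.0.192.dyn.isp.example.",
    "192.0.2.13": "www.devshop.example.",
}
A_RECORDS = {
    "mail.devshop.example.": "192.0.2.10",
    "static-192-0-2-11.isp.example.": "192.0.2.11",
    "12.2.0.192.dyn.isp.example.": "192.0.2.12",
    "www.devshop.example.": "192.0.2.99",   # forward does not point back: FCrDNS fails
}

DYNAMIC_MARKERS = ("dyn", "dsl", "cable", "pool", "cpe", "dhcp", "ppp")
MAIL_ROLE_LABELS = ("mail", "smtp", "mx", "relay", "out")


def embeds_address(hostname, ip):
    """True when the name carries the address octets, forward or reversed,
    joined by dots or dashes: the signature of an ISP-generated template."""
    octets = str(ip).split(".")
    host = hostname.lower()
    return any(sep.join(o) in host
               for o in (octets, octets[::-1]) for sep in (".", "-"))


def classify_ptr(ip, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """Classify an IPv4 sender's reverse DNS for a mail-acceptance policy.

    Returns one of: missing, unconfirmed, generic-dynamic, generic-static,
    custom-mail, custom-other.  A generic name only says which ISP owns the
    block; a custom, forward-confirmed name says who runs the host and why.
    """
    ip = ipaddress.IPv4Address(ip)
    ptr = ptr_records.get(str(ip))
    if ptr is None:
        return "missing"
    if a_records.get(ptr) != str(ip):          # forward-confirmed rDNS check
        return "unconfirmed"
    labels = ptr.rstrip(".").lower().split(".")
    host_part = ".".join(labels[:-2])           # everything under the zone apex
    if any(m in host_part for m in DYNAMIC_MARKERS):
        return "generic-dynamic"
    if embeds_address(ptr, ip) or "static" in host_part:
        return "generic-static"
    if any(labels[0].startswith(r) for r in MAIL_ROLE_LABELS):
        return "custom-mail"
    return "custom-other"
```

Run `classify_ptr` over `sorted(PTR_RECORDS)` to see one verdict per sample address; the marker lists are deliberately short and would be tuned against real rDNS data in practice.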
