[77100] in North American Network Operators' Group


Re: fixing insecure email infrastructure (was: Re: [eweek article]

daemon@ATHENA.MIT.EDU (Andre Oppermann)
Thu Jan 13 05:22:21 2005

Date: Thu, 13 Jan 2005 11:21:51 +0100
From: Andre Oppermann <nanog-list@nrg4u.com>
To: Steven Champeon <schampeo@hesketh.com>
Cc: nanog@merit.edu
In-Reply-To: <20050113051106.GA30700@hesketh.com>
Errors-To: owner-nanog-outgoing@merit.edu


Steven Champeon wrote:
> on Thu, Jan 13, 2005 at 10:25:18AM +0530, Suresh Ramasubramanian wrote:
> 
>>On Wed, 12 Jan 2005 23:19:47 -0500, Valdis.Kletnieks@vt.edu
>><Valdis.Kletnieks@vt.edu> wrote:
>>
>>>On Wed, 12 Jan 2005 19:19:24 PST, Dave Crocker said:
>>>
>>>>In general, that's what dkeys/iim and csv (and maybe spf) are attempting to provide.
>>>
>>>Yes, but he asked for a rDNS solution specifically...
>>
>>I think Steve was referring to some things that can be implemented
>>right away, like "if you operate a mailserver, please make sure that
>>it isn't on a host that has reverse dns like ppp-XXX.adsl.example.com,
>>try to give it unique and non generic rDNS, preferably with a hostname
>>that starts off with smtp-out, mail, mta etc)"
> 
> Yep. And it helps if the rDNS is "right-anchored", (uses "subdomains"
> to distinguish between various assignment types and technologies) a la
> 
>  1-2-3-4.dialup.dyn.example.net
>                ^^^^^^^^^^^^^^^^
>  4-3-2-1.dsl.static.example.net
>             ^^^^^^^^^^^^^^^^^^^
> as opposed to 
> 
>  dyn-dialup-1-2-3-4.example.net
>  static-dsl-4-3-2-1.example.net
> 
> as the former is easier to block using even the simplest of antispam
> heuristics. I'd love to see a convention, or even a standard, arise for
> rDNS naming of legit mail servers. But I'll happily settle for decent
> and consistent rDNS naming of everything else ;)

What is wrong with MTAMARK?

MTAMARK tags the reverse entries of IP addresses where SMTP servers are.
Fixes this problem very fast, efficiently and with little effort (script
magic to regenerate the reverse DNS entries).

  ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-stumpf-dns-mtamark-03.txt

-- 
Andre
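As an added example (not code from the thread or from the MTAMARK draft), here is how a receiving MTA could apply both ideas discussed above: Steven's right-anchored rDNS naming as a suffix heuristic, contrasted with the brittle left-anchored form, and Andre's MTAMARK as an explicit per-address TXT lookup. The `_send._smtp._srv` owner-name prefix, the suffix lists and the sample zone data are assumptions constructed for the example; the "DNS" is an inline dict so it runs offline.

```python
"""rDNS checks from the thread: right-anchored PTR heuristic + MTAMARK lookup."""
import ipaddress
import re

# Right-anchored names put the assignment type in subdomain labels under the
# operator's zone, so a plain suffix test is enough (suffixes assumed here).
DYNAMIC_SUFFIXES = (".dialup.dyn.example.net", ".dyn.example.net",
                    ".adsl.example.com")
STATIC_SUFFIXES = (".dsl.static.example.net", ".static.example.net")
# Left-anchored names need a per-operator regex on the first label instead.
LEFT_ANCHORED_DYNAMIC = re.compile(r"^(dyn|dialup|ppp|adsl)[-\w]*\.")

def classify_ptr(ptr: str) -> str:
    """Return 'dynamic', 'static' or 'unknown' for a PTR name."""
    name = ptr.rstrip(".").lower()
    if name.endswith(DYNAMIC_SUFFIXES):
        return "dynamic"
    if name.endswith(STATIC_SUFFIXES):
        return "static"
    if LEFT_ANCHORED_DYNAMIC.match(name):  # brittle: only known prefixes match
        return "dynamic"
    return "unknown"

# MTAMARK puts a TXT record under the reverse tree saying whether the address
# is meant to send mail. The owner-name prefix is an assumption in this example.
MTAMARK_PREFIX = "_send._smtp._srv"

def mtamark_name(ip: str) -> str:
    """Owner name of the MTAMARK TXT record for an IPv4 address."""
    return f"{MTAMARK_PREFIX}.{ipaddress.IPv4Address(ip).reverse_pointer}"

# Constructed stand-in for DNS: owner name -> TXT data (documentation range).
SAMPLE_ZONE = {
    "_send._smtp._srv.25.2.0.192.in-addr.arpa": "1",  # declared MTA
    "_send._smtp._srv.99.2.0.192.in-addr.arpa": "0",  # declared non-MTA
}

def mtamark_policy(ip: str, zone=SAMPLE_ZONE) -> str:
    """'send' if marked as an MTA, 'no-send' if marked not, 'unmarked' if absent."""
    txt = zone.get(mtamark_name(ip))
    if txt is None:
        return "unmarked"
    return "send" if txt.strip() == "1" else "no-send"

def accept_smtp_client(ip: str, ptr: str, zone=SAMPLE_ZONE) -> bool:
    """An explicit MTAMARK answer wins; otherwise fall back to the rDNS heuristic."""
    mark = mtamark_policy(ip, zone)
    if mark != "unmarked":
        return mark == "send"
    return classify_ptr(ptr) != "dynamic"
```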
