[77555] in North American Network Operators' Group
Re: marking dynamic ranges, was fixing insecure email infrastructure
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Tue Jan 25 02:39:37 2005
Date: Tue, 25 Jan 2005 13:09:04 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
Reply-To: Suresh Ramasubramanian <ops.lists@gmail.com>
To: Markus Stumpf <maex-lists-nanog@space.net>
Cc: nanog@nanog.org, nanog-list@nrg4u.com,
John Levine <johnl@iecc.com>
In-Reply-To: <20050124212949.GP62086@Space.Net>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 24 Jan 2005 22:29:49 +0100, Markus Stumpf
<maex-lists-nanog@space.net> wrote:
> If you look at your logfiles you will notice that > 95% of all legit
> mailservers already have working and individual revDNS.
About the rest of the post - others have commented on MTAMARK ..
I'll just point out that you are generalizing based on a case you see
in your mailserver.

I haven't got the time to gather stats from our production clusters
right now but a quick grep through the last week's logs on my personal
colo (lots of ISPs in India mail it, some Indian users - friends,
family, large local Linux lists - on it) .. I'd say that about 40% of
my legitimate email comes from IPs that don't have rDNS let alone
DNAME / MTAMARK.

On our production boxes we get email from around the world for about
40 million users, and I just don't want to try blocking based on no
reverse DNS there .. just not worth the amount of legitimate email
traffic that gets filtered out.

--
Suresh Ramasubramanian (ops.lists@gmail.com)
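
Added example, not part of the original message: one way to measure from your own logs how much accepted mail a "no reverse DNS" block would reject before deploying it. It assumes Postfix smtpd syslog lines, where a client with no usable PTR (or a PTR that fails forward confirmation) is logged as "unknown"; the function name, the spam_qids parameter and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd syslog style (not from the post).
SAMPLE_LOG = """\
Jan 24 10:00:01 mx postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Jan 24 10:00:02 mx postfix/smtpd[2101]: 3F2A11C0D1: client=unknown[203.0.113.7]
Jan 24 10:00:05 mx postfix/smtpd[2102]: 7B9C22D0E2: client=mail.example.net[198.51.100.20]
Jan 24 10:00:09 mx postfix/smtpd[2103]: 9D1E33F0A3: client=unknown[2001:db8::25]
Jan 24 10:00:12 mx postfix/smtpd[2104]: A4C544B1F4: client=mx1.example.org[192.0.2.10]
Jan 24 10:00:15 mx postfix/smtpd[2104]: B5D655C2A5: client=mx1.example.org[192.0.2.10]
Jan 24 10:00:20 mx postfix/cleanup[2200]: 3F2A11C0D1: message-id=<a@example.com>
"""

# One "client=" line is logged per message queued by smtpd.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<name>[^\[\s]+)\[(?P<ip>[0-9A-Fa-f:.]+)\]"
)


def rdns_impact(log_text, spam_qids=frozenset()):
    """Count queued messages by whether the sending IP had usable rDNS.

    spam_qids: queue IDs already classified as spam elsewhere (assumption:
    the caller has that list), excluded so the share approximates the
    legitimate mail a no-rDNS block would drop.
    """
    seen, counts, no_rdns_ips = set(), Counter(), set()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m or m["qid"] in seen or m["qid"] in spam_qids:
            continue
        seen.add(m["qid"])
        if m["name"] == "unknown":      # no PTR, or PTR not forward-confirmed
            counts["no_rdns"] += 1
            no_rdns_ips.add(m["ip"])
        else:
            counts["rdns"] += 1
    total = counts["no_rdns"] + counts["rdns"]
    share = counts["no_rdns"] / total if total else 0.0
    return {"total": total, "no_rdns": counts["no_rdns"],
            "share": share, "ips": sorted(no_rdns_ips)}


if __name__ == "__main__":
    print(rdns_impact(SAMPLE_LOG))
```

The list of affected IPs is the useful output: it shows which senders would need an exception or a nudge to fix their PTR records before any blocking rule goes live.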