[99251] in North American Network Operators' Group
RE: Criminals, The Network, and You [Was: Something Else]
daemon@ATHENA.MIT.EDU (Jason J. W. Williams)
Wed Sep 12 12:29:26 2007
Date: Wed, 12 Sep 2007 10:13:00 -0600
In-Reply-To: <46E80BD0.80409@satchell.net>
From: "Jason J. W. Williams" <williamsjj@digitar.com>
To: "Stephen Satchell" <list@satchell.net>, <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu
Hi All,
It seems to me reverse DNS just isn't an acceptable anti-spam measure.
Too many broken reverses exist with smaller companies (try getting a 3rd
party to fix it). It's not that hard for a bot to figure out a DSL's
reverse entry and use that for its HELO. And there are a lot more
effective pre-processing anti-spam measures, including greylisting (with
its own problems) and reputation-based systems.
Best Regards,
Jason
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Stephen Satchell
Sent: Wednesday, September 12, 2007 9:55 AM
To: nanog@nanog.org
Subject: Re: Criminals, The Network, and You [Was: Something Else]
My mail servers return 5xx on NXDOMAIN. If my little shop can spend not
too much money for three-9s reliability in the DNS servers, other shops
can as well. When I first deployed the system, the overwhelming
majority of the rejects were from otherwise known spam locations
(looking at Spamhaus, Spamcop, and a couple of other well-known DNSBLs).
The number of false positives was so small that whitelisting was easy
and simple to maintain.
If a shop is not multihomed, they can contract with one or more DNS
hosts to provide high-availability DNS, particularly for their
in-addr.arpa zones.
It's not hard. Nor expensive.
Paul Ferguson wrote:
> Re-sending due to Merit's minor outage.
>
> - ferg
>
> ---------- Forwarded Message ----------
>
> -- Robert Blayzor <rblayzor@inoc.net> wrote:
>
>> The fact that they're rejecting on a 5xx error based on no DNS PTR is a
>> bit harsh. While I'm all for requiring all hosts to have valid PTR
>> records, there are times when transient or problem servers can cause a
>> DNS lookup failure or miss, etc. If anything they should be returning a
>> 4xx to have the remote host "try again later".
>
> Oh, wait till you realize that some of the HTTP returns are bogus
> altogether -- and actually still serve malware.
>
> It's pretty rampant right now. :-/
>
> - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
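Added example, not part of any message in this thread and not any poster's actual configuration: a sketch of the policy being debated, where NXDOMAIN on the PTR lookup gets a permanent 5xx, a transient resolver failure gets a 4xx so the sender retries, and an allowlist covers known false positives. The names ptr_policy, sample_lookup and SAMPLE_REVERSE_ZONE are hypothetical, and the zone data is constructed from documentation address ranges.

```python
import ipaddress


class NXDomain(Exception):
    """Authoritative answer: the reverse name does not exist."""


class TransientDNSError(Exception):
    """SERVFAIL, timeout, or another failure that may clear on retry."""


# Constructed sample data standing in for a real resolver, so this runs offline.
SAMPLE_REVERSE_ZONE = {
    "10.2.0.192.in-addr.arpa": ["mail.example.net."],
    "20.2.0.192.in-addr.arpa": TransientDNSError("SERVFAIL"),
    # 198.51.100.7 and 198.51.100.8 deliberately have no entry (NXDOMAIN).
}


def sample_lookup(qname):
    """Hypothetical resolver stub: return the PTR names or raise."""
    answer = SAMPLE_REVERSE_ZONE.get(qname)
    if answer is None:
        raise NXDomain(qname)
    if isinstance(answer, Exception):
        raise answer
    return answer


def ptr_policy(client_ip, lookup=sample_lookup, allowlist=frozenset()):
    """Map the PTR lookup outcome for a connecting IP to (SMTP code, text)."""
    if client_ip in allowlist:
        return 250, "allowlisted sender, PTR check skipped"
    qname = ipaddress.ip_address(client_ip).reverse_pointer
    try:
        names = lookup(qname)
    except NXDomain:
        # Permanent: no reverse entry exists, so a retry cannot succeed.
        return 550, f"no PTR record for {client_ip}"
    except TransientDNSError:
        # Temporary: resolver trouble, so ask the sender to retry later.
        return 451, f"PTR lookup for {client_ip} failed, try again later"
    return 250, f"PTR {names[0]}"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.7"):
        print(ip, ptr_policy(ip))
    print("198.51.100.8", ptr_policy("198.51.100.8", allowlist={"198.51.100.8"}))
```
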