Reverse DNS and SMTP

We have recently implemented a policy on our mail servers of not
accepting mail from hosts that do not correctly resolve via reverse DNS.
While we on the technical side love the idea, there have been some
questions from the business side of the house.

  If an ISP who doesn't have reverse DNS setup correctly on their
mail servers, we point them to the RFC's and generally offer to help
them correct it.
  We have noticed that our spam has reduced drastically, and the
complaints are few, but alas this is a double edged sword, where if you
even block 1 legitimate e-mail out of the 100K+ that we receive daily,
someone is going to complain.

Just curious if anybody here is doing the same and the response that
they have had from doing so. Replies off list are fine and I will
summarize if people are interested.

Thanks,
Patrick

You are most correct, it is definitely a double edged sword. Let's say
you try to reverse DNS on an address who's nameserver is down or
otherwise unreachable, what then? Some admins I know deliberately do run
reverse DNS as they view it as system cracker tool, or they feel it is
an unwarranted load, RFCs be damned. Is this admin decision the fault of
the user?

You are not first one to try this. I have tried this myself and a
financial type didn't get an important email because of it. You know the
rest of the story.

A better solution is to check the ip and see if it is an MX record for
the domain the mail purports to be from.

Just my opinion, and I could wrong.

-dan

You are most correct, it is definitely a double edged sword. Let's say
you try to reverse DNS on an address who's nameserver is down or
otherwise unreachable, what then? Some admins I know deliberately do run
reverse DNS as they view it as system cracker tool, or they feel it is
an unwarranted load, RFCs be damned. Is this admin decision the fault of
the user?

  Use a non clueless isp. the market is fairly saturated in
most places with service providers.

You are not first one to try this. I have tried this myself and a
financial type didn't get an important email because of it. You know the
rest of the story.

  What I do is format my smtp headers such that a very simple
regex can find mail with no reverse dns and dump it in a spam folder.
I find this catches a lot of the messages.

  I try and let people know but for example, I am unable to
find anyone at American Express or NWA that can fix their dns.
(others are prompt in fixing their dns problems).

A better solution is to check the ip and see if it is an MX record for
the domain the mail purports to be from.

  This has a number of flaws. I won't delve into them though.

Just my opinion, and I could wrong.

  - Jared

Hi
Does anyone know of a program that can flag such things and alter mail headers
on the fly like this?

  Nicole

You are most correct, it is definitely a double edged sword. Let's say
you try to reverse DNS on an address who's nameserver is down or
otherwise unreachable, what then? Some admins I know deliberately do run
reverse DNS as they view it as system cracker tool, or they feel it is
an unwarranted load, RFCs be damned. Is this admin decision the fault of
the user?

      Use a non clueless isp. the market is fairly saturated in
most places with service providers.

You are not first one to try this. I have tried this myself and a
financial type didn't get an important email because of it. You know the
rest of the story.

      What I do is format my smtp headers such that a very simple
regex can find mail with no reverse dns and dump it in a spam folder.
I find this catches a lot of the messages.

      I try and let people know but for example, I am unable to
find anyone at American Express or NWA that can fix their dns.
(others are prompt in fixing their dns problems).

A better solution is to check the ip and see if it is an MX record for
the domain the mail purports to be from.

      This has a number of flaws. I won't delve into them though.

Just my opinion, and I could wrong.

      - Jared

-dan

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Patrick Muldoon
Sent: Thursday, February 28, 2002 1:15 PM
To: nanog@merit.edu
Subject: Reverse DNS and SMTP

     We have recently implemented a policy on our mail servers of not
accepting mail from hosts that do not correctly resolve via reverse DNS.
While we on the technical side love the idea, there have been some
questions from the business side of the house.

     If an ISP who doesn't have reverse DNS setup correctly on their
mail servers, we point them to the RFC's and generally offer to help
them correct it.
     We have noticed that our spam has reduced drastically, and the
complaints are few, but alas this is a double edged sword, where if you
even block 1 legitimate e-mail out of the 100K+ that we receive daily,
someone is going to complain.

Just curious if anybody here is doing the same and the response that
they have had from doing so. Replies off list are fine and I will
summarize if people are interested.

Thanks,
Patrick

--
Patrick Muldoon, Network/Software Engineer
INOC, LLC
doon@inoc.net

Press Ctrl-Alt-Del now for IQ test.

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

                     >\ __ /| (`\
                     > o_o |__ ) )
                    // \\
Daemon Technologies(tm) | Phone: 510.895.9667
nicole@daemontech.com |
-------------------(((---(((-----------------------
            - Powered by FreeBSD -
     Email, DNS, SiteeHosting, FTP Services,
  Dedicated Servers, Co-Location, and a Lot More

http://www.spambouncer.org

I have no connection to this software other than being a satisfied user.
-Paul

Once upon a time, Nicole Harrington <nmh@daemontech.com> said:

Does anyone know of a program that can flag such things and alter mail headers
on the fly like this?

If you use sendmail as your MTA, you can configure it to do it with the
check_local rulesets from http://www.digitalanswers.org/check_local/.

You are most correct, it is definitely a double edged sword. Let's say
you try to reverse DNS on an address who's nameserver is down or
otherwise unreachable, what then? Some admins I know deliberately do run

Temporary DNS errors (timeouts reaching a server etc) are/should be
distinguishable
from hard errors (NXDOMAIN responses, no such RR for the queried name),
and the SMTP daemon could/should then react appropriately by using a
5xx error for hard DNS errors and 4xx errors for temporary errors, where
a 4xx error should then result in the sending side queueing the mail
appropriately
for a later attempt.

reverse DNS as they view it as system cracker tool, or they feel it is

You mean don't run reverse DNS? Having good reverse DNS is a requirement
to allow things like tcp-wrappers to work with domainnames rather than
just IP addresses.

an unwarranted load, RFCs be damned. Is this admin decision the fault of
the user?

You are not first one to try this. I have tried this myself and a
financial type didn't get an important email because of it. You know the
rest of the story.

A better solution is to check the ip and see if it is an MX record for
the domain the mail purports to be from.

An MX record always contains a name, not an IP address. Thus, you will still
need
to do reverse lookup on the IP to try and match it against that name. Your
approach
will be further complicated by the fact that MX record do not (necessarily)
list the canonical name of the MTA (ie for which a PTR record exists).

Further, you are requiring that everyone sends mail from the same server
that they
receive mail on. Such a requirement is too restrictive.

What should be checked is that the domain of the sender's address exists and
has a valid MX record (and that the name that MX record points to exists as
an A record), so that there is a chance that complaints/bounces actually can
be returned to the sender.

AFAIK, sendmail (and likely other MTAs) already have facilities to perform
these checks.

One could go further and actually try whether any of those listed MX servers
actually accepts SMTP connections before accepting the mail, but that would
generate
a *lot* of unneccessary traffic and would most likely overload one's own
server too.

Just my opinion, and I could wrong.

same here.

Mathias

Using domain names with tcp-wrappers has some hidden considerations that
95% of the people don't think through...

If you are getting a connection from an IP/name you *would* let in, but
the PTR entry fails on a timeout or whatever, you're rejecting a legitimate
connection. Depending on your paranoia level, this may be acceptable.

If you allow in based on DNS name, you may accept a connection that you
should have rejected. The ususal causes of this are DNS cache poisoning
and related attacks - and of course, these are most likely to happen in
conjunction with an attempted illegitimate connection.

It's probably an OK thing to do *IF* you realize that the DNS can be lied
to, and the connection has to pass OTHER authentication as well (for instance,
if you only accept SSH connections from "your-OK.yourdomain.com", but still
require a valid 'publickey' authentication or similar before actually
allowing it in).