Home page logo

basics logo Security Basics mailing list archives

Re: educating rDNS violators
From: Niek <niek () packetstorm nu>
Date: Thu, 26 Aug 2004 09:03:53 +0200

On 8/25/2004 1:08 PM +0200, Derek Schaible wrote:

The way this helps spam reduction is that the vast majority of spam
comes from exploited machines running rogue MTAs or some script kiddie

on their DSL or cable modem. Such hosts will typically not have a valid
rDNS entry. Additionally, if a company is sending legitimate email they
In my experience almost all 'western' isps have rdns set on their customer
broadband/dialup ipranges. Sometimes an isp was assigned a new block,
it can take a while, but it usually gets in place.

Rdns is however missing on the majority of Asian ipblocks.
I block China, Korea, and a few other countries with dns blacklists.
90% of the blocked Asian ips do not have (valid) rdns.

will have no issues with you verifying their hosts in this manner. Many
spam attempts will spoof a name of an smtp server that most people will
allow. Adding rDNS stops this action.
Names of smtp servers will still be spoofed even if rdns is in place.
Only something like caller-id/sender-id/spf/domainkeys/'something better
than before mentioned' solutions will help cut it down a bit.

Mail servers should have correct DNS info. Forward and reverse. It is
the sysadmin's responsibility to ensure that their systems are
configured properly. Period.
Hail. Too bad most smtp administrators have no clue.
They install sendmail/exchange/whatever, make sure it works, and never look back.

Of course, there are some companies with correctly configured DNS who
are spam friendly and this tactic will not block them. However, those
companies are few in comparison to the hacked/violated/kiddie machines
that will not have correct DNS info. These spam-friendly systems with
correct DNS info are trivial to black list.
Already layed out, that this is not the case.

Hope this helps, too!

Moral of this all.
If you decide to block hosts with missing or incorrect rdns,
you will loose mail. Period.

If you decide to block hosts with missing or incorrect rnds,
you will still receive spam. Period.

Niek Baakman
Read about mime:         ( )                http://www.geoapps.com/nomime.shtml
Read about quoting:       X     http://www.netmeister.org/news/learn2quote.html
Read about disclaimers:  / \    http://www.goldmark.org/jeff/stupid-disclaimers

Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]