Verisign bogosity

Hirsh, Joshua joshua.hirsh at PARTNERSOLUTIONS.CA
Tue Sep 16 15:37:18 IST 2003


 I hate to break it to you, but the firewall rule is basically ineffective
to prevent the hosts from being able to resolve. You're filtering the final
destination for what non-existent domains resolve to. To stop the domains
from resolving, you would have to filter out some of the root DNS servers.

 All you're doing is blocking the connection from your SMTP servers to
64.94.110.11, which means the message will just get re-queued and attempt to
be sent again until it expires (4 days later).



 Also, concerning the BIND blackhole filter, isn't that used to reject
client lookups from the blackholed addresses from using your DNS server, and
not restricting what the domains resolve to (which is the desired result)?


 Regards,
-Joshua

-----Original Message-----
From: Remco Barendse [mailto:mailscanner at BARENDSE.TO]
Sent: Tuesday, September 16, 2003 10:30 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Verisign bogosity


The firewall rule would block access to the Verisign server, therefore the
domain will never resolve (this is the way it ought to be) because your
dns server cannot reach it (supposing you are running your own name
servers!).

Remco
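
The difference the two messages argue over, as an added example that is not part of either message: a small model of what a mail server does with a mistyped recipient domain when the wildcard address is blocked at the firewall versus filtered out of the resolver's answers. The domain names, the function names and the sample answers are constructed for illustration; only 64.94.110.11 comes from the thread.

```python
from ipaddress import ip_address

# Wildcard address quoted in the thread; everything else below is constructed.
WILDCARD_ADDRS = {ip_address("64.94.110.11")}

# Constructed resolver answers: name -> A records (empty list = NXDOMAIN).
SAMPLE_ANSWERS = {
    "mail.example.com": ["192.0.2.25"],
    "no-such-domain-zzz.com": ["64.94.110.11"],  # synthesized by the wildcard
    "no-such-domain-zzz.org": [],                # genuine NXDOMAIN
}


def filter_wildcard(addrs):
    """Drop wildcard addresses so a synthesized answer looks like NXDOMAIN."""
    return [a for a in addrs if ip_address(a) not in WILDCARD_ADDRS]


def delivery_outcome(name, answers, firewall_blocked=(), resolver_filter=False):
    """Model the MTA's decision for one recipient domain (hypothetical helper).

    'bounce'  - name does not resolve: permanent failure, sender told at once
    'defer'   - name resolves but no address is reachable: queued and retried
                until the queue lifetime runs out
    'connect' - the MTA opens an SMTP connection to a resolved address
    """
    addrs = answers.get(name, [])
    if resolver_filter:
        addrs = filter_wildcard(addrs)
    if not addrs:
        return "bounce"
    blocked = {ip_address(a) for a in firewall_blocked}
    reachable = [a for a in addrs if ip_address(a) not in blocked]
    return "connect" if reachable else "defer"


if __name__ == "__main__":
    typo = "no-such-domain-zzz.com"
    cases = {
        "no mitigation": {},
        "firewall block only": {"firewall_blocked": ["64.94.110.11"]},
        "resolver-level filter": {"resolver_filter": True},
    }
    for label, kwargs in cases.items():
        print(f"{label:22s} -> {delivery_outcome(typo, SAMPLE_ANSWERS, **kwargs)}")
```
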


