Could Be OT: How many people only accept reverse DNS lookup mail?

Jim Holland mailscanner at mango.zw
Thu Aug 17 18:11:11 IST 2006


On Thu, 17 Aug 2006, Jeff A. Earickson wrote:

> I have tried this with sendmail using the require_rdns.m4 hack from Neil
> Rickert a couple of times in the past, for brief periods (less than one
> day).  The damage was too great IMHO.  I tried it once a couple of years
> ago, and then again a few months ago shortly after AOL announced that
> they would enforce this in their email policies.
> 
> After a few months of AOL beating the world into shape, maybe it is time
> to revisit this issue again...

I have used the require_rdns.m4 hack for some months now, but found too
many problems with the default configuration that gives a 550 error to
systems without valid PTR records (there are too many non-compliant
systems in Southern Africa).  I therefore edited it to give 451 responses
for all three categories:

	no reverse DNS
	unable to resolve PTR record
	possibly forged hostname

The result of that is that most genuine systems that are blocked will then
deliver shortly afterwards to our secondary MX, which does not implement
RDNS checks.  Spammers mostly give up at that point and don't even try the
secondary MX.  Note however that there may be genuine systems that won't
try again - probably the use of one of the standard whitelists from a
greylisting package would be useful here (as greylists also use the 451
response).  However I would expect that many (most?) of the major systems
that have problems with greylisting (eg Yahoo, Gmail etc) would be RDNS
compliant.

As soon as non-compliant but genuine systems are identified, they are 
added to the sendmail access file with an rdns entry to whitelist them.  
(We send out a daily notification to our users with a list of all blocked 
mail, separately from the daily MailScanner notifications we send out.)

This setup is specific to our situation, where we have a secondary MX 
under our control and where the secondary doesn't run RDNS checks.  If 
they both ran RDNS checks I think we would definitely lose too much 
genuine mail.

The total of incoming messages blocked by the RDNS checks is equivalent in
number to around 30% of the number of messages we actually accept for
delivery.  In the beginning it was much higher (due to false positives),
until we got the whitelisting right.  Compare that with the greet-pause
checks, whose ratio of blocked incoming connections to accepted messages
is around 60%.  With all these eliminated, MailScanner blocks a ratio of
15% to the number of accepted messages.

Sorry for the messy way of expressing the percentages, but that is the
simplest for now, and doesn't take into account other mail blocked at MTA
level for other reasons.  At some stage it would be useful to have some
kind of consistent formula to express the overall percentages of blocked
mail, but it is complicated because blocking can be done on the basis of:

	Connections blocked by the firewall or routing tables (for really
	annoying systems such as the one that has made 50,000 attempts
	so far to deliver the same two messages from May up to today)

	Connections blocked by the MTA (sendmail):

		Servers blocked by the greet-pause feature
		(so no data is recorded for sender or recipient)

	Mail blocked by the MTA:

		Blocked by the RDNS checks
		Blacklisted servers, domains and addresses
		Throttled by excessive connections, rates etc
		Mail to invalid recipients

	Mail blocked/quarantined by MailScanner

		Spam
		Viruses/Phishing attacks etc
		Other blacklisted mail

What should be the base figure for percentages?  Incoming connections?  
Incoming senders?  Local recipients?  But this is getting further OT.

In conclusion, I think that RDNS checking has great potential, but needs
more development, eg:

	Pre-configured whitelist (as for greylist packages) that can be
	updated automatically from an external source
	Use 451 errors only
	Temporarily whitelist systems that resend after a reasonable
	interval (using the same logic as for greylisting triplets)

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
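The policy Jim describes (three RDNS categories, 451 deferrals, an access-file style whitelist, and the proposed greylist-triplet retry whitelist) modelled as an added example; this is illustrative code, not sendmail or require_rdns.m4, and the DNS data, IP addresses and hostnames are constructed for offline use.

```python
import time

# Constructed sample DNS data standing in for real PTR and A lookups.
PTR = {
    "192.0.2.10": "mail.example.org",       # forward-confirmed rDNS
    "192.0.2.20": "mx.nonprofit.example",   # PTR exists, A record points elsewhere
    "192.0.2.30": None,                     # PTR lookup itself fails (SERVFAIL)
}
A = {
    "mail.example.org": ["192.0.2.10"],
    "mx.nonprofit.example": ["198.51.100.5"],
}

def classify(ip, ptr=PTR, a=A):
    """Sort a connecting IP into the post's three failure categories or 'ok'."""
    if ip not in ptr:
        return "no reverse DNS"
    name = ptr[ip]
    if name is None:
        return "unable to resolve PTR record"
    if ip not in a.get(name, []):           # PTR name does not map back to the IP
        return "possibly forged hostname"
    return "ok"

class RdnsPolicy:
    """Defer (451) instead of reject (550), with two whitelists:
    a static one (like 'rdns' entries in the sendmail access file) and a
    greylisting-style one keyed on the (ip, sender, recipient) triplet."""

    def __init__(self, whitelist=(), retry_window=300, now=time.time):
        self.whitelist = set(whitelist)     # hypothetical static whitelist of IPs
        self.first_seen = {}                # triplet -> time of first deferral
        self.retry_window = retry_window    # seconds a genuine MTA must wait
        self.now = now                      # injectable clock for testing

    def check(self, ip, sender, rcpt):
        verdict = classify(ip)
        if verdict == "ok" or ip in self.whitelist:
            return 250, "accepted"
        t = self.now()
        first = self.first_seen.setdefault((ip, sender, rcpt), t)
        if t - first >= self.retry_window:
            self.whitelist.add(ip)          # host retried like a real MTA: whitelist it
            return 250, "accepted after retry (%s)" % verdict
        return 451, "4.7.1 try again later (%s)" % verdict
```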

> On Thu, 17 Aug 2006, Billy A. Pumphrey wrote:
> 
> > Date: Thu, 17 Aug 2006 09:11:51 -0400
> > From: Billy A. Pumphrey <bpumphrey at WoodMacLaw.com>
> > Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> > To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> > Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
> > 
> > Does anyone only accept email that will do a reverse lookup?  Does
> > anyone recommend it?
> >
> > Thank you
