Slashdot Mirror


Are PTR Records Important?

erfmuffin asks: "I work for a medium-sized regional ISP. Recently we configured our email gateway to refuse connections to IP addresses that do not resolve (i.e., no reverse DNS). I am amazed at how many legitimate domains use mail servers with no PTR record! At the same time, we have avoided a great deal of junk mail in one swoop. Wouldn't it be better for mankind if all mail servers refused mail from non-resolvable IPs? Should all legitimate mail servers have valid PTR records or has the world become too lazy to make email delivery easier?"

8 of 138 comments

  1. The answer's pretty simple... by Zeriel · · Score: 2, Insightful

    If you refuse to accept mail without a valid PTR record, and that lowers your users' spam... I'd say PTR records are important. I know most systems I set up check that PTR and A/CNAME records match each other as a first step in determining whether the connection is trustworthy or not. Of course, if everyone did this we might see spammers/crackers setting up technically valid but wholly useless PTR records. At which point, who knows?

    --
    "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
  2. No it wouldn't be better by mnmn · · Score: 3, Insightful

    I host maybe 7 domains, an email server, and several other things from my dynamic-ip DSL connection. Have been maintaining it for over a year with reasonable uptimes. I can't have PTR records or reverse resolution to my domain... but I don't send spam.

    Many cottage-industry websites will be closed and not everyone can afford professional hosting services that use Jboss, postgresql, php4, ldap etc. Least fan sites that can make no money, and homepages.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
  3. Re:Yes and no. by Anonymous Coward · · Score: 3, Insightful

    The fact that mail systems that require PTR records before accepting mail significantly reduces spam is reason enough that PTR records should be required.

    Hang on a second, I'm dizzy. Woo. That's one hell of a circular argument you've got there. I'm still trying to sort it out, but it seems like you might have actually made two full circuits of the argument in that one sentence. Wow.

    The implicit assumption behind all of that, though, is that stopping some spam is more important than delivering all legitimate mail. You say so yourself: "I too experience a great deal of mail problems due to a lack of PTR records but, it is worth the effort to stick to this policy." That's completely wrongheaded. Mail should be delivered. That's what it's for. Given the choice between receiving no spam and missing the occasional important email and receiving all spam and getting all my important emails, I would choose the latter any day of the week. And so would most reasonable people, I think. The inconvenience and annoyance of hitting that "delete" key every day is nothing compared to the inconvenience and annoyance of not being able to receive email from a friend or business associate.

  4. Re:The answer is "no" by Deagol · · Score: 3, Insightful

    The purpose of email is to facilitate communication. That's it.

    The same was once thought of having open relays, too. See how we changed our behavior with those?

  5. Re:Yes and no. by Anonymous Coward · · Score: 1, Insightful

    After a few attempts the sender either calls their admin or the intended recipient, who then calls me.

    See? That's the part where the system is broken. You shouldn't have to do an end-run around ONE method of communication by using ANOTHER. If your email is broken, then your email is broken, and I (as the sender) shouldn't have to be bothered with it.

    Typically, I get a thanks via email the next day.

    Heh. I find that very hard to believe. If you get a "thanks" I'd be willing to bet it's just dripping with sarcasm. "Thanks for making it so hard for me to send you email, jerk. Next time I'll know better than to try."

    But who knows? Maybe the people you deal with are okay with wasting time on this sort of annoyance. I can guarantee you, beyond a shadow of a doubt, that the people I deal with are not.

  6. PTRs should not be required by 0x0d0a · · Score: 2, Insightful

    The fact that mail systems that require PTR records before accepting mail significantly reduces spam is reason enough that PTR records should be required.

    And this is a short-term fix which produces long-term issues. You reduce spam for eighteen months, spammers start just going through PTR-listed servers, and you're back to square one...except now you're using a broken mail system. Or spammers buy a throwaway domain -- they buy throwaway accounts, and a throwaway domain is no more trouble.

    I personally run a mail server on my computer, and don't gateway mail it sends. That's the way email was designed to work, and still the way it works best. I think that's pretty legitimate. I get an immediate response when mail delivery fails, can set how long I want resends to be done, and don't have to remember to change my gateway when I move from home to college and back. I have no reason to run out and buy a domain -- I don't have any reason to present a domain to the world.

    People requiring PTR records are running broken name servers. Most people that like this mindset -- restrict users for a short term gain -- have in my experience been fairly technically incompetent admins. Block everything except 80 TCP outbound, plop transparent proxies all over, try to convince people to use webmail, block mailservers...they see a short term gain. They aren't engineers, so to them, they've just "solved the problem". Then they wait a year, run into problems (people tunneling everything over 80 or setting up their own VPNs to get reasonable functionality, FTP to a similarly crippled site not working, etc), and try to find a policy-based, rather than a technical, solution. For the rest of the world, they're jerks with a bit of administrative power to abuse. IT people like this are easy to find -- they're the ones that the users resent, the ones that are making tasks more of a pain in the ass for core users, rather than easier.

    Just my two cents.

  7. This for that by n1k0 · · Score: 2, Insightful

    This isn't an all-inclusive list of reasons for people's DNS habits, but in my experience these factors seem to be among the most prominent.

    1) DNS management is often delegated to the ISP. If that ISP develops such bad habits as ignoring customers' reverse DNS when making updates to forwards, they have a fleet of Internet users with no reverse DNS.

    2) IT personnel often don't have DNS authority for their IP addresses because it's not worth the hassle for ISPs to give their customers reverse authority for only a few IPs in a subnet. ISPs have varying degrees of friendliness for managing reverse DNS through customer support personnel or a website. For organizations that update DNS often, sometimes it isn't worth the hassle of dealing with the ISP at all.

    3) People are lazy and stupid, and reverse DNS doesn't typically affect our daily lives. Most yahoos barely understand DNS beyond pointing and clicking in the Microsoft DNS Server Console (which, ironically, will automatically update PTRs when you make changes to forwards if you so desire). These would be the same schmucks who list CNAMEs as mail exchangers.

    The moral of the story is: The number of legitimate email providers with invalid reverse DNS far outnumbers the number of spammers. This is ample reason to NOT refuse to accept mail that has inconsistent forward and reverse mappings.

    Consider your business customers; are they going to care about fighting spam when they can't receive email from contacts at other companies? Are they going to want to hear, 'Well tell the person that's trying to email you to fix their server'? I think not.

    It would be much different if you weren't an ISP, but I don't feel that the annoyance presented by spam is sufficient reason to effectively tell your customers that they can no longer receive email from a fair percentage of Internet hosts because there's a small chance that they might be spammers. There are effective ways to fight spam that don't inhibit the users' ability to receive legitimate email.

    -Nick

  8. ISPs are mostly the problem. by Ashurbanipal · · Score: 1, Insightful

    Spam and worms are so commonplace because of the greed and incompetence of the really big ISPs.

    I could knock out every nimda and code red on comcast.net in 48 hours using their existing equipment. A little gawk, netcat, and snort and the manual for their switches is all I'd need.

    Similarly, the 100+ virii and spam I receive every weekend are mostly coming from AOL. I can detect them with MailScanner and SpamAssassin, using a P-133 computer running linux - I suspect AOL could do it too.

    But the big ISPs are the problem. They will NOT cut off a paying customer's access regardless of how obviously the customer is abusing that access - instead, they are tracking down people running private websites and NNTP nodes, because they want to be content providers and they don't like competition.

    I get 6-700 worm attacks a week on my cable modem at home - all identified by snort and stopped by iptables. All cable modem addresses are VLANS. The cable company can easily monitor them from a central point, and these are mostly KNOWN, EASILY IDENTIFIED worm spoor.

    The big ISPs are the biggest part of the problem because:

    #1 - they don't care about quality of service as long as they get their money

    #2 - they have regional monopolies

    #3 - they refuse to co-ordinate with each other

    Solve these problems and the Internet will start working properly again.