Slashdot Mirror


Are PTR Records Important?

erfmuffin asks: "I work for a medium-sized regional ISP. Recently we configured our email gateway to refuse connections to IP addresses that do not resolve (i.e. no reverse DNS). I am amazed at how many legitimate domains use mail servers with no PTR record! At the same time, we have avoided a great deal of junk mail in one swoop. Wouldn't it be better for mankind if all mail servers refused mail from non-resolvable IPs? Should all legitimate mail servers have valid PTR records or has the world become too lazy to make email delivery easier?"


  1. Well by Joe the Lesser · · Score: 2, Funny

    They are certainly just as important as TPS reports, if not more so.

    Have you sent a memo?

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)
    1. Re:Well by TubeSteak · · Score: 1

      This is very much on-topic. erfmuffin is complaining because people
      aren't putting coversheets on their TPS reports... It's easy to forget but necessary to do.

      --
      [Fuck Beta]
      o0t!
  2. Yes and no. by FreeLinux · · Score: 4, Informative

    PTR records are not necessary. They are not required for the internet to work acceptably. But PTR records do add considerable convenience to network operation, and they are a part of the DNS standard specification, so they should be used.

    The fact that mail systems that require PTR records before accepting mail significantly reduces spam is reason enough that PTR records should be required. I too experience a great deal of mail problems due to a lack of PTR records but, it is worth the effort to stick to this policy. If you don't have a PTR record, you can't send me mail!

    1. Re:Yes and no. by Anonymous Coward · · Score: 3, Insightful

      The fact that mail systems that require PTR records before accepting mail significantly reduces spam is reason enough that PTR records should be required.

      Hang on a second, I'm dizzy. Woo. That's one hell of a circular argument you've got there. I'm still trying to sort it out, but it seems like you might have actually made two full circuits of the argument in that one sentence. Wow.

      The implicit assumption behind all of that, though, is that stopping some spam is more important than delivering all legitimate mail. You say so yourself: "I too experience a great deal of mail problems due to a lack of PTR records but, it is worth the effort to stick to this policy." That's completely wrongheaded. Mail should be delivered. That's what it's for. Given the choice between receiving no spam and missing the occasional important email and receiving all spam and getting all my important emails, I would choose the latter any day of the week. And so would most reasonable people, I think. The inconvenience and annoyance of hitting that "delete" key every day is nothing compared to the inconvenience and annoyance of not being able to receive email from a friend or business associate.

    2. Re:Yes and no. by Fluffy the Cat · · Score: 1

      This depends a lot on how much spam you get. Over the past year I've been averaging over 50 a day (I should really graph this to see which direction it's going in). Spamassassin generally stops somewhere around 95% of this, though it's lower at the moment. That's about 4 times the amount of legitimate mail I get. Without spamassassin, I'd be finding email almost entirely useless, and at that point I'd be happy to bounce (but not drop) some legitimate mail in order to reduce the spam load.

    3. Re:Yes and no. by FreeLinux · · Score: 3, Informative

      That's completely wrongheaded. Mail should be delivered.

      I guess that you are entitled to your opinion, but I feel that the action is correct. The fact is that this policy works very well for me. The mail does go through, eventually.

      Here's how it works. A user tries to send a message to someone inside my company. The message fails, of course, because my mail server rejects the connection due to the lack of a PTR. After a few attempts the sender either calls their admin or the intended recipient, who then calls me. Either way, the admin and I talk. He/she says your mail server is broken. I say no, it isn't, yours is misconfigured. Try sending a message from your Yahoo account and you will find that it is delivered. He/she then says, so why can't I send any mails to your domain. I respond that it is because your DNS is misconfigured. Call your ISP and ask them to add a PTR record for your mail server and the mail will flow.

      Sometimes there is a question about this along the lines of: well, why can I send to these other domains? I explain that some administrators are willing to accept mail from misconfigured systems because there are so many of them and it makes the administrator's life easier. I then say: trust me, call your ISP. It only takes a couple of minutes and you will never have to deal with this problem again.

      Typically, I get a thanks via email the next day. If they refuse to make the changes I point out to my user that they are receiving mail from everywhere else just fine and they can even send to this broken domain. Thus, our mail system is working correctly and the problem is at the far end. Done.

    4. Re:Yes and no. by Anonymous Coward · · Score: 1, Insightful

      After a few attempts the sender either calls their admin or the intended recipient, who then calls me.

      See? That's the part where the system is broken. You shouldn't have to do an end-run around ONE method of communication by using ANOTHER. If your email is broken, then your email is broken, and I (as the sender) shouldn't have to be bothered with it.

      Typically, I get a thanks via email the next day.

      Heh. I find that very hard to believe. If you get a "thanks" I'd be willing to bet it's just dripping with sarcasm. "Thanks for making it so hard for me to send you email, jerk. Next time I'll know better than to try."

      But who knows? Maybe the people you deal with are okay with wasting time on this sort of annoyance. I can guarantee you, beyond a shadow of a doubt, that the people I deal with are not.

    5. Re:Yes and no. by Benno... · · Score: 1

      And you still have a job?

    6. Re:Yes and no. by systemaster · · Score: 1

      I completly agree, just because a reverse lookup doesn't work doesn't mean that possibly valid mail shouldn't be let through. I've frequently looked at spam and very often the @name.com doesn't even exist!!! I mean the URL is not valid. BUT why has nobody tried enforcing forward lookups? My IP officially is dynamic and the reverse lookup is basically MYIP.MYISP.com BUT my forward lookup WILL resolve to my current IP. I would prefer that mail servers if spam is such a problem, check the forward lookup, it would stop a ton of spam and not screw people like me with the disadvantage of an offically dynamic IP.

      --
      LinuxWorx
      Spelling errors are intentional as are gramatical error
    7. Re:Yes and no. by Grishnakh · · Score: 1

      I'd rather hire this guy than some moron who just let the mail server accept spam from anywhere.

  3. The answer's pretty simple... by Zeriel · · Score: 2, Insightful

    If you refuse to accept mail without a valid PTR record, and that lowers your users' spam... I'd say PTR records are important. I know most systems I set up check that PTR and A/CNAME records match each other as a first step in determining whether the connection is trustworthy or not. Of course, if everyone did this we might see spammers/crackers setting up technically valid but wholly useless PTR records. At which point, who knows?

    --
    "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
  4. No it wouldnt be better by mnmn · · Score: 3, Insightful

    I host maybe 7 domains, an email server, and several other things from my dynamic-ip DSL connection. Have been maintaining it for over a year with reasonable uptimes. I can't have PTR records or reverse resolution to my domain... but I don't send spam.

    Many cottage-industry websites will be closed and not everyone can afford professional hosting services that use Jboss, postgresql, php4, ldap etc. Least fan sites that can make no money, and homepages.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:No it wouldnt be better by Zeriel · · Score: 4, Informative

      Doesn't your ISP have PTR records anyway, though? Even if it resolves to something like modem212-yourstate-yrcty.adelphia.com like my cable modem does, it's still a valid PTR record.

      If your ISP doesn't do this, might I suggest shopping around for a new one?

      I was under the impression the original question referred to completely nonexistent PTR records (that resolve to NXDOMAIN or similar).

      --
      "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
    2. Re:No it wouldnt be better by BigBadaboom · · Score: 1

      Then your solution would be to send your outgoing mail through your ISP's mail server.

      I suspect more and more ISPs are going to follow what AOL did and reject mail from DSL addresses, so you are going to face problems in the future with this sort of setup.

    3. Re:No it wouldnt be better by Zeriel · · Score: 1

      Hey, if MY ISP didn't follow what I thought were correct standards, I'd switch in a heartbeat. Hell, if my electric company's power browned out and varied in voltage all the time, I'd switch if it were possible, too. Switching ISPs is a hell of a lot easier than switching electric companies, most places.

      Original poster said "I can't do business because my ISP has no (X)".
      My response was "go someplace that provides (X)".
      Your response appears to be "Everyone should go out of their way to not need (X) anymore".

      I think maybe it might be a better solution overall if ISPs who were dumb about PTR records lost customers.

      Incidentally, where I live it's both possible and a fairly good idea to shop around for a new electric company. =P

      --
      "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
    4. Re:No it wouldnt be better by Anonymous Coward · · Score: 1, Interesting

      Your response appears to be "Everyone should go out of their way to not need (X) anymore".

      Yes, that's mostly right. But rather than saying, "everyone should go out of his way not to need X any more," I'm saying, "no one should go out of his way to require X." See the difference?

      No one should be required to change ISPs because somebody else set up a mail relay in such a way that it arbitrarily rejects messages based on PTR records.

    5. Re:No it wouldnt be better by Harik · · Score: 4, Funny

      People choose their ISP's for various reasons: price, quality of service, convenience. What kind of drangles they use on their gimlets should not be one of them.

      Quite right! Who cares about standard things like DNS when you can just use WINS! Send packets to the broadcast address and hope the right machine responds.

      Hell, people who want their ISP to support PPP or IPv4 are just being bitchy. Nobody needs more than IPX over SLIP anyway.

      --Dan

    6. Re:No it wouldnt be better by itwerx · · Score: 1

      He's taking the previous poster's position to its logical extreme, thereby making it painfully obvious that the previous poster did not have a good argument.
      Or were you just trolling? :)

  5. silly by rumpledstiltskin · · Score: 1

    I should be allowed to send mail from my own connection and not have to worry about my ISP crapping out on me (which happens, from time to time). If I run it from my own place, I know whether the mail server is fscked up or not.

  6. Thats all well and fine by haplo21112 · · Score: 1

    ...except it's nearly impossible to set one up when you only have a single IP for your domain...
    I know there are tricks one can play, but I have yet to see one that works acceptably... or am I not reading the right HOWTOs...

    My domain is hosted on the single IP I get from my cable modem. My DNS/WEB/Mail/etc. are all hosted on the box connected to that cable modem...
    so if a reverse DNS is required to get mail from me, I guess it's impossible for me to send mail to such a system, because I have yet to get the DNS server to reverse map me correctly... I've tried...

    --
    Power Corrupts, Absolute Power Corrupts Absolutely, leaving one person (group) in charge is absolutely corrupt.
    1. Re:Thats all well and fine by dbrutus · · Score: 1

      If you got 256 addresses with your broadband connection, how much more would that be worth?

      I say IPv6 to the rescue. A broadband ISP that did that (used IPv6 and gave out lots of IP addresses with each DSL line) would have a distinctive market opportunity.

  7. Discussion on spam, reverse DNS, etc. by knightwolf · · Score: 3, Informative
    You can find a small discussion of the topic on the Missouri Linux Users group - See this for a sample and just look for the "More spam" subject messages.

    There are a LOT of places though that don't set these records, and filtering out these sites will drop a LOT of emails that actually might be valid.

    1. Re:Discussion on spam, reverse DNS, etc. by Harik · · Score: 1

      There are a LOT of places though that don't set these records, and filtering out these sites will drop a LOT of emails that actually might be valid.

      Yes, but our point is that those servers are misconfigured. It's not MY job to configure YOUR mailserver properly. Mine works and will continue to work properly. If _YOUR_ mailserver can not get YOUR email out, whose problem is it?

      I suppose I should quit using the open relay/open proxy blacklists as well, since someone might really send email from one of them. Right?

      I won't go so far as to require the HELO/EHLO to match the reverse DNS, since there's thousands of legitimate scenarios where this might not be the case. Generally speaking, it's a firewalled mailserver and you're seeing the IP of the firewall. I DO require, however, that the forward lookup of the HELO matches the IP connecting to me.

      --Dan

    2. Re:Discussion on spam, reverse DNS, etc. by rplacd · · Score: 1
      If _YOUR_ mailserver can not get YOUR email out, whose problem is it?

      In my case, it's my problem, and my ISP's fault. My ISP doesn't provide reverse DNS. I've heard all sorts of excuses like "no one else has ever asked for it", etc. I've tried several people, on several occasions, and no one's willing to do the work to get me reverse DNS. Hey, it's a telco monopoly.

      So I guess you'll never get mail from pretty much anyone in my country...

  8. Well, by Sevn · · Score: 1

    I know I've never taken anyone seriously that can't
    be bothered to set their forward and reverse DNS
    properly. Chances are it's joe cablemodem user
    with his Win2k server. I'd say it's more important
    to do the checking for things like mail, http,
    https, etc. and less important for things like
    gaming servers and p2p file sharing. :)

    --
    For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
    1. Re:Well, by jobugeek · · Score: 1
      Chances are it's joe cablemodem user with his Win2k server

      I think you are trolling here with that comment, but I'll respond anyway. Win2K DNS has a simple check box that makes the PTR record for you. I'd bet $20 that most of the incorrectly set up DNS machines are people running old versions of BIND.

      --
      I'm not drunk, I just have a speech impediment. And a stomach virus. And an inner ear infection.
    2. Re:Well, by studerby · · Score: 1
      Win2K DNS has a simple check box

      And if you don't remember to set the simple-minded check box on from its default off state EVERY GODDAMN TIME you end up with an inconsistent set of records. I used to have a reminder set monthly to go clean up our win2k DNS (until we got some competent admins who knew what PTR records were).

      --

      .sig generation error:468(3)

  9. The answer is "no" by Anonymous Coward · · Score: 5, Interesting

    Wouldn't it be better for mankind if all mail servers refused mail from non-resolvable IPs?

    No. Why? Let's look at this philosophically.

    The purpose of email is to facilitate communication. That's it. One person sends an email to another with the intention that the message be received and read. The sender implicitly assumes that the message will, in fact, be received by the recipient, because the email system is based around that assumption. If the system works correctly, your mail will be delivered.

    Any failure to deliver mail is a failure of the system. Period. The system exists to put mail in mailboxes, not to selectively put mail in mailboxes.

    Now, spam. Spam is a problem, sure. It's not nearly as big a problem as a few people seem to think it is, but it's a problem. But the correct solution to the problem of nuisance mail is not to break the implied contract between the sender and the mail system as a whole. "Your mail will be delivered to its recipient." That's the implied contract. (I'm speaking metaphorically. There's no actual contract here, of course.) Anything that bolts on an "except" or "unless" to that implied contract is a bug, not a feature.

    Now, in my opinion the correct way to deal with spam is to filter it on the receiving end. All mail should be delivered, but the recipient's automation may choose to flag some messages based on their content or their envelope or whatever. Some carriers don't like this idea because it requires them to deal with mail that people don't generally want to read, but choosing not to deal with certain pieces of mail is far worse.

    That's the abstract argument. Here's the concrete one. If I send a piece of mail, I generally have no control whatsoever over, or even knowledge of, the bits and pieces that make up the delivery chain. My message leaves my computer and goes to an upstream server which then delivers it to another server, which then delivers it to the recipient. If that delivery process should fail because of the way the machines in the middle are configured, then that's going to be a problem for me. A very serious problem, over which I have absolutely no control.

    Look at it this way. Let's say the postal service institutes a new regulation that no letters will be delivered if they're picked up by a mail carrier in brown shoes. Okay? Only white-shoe-wearing mail carriers are authorized to pick up mail. The mailman who serves my neighborhood forgets to wear his white shoes tomorrow when he picks up my outgoing mail. He gets to the post office and is told, summarily, that none of the letters in his bag will be accepted for processing because he's wearing the wrong color shoes.

    How would I feel under those circumstances? Annoyed. Really annoyed. And so would all the other people on my block.

    People who manage email servers really need to adopt the mailman's philosophy: we don't care what the mail is. We deliver it. No matter what, if it's got adequate postage on it (which doesn't apply to email), we deliver it. Neither rain, nor sleet, nor dark of night... and so on.

    1. Re:The answer is "no" by Deagol · · Score: 3, Insightful
      The purpose of email is to facilitate communication. That's it.

      The same was once thought of having open relays, too. See how we changed our behavior with those?

    2. Re:The answer is "no" by BigBadaboom · · Score: 1
      Now, in my opinion the correct way to deal with spam is to filter it on the receiving end.

      Spoken like someone who doesn't get much spam, and doesn't pay for traffic.

    3. Re:The answer is "no" by Anonymous Coward · · Score: 1, Interesting

      The same was once thought of having open relays, too. See how we changed our behavior with those?

      Yes, and I think that's a giant step backwards. I'll give you an example. A coworker of mine used to carry a laptop. While at home, he would dial in to the Internet through Earthlink and send and receive email. In those cases, he had to send email through the Earthlink SMTP server, because outgoing SMTP connections from Earthlink were blocked. He couldn't connect to the company's SMTP server at all from his house.

      Back at the office, though, he was unable to send email through Earthlink's SMTP server, because it was set to reject any connection from outside the Earthlink network.

      So the net result is that my coworker had to go in to twiddle with his email settings every time he came into the office and every time he went home.

      Now, sure, it would be nice if the OS provided a facility for doing this for him. I think Mac OS X's Locations feature allows you to do this, but since I'm not laptop-enabled these days I don't know for sure, and I have no idea whether it's possible on Windows or not. But in a perfect world, it shouldn't even be necessary.

      It all goes back to that philosophy thing I talked about in my last post. The purpose of the email system is to DELIVER the mail, not to selectively reject mail based on various criteria that the sender usually has no control over. Filtering should only be done at the receiving end. In other words, the transport should be guaranteed to be reliable.

      Now, if you want to somehow modify the SMTP protocol itself so all connections have to be authenticated, then that's fine. But arbitrarily accepting or rejecting connections based on topology is a lousy idea.

    4. Re:The answer is "no" by Zeriel · · Score: 1

      Most e-mail clients I use provide the ability to use multiple sets of e-mail settings...Eudora 5.x (which I use) and IIRC Outlook both do this.

      --
      "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
    5. Re:The answer is "no" by Zeriel · · Score: 1

      I agree entirely, which is why my personal SMTP server authenticates on a per-user basis and you can contact it from anywhere on the net.

      I don't understand why more sites don't use this, I just commented that workarounds for the problem you're facing DO exist.

      --
      "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
    6. Re:The answer is "no" by Cecil · · Score: 1

      But the correct solution to the problem of nuisance mail is not to break the implied contract between the sender and the mail system as a whole. "Your mail will be delivered to its recipient." That's the implied contract. (I'm speaking metaphorically. There's no actual contract here, of course.) Anything that bolts on an "except" or "unless" to that implied contract is a bug, not a feature.

      Apply that paragraph to the postal mail service. So, if someone sends you anthrax, or a rod of plutonium, then the post office should be required to deliver it and it's up to each individual to put it in containment and safely dispose of it, never mind the danger of transporting it in the first place? What if you don't put a stamp on your mail and try to send it? Is the post office still obligated to deliver it?

      That just doesn't make any sense. It is entirely within the rights of the mailman to say "Sorry, I'm not delivering this, because you have a rabid dog.", and email does the exact same thing with bounce messages.

      The email system is allowed to have rules just as any other system is. If you don't follow those rules, then the system is not obligated to (and would be expected not to) do what you asked, even if that's its explicit purpose. Some of the rules in the email system are written rules, such as those in the RFC. Others are ad-hoc rules such as denying mail if you don't have a PTR record.

      As far as email being a system for communicating, you may not get enough spam to make a difference, but signal-to-noise ratio is an important part of communicating, and don't assume everyone gets the same amount of spam you do. Deal with it. We are.

    7. Re:The answer is "no" by dbrutus · · Score: 1

      Both Mac OS X and Mac OS classic provide locations which do, in fact, take care of this issue. Make a new location, swap one setting, and all your network settings change between sets.

      The problem with filtering at the receiving end is that you have an entire transit infrastructure that has to be radically upsized for mail that is simply not going to be read in the end. That works for a postal system where transmission has costs associated with it but here we have a system where sending is essentially free but routing all those bits across the internet is not (at least not in the kind of huge streams of data most ISP's handle).

      I think you make a mistake when you differentiate between filtering by individual user and filtering by site. Think of properly configured PTR records as the equivalent of a clause in standard international mail delivery treaties. Such things do exist and they guarantee that my mail will be able to go from one country to another. Under certain circumstances (war, sanctions) direct mail simply does not go through (US-Cuba being a recent example).

      Fortunately, the technical solution is simple in this case: configure your PTR records properly. If you're small and don't have sufficient IPs then stop accepting the limitations of IPv4 and start asking for IPv6 and a decent block of static IP numbers.

    8. Re:The answer is "no" by ToadSprocket · · Score: 1

      Now, in my opinion the correct way to deal with spam is to filter it on the receiving end. All mail should be delivered,

      Wow, apparently you don't run a mail server that gets 2.5 million messages a day. You can upgrade your mail servers all year round as an exercise in futility, it's fun. Add a new CPU and more memory, and your relays will be happy for a few hours, then end up where you have been for the past year... with 40,000 messages queued up waiting for delivery. You have just built a more powerful box for the spammers. Congrats!

      No way, man. If you don't have reverse DNS, you get dropped. Period. Do some spammers have reverse records? Sure. But you just eliminated a huge portion of the DSL spammers, Dial Up Spammers, and the Mom and Pop spammers.

      --
      If this article confuses you, don't worry. It was posted yesterday in a much clearer fashion.
    9. Re:The answer is "no" by sid crimson · · Score: 1

      I might not understand your point correctly, but... if I do, then:

      By your rationale, shouldn't RBLs and the like quit blacklisting an entire /24 when only a /28 or /29 is offending us with spam? I can think of a few who do.

      Just curious. :-)

      -sid

    10. Re:The answer is "no" by sid crimson · · Score: 1

      By your rationale, shouldn't RBLs and the like quit blacklisting an entire /24 when only a /28 or /29 is offending us with spam?

      Yes.

      I agree also. One of my clients managed to get a /28 within the same /24 with a 'spammer.' I posted this info and a request for an update to the mail-abuse section of groups.google.com and got an earful of reasons why my client should be penalized for their 'neighbors' actions. And good luck getting removed from the blacklist in any reasonable amount of time.... the offender was kicked from the ISP 4 months ago and my client's IP block is still listed. And my client is bound by a contract to boot -- no way do they have the resources to fight Sprint on this issue.

      Not that I approve of the spam, the spammer, their ISP for allowing it, or disapprove of the RBLs for doing something about it -- but crossing a network boundary is extreme and less than truly helpful, if you ask me.

      -sid
    11. Re:The answer is "no" by dubl-u · · Score: 1

      The purpose of email is to facilitate communication. That's it.

      Very true. And spam hinders that. I'm getting 2:1 spam vs real mail these days, and it's only getting worse. If I can get rid of a bunch of spam, that will improve email's power to facilitate communication by some factor; let's call it x. Now if that action also impedes communication for some users and we call that y, then using your theory, we should take that action in the cases where x > y.

      In my experience, rejecting mail from poorly maintained networks (no PTRs, invalid HELO strings, or on various RBLs) results in a net increase in facilitated communication.

      If I send a piece of mail, I generally have no control whatsoever over, or even knowledge of, the bits and pieces that make up the delivery chain.

      I can't speak to your knowledge, but you're wrong about the control. If your ISP isn't maintaining their network properly or is spewing spam and gets on RBLs, then you should change your ISP. Last I checked, very few ISPs are using assault weapons to keep their customer base from defecting.

      postal service institutes a new regulation

      I hate to undermine your frothing here, but this sort of thing goes on all the time.

      Any calls without valid caller ID to my phones get diverted to a service called Privacy Manager. I throw away about 90% of my paper mail unopened; if it looks like junk mail, out it goes. The postal service places a large number of restrictions on what you can mail and where you can mail it from. The customs service treats packages and travellers from Canada very differently from those that come from Colombia. Many places (e.g., California, Australia) strongly restrict the kinds of food and plants you can bring in. And let's not forget the travel restrictions, trade restrictions, and quarantines brought on by diseases like BSE, hoof-and-mouth, and most recently, SARS.

      All of these involve using simple, approximate rules to sort the good from the bad. This isn't perfect, but people deal with it because perfect is awfully expensive. It happens all the time, and the exponentially growing flood of spam means that it will happen with email, too.

    12. Re:The answer is "no" by Bartmoss · · Score: 1

      Your examples are very arbitrary. The idea behind only accepting correctly resolving mail is that it makes it much more difficult to pretend to be from, say, hotmail when you're not. You have to have access to both forward and reverse mapping to fake it.

    13. Re:The answer is "no" by dbrutus · · Score: 1

      You can't just hide your head in the sand. Email, like everything else in the Internet, is a voluntary service and there is no law requiring that ports 25, 110, and 143 have to be accepted for transit across your network from any other network.

      People don't mind carrying legitimate mail for free because legitimate stuff actually doesn't cost enough that the costs outweigh the non-monetary benefits. If you say to large networks that they're just going to have to eat a never-ending cost black hole of more and more spam they're either
      a. not going to listen and site filter
      or
      b. work on draconian legislation to put people in jail.
      I much prefer
      c. set up some sort of filtering mechanism where mail you send can be traced back to you or if you're using some sort of anonymizing software that you can't send more than a thousand or so messages per day.

  10. DUCK! QUICKLY by wowbagger · · Score: 4, Interesting

    You have suggested limiting Mr. 31337's ability to send any email he wants from his ub3rb0x3n without doing any real setup, like getting a proper reverse lookup established.

    FOR THE LOVE OF $DEITY MAN, DUCK AND COVER!

    You are about to be flamed by all the "How DARE you limit me! I have the $deity-given right to send email from ANYTHING, and YOU are wanting to RESTRICT IT! YOU BASTARD FASCIST COMMIE!" types.

    Personally, I would want my mail server configured to do something like this:

    Get host's name as given in EHLO.
    Look that name up.
    if (IP address from DNS != IP address talking to me)
        Bugger off spammer
    endif
    Reverse look up IP address talking to me
    if (name from DNS != name from EHLO)
        Look up name from DNS
        if (IP address from lookup != IP address talking to me)
            Bugger off spammer
        endif
    endif
    Accept mail.


    (It is assumed the "bugger off spammer" state is a terminal state).

    This way, even if your box's reverse lookup is foo.bar.baz.adsl.example.com rather than mybox.example.com, so long as foo.bar.baz.adsl.example.com resolves to your IP address you wouldn't be rejected.

    1. Re:DUCK! QUICKLY by XenoBOFH · · Score: 1

      Question:
      Does anybody know how to configure postfix to behave like that pseudocode?

      TIA.

  11. Yes, it has by linuxwrangler · · Score: 4, Informative
    ...has the world become too lazy to make email delivery, easier?

    I don't know of any specific RFC that requires reverse DNS for SMTP but the RFCs do require that the HELO/EHLO be 1) fully qualified and 2) resolvable.

    I strongly recommend enforcing that rule even though you will be amazed at the number of mailservers that are not configured properly to follow this basic requirement of RFC2821.

    Naturally it's not a bad idea to then look up the EHLO domain and make sure it resolves back to the connecting IP. Something like 25% of the mail I reject is rejected for greeting me with my own IP or hostname.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
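The check wowbagger sketches in pseudocode above (EHLO name must forward-resolve to the connecting address, and the address's PTR name must either equal the EHLO name or forward-resolve to the address) and the two rules linuxwrangler adds (EHLO must be fully qualified, and a client greeting you with your own name or IP is rejected) can be modelled in one small function. The following is an added example, not code from any poster in this thread or from any MTA; it uses a constructed in-memory resolver with documentation-range addresses so it runs offline, and `MY_IP` / `MY_NAMES` stand in for the receiving server's own identity.

```python
"""Added example: a model of the EHLO / reverse-DNS consistency check
discussed in the thread, run against a constructed in-memory resolver.
Nothing here is a real host; a production MTA does this with its own
restriction settings or a real DNS library."""
from dataclasses import dataclass, field


@dataclass
class FakeResolver:
    """Constructed DNS data: forward (name -> set of IPv4) and reverse (IPv4 -> name)."""
    a: dict = field(default_factory=dict)
    ptr: dict = field(default_factory=dict)

    def lookup_a(self, name):
        return self.a.get(name.lower().rstrip("."), set())

    def lookup_ptr(self, ip):
        return self.ptr.get(ip)


# Assumed identity of the receiving server (constructed values).
MY_IP = "192.0.2.1"
MY_NAMES = {"mx.example.net"}


def is_fqdn(name):
    """Cheap RFC 2821-style sanity check: at least two non-empty labels,
    and not an address literal such as [192.0.2.1]."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels) and not name.startswith("[")


def check_client(resolver, client_ip, ehlo_name, my_ip=MY_IP, my_names=MY_NAMES):
    """Return (verdict, reason); verdict is 'accept' or 'reject'.
    The order mirrors the pseudocode: forward check on EHLO first,
    then the reverse lookup, then a forward check on the PTR name."""
    ehlo = ehlo_name.lower().rstrip(".")
    if not is_fqdn(ehlo):
        return "reject", "EHLO is not a fully qualified domain name"
    # linuxwrangler's case: the client greets us with our own name or IP.
    if ehlo == my_ip or ehlo in {n.lower() for n in my_names}:
        return "reject", "EHLO claims to be this server"
    # Step 1: the EHLO name must resolve to the address that is talking to us.
    if client_ip not in resolver.lookup_a(ehlo):
        return "reject", "EHLO name does not resolve to the connecting IP"
    # Step 2: reverse-resolve the connecting address.
    ptr_name = resolver.lookup_ptr(client_ip)
    if ptr_name is None:
        return "reject", "no PTR record for the connecting IP"
    ptr_name = ptr_name.lower().rstrip(".")
    # If the PTR name differs from EHLO it must still forward-resolve to the IP.
    if ptr_name != ehlo and client_ip not in resolver.lookup_a(ptr_name):
        return "reject", "PTR name does not resolve back to the connecting IP"
    return "accept", "forward and reverse mappings are consistent"


def sample_resolver():
    """Constructed records covering the cases discussed in the thread."""
    a = {
        "mybox.example.com": {"192.0.2.10"},               # EHLO name of a home box
        "foo.bar.baz.adsl.example.com": {"192.0.2.10"},    # its ISP-assigned PTR name
        "relay.example.org": {"198.51.100.7"},             # resolves forward, has no PTR
        "relay2.example.org": {"203.0.113.5"},             # PTR name points elsewhere
        "host5.example.org": {"203.0.113.99"},
    }
    ptr = {
        "192.0.2.10": "foo.bar.baz.adsl.example.com",
        "203.0.113.5": "host5.example.org",
    }
    return FakeResolver(a, ptr)


if __name__ == "__main__":
    r = sample_resolver()
    for ip, ehlo in [("192.0.2.10", "mybox.example.com"),
                     ("198.51.100.7", "mx.example.net"),
                     ("198.51.100.7", "relay.example.org"),
                     ("203.0.113.5", "relay2.example.org"),
                     ("198.51.100.7", "localhost")]:
        print(ip, ehlo, "->", check_client(r, ip, ehlo))
```

The first case is exactly wowbagger's point: the box's PTR name is the ISP's generic `foo.bar.baz.adsl.example.com` rather than `mybox.example.com`, yet it is accepted because both names forward-resolve to the connecting address. Note that a bare dotted IP such as `192.0.2.1` passes the FQDN test, which is why the "claims to be this server" comparison against `MY_IP` comes before the forward lookup.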
    1. Re:Yes, it has by musicgreg · · Score: 1

      I think that RFC1912 2.1 says you should have a reverse DNS for all your mail servers.

  12. Odd that you ask... by aster_ken · · Score: 1

    ...considering I just finished setting up PTR records for all 172 of our domain names. It's not at all difficult, and it doesn't exactly take up a lot of time.

    Actually, I didn't even know they were "optional" (if not in the standard then in practice). Oh, well... I guess that makes me a responsible net admin?

    While I'm talking about DNS, since this is my first go at it, what is this "@" sign that I see in example db.domain files?

    1. Re:Odd that you ask... by Rheingold · · Score: 1

      Are you assigning a separate IP address to each of your domain names? That's crazy expensive, given the cost of IP space. If not, you've created multiple PTR records for the same address, which is not valid. (While names can sensibly have multiple addresses, it doesn't make a lot of sense for an address to resolve to multiple names.)

      The '@' is a, um, macro or variable (I forget what the official name for it is) that is the name of the zone (i.e., the domain). You can use this mechanism to use one or a limited number of zone files for all the domains you host, assuming most are the same (which they typically are if you're doing bulk web hosting).

      --
      Wil
      wiki
    2. Re:Odd that you ask... by aster_ken · · Score: 1

      I see what you mean about the pointers.

      Yeah, all but three of those domains point to the same IP address.

  13. Your analogy is flawed by wowbagger · · Score: 1

    Your analogy of email to postal mail is flawed.

    A better analogy would be:

    "What if the post office refused to deliver any mail that did not have a correct return address on it."

    And guess what? In this post-911, post-anthrax mail, THEY WILL! You don't put a return address on the mail, they drop it - the Post Office I use has that sign right over the drop box.

    1. Re:Your analogy is flawed by Anonymous Coward · · Score: 1, Interesting

      "What if the post office refused to deliver any mail that did not have a correct return address on it."

      If we were talking about valid return addresses, that would be fine. But we're not. We're talking about IP-address-to-name mappings, a feature of the IP system that computers themselves were never intended to make any real use of in the first place.

      Now, to extend the analogy to the breaking point, the post office does not verify that your return address is actually correct when it accepts your mail. It just requires that you have one. Of course, in the computer world we're not required to live with that limitation. If SMTP had a facility whereby senders' addresses were verified before mail was accepted, that would be just fine.

      Say I have a mail account, "foo@example.com." When I send an email, the conversation starts with MAIL FROM. At that point, the mail server (be it a relay or the destination itself) contacts example.com and asks if "foo@example.com" has an account there. If example.com says yes, the server accepts the message. If it says no, the message is rejected. If the server fails to contact example.com, it says "try again later."

      Now, that's not foolproof. It merely guarantees that mail can't be sent unless the return address actually exists; it doesn't promise that the mail being sent is actually from the address it purports to be from. There are ways around that, too. When I send an email, my mail program on my computer starts by contacting example.com via an authenticated connection and telling it that I'm about to send a message with this message digest: blah blah blah. It then contacts whatever upstream mail server I'm using (example.com or otherwise) and says, "MAIL FROM foo@example.com DIGEST blah blah blah" or whatever. The server (if it's not example.com itself) contacts example.com and says, "Did foo@example.com send a message with digest blah blah blah?" Example.com then checks its records and says, "Yup. Sure did." If the mail server is the destination server for the message, it then tells example.com, "Okay, I'm the recipient for this message. Delete your record of this message digest," and accepts the mail.

      This system would work far better than the proposed solutions because it would actually verify what we really care about: did the message come from who it purports to come from?
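The scheme the poster above sketches (the origin domain is asked whether the account exists, whether it announced a message with this digest, and, at the final destination, is told to delete the record) can be modelled as a two-party exchange. The following is an added example of that proposal as a toy model, not a real protocol, not code from the poster, and not an SMTP extension that exists; the authenticated announcement step is assumed to have already authenticated the user, and the receiving server's "contact example.com" step is replaced by an in-process directory of origin servers (an absent entry stands for an unreachable domain).

```python
"""Added example: a toy model of the digest-announcement sender-verification
scheme proposed in the thread. Two parties: the sender's origin domain and
the receiving (destination) server. Constructed data only; not a real protocol."""
import hashlib


def digest_of(body: bytes) -> str:
    """The 'message digest: blah blah blah' from the post, made concrete as SHA-256."""
    return hashlib.sha256(body).hexdigest()


class OriginServer:
    """Stands in for example.com: knows its accounts and the digests its
    users have announced but which have not yet been delivered."""

    def __init__(self, name, accounts):
        self.name = name
        self.accounts = set(accounts)
        self.pending = set()  # (local_part, digest) announced and not yet consumed

    def has_account(self, local):
        # Answers "does foo@example.com have an account here?"
        return local in self.accounts

    def announce(self, local, digest):
        # Called over the user's authenticated connection (authentication assumed).
        if local not in self.accounts:
            return False
        self.pending.add((local, digest))
        return True

    def confirm(self, local, digest):
        # Answers "did foo@example.com send a message with this digest?"
        return (local, digest) in self.pending

    def consume(self, local, digest):
        # The destination says: I am the recipient, delete your record.
        # One-shot: a second delivery of the same digest can no longer be confirmed.
        if (local, digest) in self.pending:
            self.pending.remove((local, digest))
            return True
        return False


class ReceivingServer:
    """The destination MTA evaluating MAIL FROM ... DIGEST ... for a message."""

    def __init__(self, directory):
        # domain -> OriginServer; a missing domain models "could not contact".
        self.directory = directory

    def mail_from(self, sender, claimed_digest, body):
        local, _, domain = sender.partition("@")
        origin = self.directory.get(domain.lower())
        if origin is None:
            return 450, "cannot reach sender's domain; try again later"
        if not origin.has_account(local):
            return 550, "no such account at sender's domain"
        if digest_of(body) != claimed_digest:
            return 550, "claimed digest does not match message body"
        if not origin.confirm(local, claimed_digest):
            return 550, "sender's domain did not announce this message"
        origin.consume(local, claimed_digest)  # we are the final destination
        return 250, "accepted"


if __name__ == "__main__":
    example_com = OriginServer("example.com", accounts=["foo"])
    rx = ReceivingServer({"example.com": example_com})
    body = b"constructed test message"
    d = digest_of(body)
    example_com.announce("foo", d)
    print(rx.mail_from("foo@example.com", d, body))   # accepted
    print(rx.mail_from("foo@example.com", d, body))   # replay: record already consumed
```

The replay case at the end is what the "delete your record" step buys: once the destination has consumed the announcement, the same digest presented again, whether by the real sender or by someone who captured the exchange, is no longer confirmable. An intermediate relay in the poster's description would call `confirm` only and leave `consume` to the destination.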

    2. Re:Your analogy is flawed by jhunsake · · Score: 1

      If this is true, which I don't believe it is, then please provide the location of the post office doing this. I will happily report it to the postmaster general for you.

      Almost all mail I send doesn't have a return address on it. I haven't had a piece of mail lost in over 15 years, and I send and receive a lot of mail.

  14. Legitimate mail from unknown IPs by eddy+the+lip · · Score: 1

    I love it when slashdot has a story related to a problem I'm having at that very instant. How often does that happen?

    Here's the thing: we're moving a site to a new server with its own shiny IP address. There are many things on this site that send mail. None of these things will successfully get mail through in this circumstance because this IP doesn't have a DNS entry for it until the site goes live on the new server. Reverse lookups point to the current IP, not the shiny new one. Mail rejected as spam. And there's going to be a lag where some will get through and some won't as the DNS propagates.

    Now, I can make sure that all the right things are happening, but everyone would feel 100% better if mail could get out to, say, the Chairman of the Board and he could say "ah, I got the test message, all is well." And the lag while the DNS updates is more worrisome.

    It's entirely possible I'm missing some obvious way around this (google is my friend today), but this situation can't be uncommon, and I'm sure there are many similar situations in which entirely legitimate mail is being sent from an IP that can't be resolved in a reverse lookup.

    --

    This is the voice of World Control. I bring you Peace.

    1. Re:Legitimate mail from unknown IPs by Polo · · Score: 2, Informative

      I think you just have to make sure the ptr record resolves to SOMETHING, not necessarily the same thing as the A record.

      By this I mean:

      1) your company is called company.com and sends mail from either your old mailserver 4.5.6.7 or your new mailserver 1.2.3.4

      2) your shiny new mailserver's ip address may reverse lookup from 1.2.3.4 to t1-65.gateway4.myisp.com.

      Your ISP probably does this for you already.

      3) you could have t1-65.gateway4.myisp.com resolve to 1.2.3.4.

      I don't even know if 3 matching 2 is necessary.

      The IP address of "company.com" doesn't have to be associated with 4.5.6.7 or 1.2.3.4.

      However, if your mail server 1.2.3.4 is sending mail to someone, they should be able to reverse lookup 1.2.3.4 and get something.

      If they take it one additional step, the something might need to forward lookup to 1.2.3.4.

    2. Re:Legitimate mail from unknown IPs by Ashurbanipal · · Score: 1

      Generally, it's considered desirable to have the DNS functional before getting the rest of the site up and running.

      But if you can't get that going for some reason or other, just forward all mail from the new mailserver through the old mailserver.

      For example, if you are using sendmail, you set up the new mailserver to use the old one as a "smart hub" and explicitly list the new mailserver's address in the old mailserver's access.db as being allowed to relay mail.

      I can get more detailed if you want, but only if you use sendmail, because I am an old dinosaur and have never bothered to learn postfix (the only mailer IMnotsoHO that is probably superior).

      You can also just play games with MX records... you should always run a local nameserver (accessible from loopback only) on each mailserver anyway, you know - a mailserver pounds the bejabbers out of DNS and consequently should have local DNS caches to reduce network load and mail delivery times.

    3. Re:Legitimate mail from unknown IPs by eddy+the+lip · · Score: 1

      Ah, thanks...we requested number 2 yesterday, which is theoretically taken care of. Number 3 may or may not be an issue - guess I'll find out.

      Really, I'm just a web guy who knows enough TLAs that people sometimes think I know what I'm talking about. You've given me a good starting point for initiating the conversation, at least. Thanks!

      --

      This is the voice of World Control. I bring you Peace.

    4. Re:Legitimate mail from unknown IPs by eddy+the+lip · · Score: 1
      Generally, it's considered desirable to have the DNS functional before getting the rest of the site up and running.

      Don't I know it! Unfortunately, it's an existing site on a (crappy) host that we're moving to a dedicated server. There's going to be disruptions (lots of data to sync), but as much as possible we're trying to keep it up and available. Also, unfortunately, we don't have access to the config files on the old server, so we can't do fun routing things.

      Thanks for the offer of more details, but I've got enough to start on. Fortunately I'm not solely responsible for this. I just need to know enough to talk to the people that are. (MX records may be an option, though).

      Thanks!

      --

      This is the voice of World Control. I bring you Peace.

  15. I agree in theory. by Deagol · · Score: 4, Interesting
    This topic has sparked much heated debate in the postfix mailing list. Two camps exist. The first is the stop-spam-at-all-costs group, and then there's the you-evil-bastard-that's-not-mandated-by-rfc crowd.

    Both have valid points.

    I once tried this restriction with my employer's email server (we host a handful of university domains). It was a complete failure. Not because it didn't stop spam (I was finding several thousand spams per day rejected -- a 75% reduction of mail let through!), but because there were so damned many legit domains that didn't play by these common sense rules which you seek to enforce.

    The overhead of me fielding complaints from my users was just too much. You'd think that the bloody sender would get the clue that it was a problem at his end (due to the bounce messages provided by postfix), but that just wasn't the case.

    So I turned off the rules. I did come up with a compromise (I use postfix, btw). For major domains that should know better, and are in fact configured correctly (aol, hotmail, msn, etc.), I add a line like "earthlink.com reject_unknown_client" in my file pointed to by the check_sender_access line in my main.cf file.

    Also, when I receive a piece of spam that gets through, I add the forged From: domain to that list if the connecting client was "unknown". I then add the "reject_unknown_client" restriction to the offending class-C in my check_client_access file in main.cf.

    This method catches quite a few (maybe 50%). I use a few free RBLs to catch maybe 45% more spams. That other 5% gets through, but I haven't had a single complaint from my users since beginning this practice. So we're all smiles here now.

    If and when I ever run my own email domains (business and personal), I will use all the rules postfix can enforce.

    1. Re:I agree in theory. by sid+crimson · · Score: 1

      Any chance you have details on your efforts posted somewhere? I'd appreciate seeing them. Thanks in advance.

      -sid

  16. Not a big problem? by fsck! · · Score: 1

    Spam is a problem, sure. It's not nearly as big a problem as a few people seem to think it is, but it's a problem.

    I bet you don't work for an ISP. If you did, you would probably be aware of the incredible financial burden that ISPs have to carry in the wake of junk mass mailings. The bottom line is that the spammers are putting the livelihoods of Mom & Pop ISPs in serious jeopardy. Adherence to the RFCs seems pretty fair if it means saving jobs.

    Speaking pragmatically, however, I wouldn't block mail ONLY because the PTR record is bunk. Plug this into SpamAssassin and MAYBE you've got a workable solution. Do this for 24 months or so, and only then start blocking the suckers with bad PTRs.

    1. Re:Not a big problem? by PFAK · · Score: 1

      Most ISPs really don't block spam, only a few say they do. If they do, I don't know where they do *looks at his Hotmail email box with 400 spams*, and I get an average of 50-90 spams a day on my ISP's email.

      So yeah, I doubt my "large" ISP (services like 4 provinces) runs spam filtering. Well, I know for a fact they don't.

      So, if they just filtered the spam, it would save them a ton of bandwidth delivering it to the user.

      --

      Free means no restrictions, ironic the FSF's GPL forces restrictions, isn't it? What's your definition of free?
  17. You're definitely reading the HOWTOs wrong. by FreeLinux · · Score: 1

    It most definitely works. Here's how.

    Your server or network sits behind a cable modem so I will assume NAT is being used but, it doesn't matter.

    Your server 10.0.0.3 or maybe multiple servers 10.0.0.3, 10.0.0.4, 10.0.0.5 are all NATted to 88.88.88.88, for arguments sake. Therefore you should have DNS records, on your ISP's DNS server, that read like this.

    @ IN MX 10 mail.yourdomain.com
    mail IN A 88.88.88.88
    www IN CNAME mail
    ftp IN CNAME mail

    88 IN PTR mail.

    1. Re:You're definitely reading the HOWTOs wrong. by Ioldanach · · Score: 1
      Your server 10.0.0.3 or maybe multiple servers 10.0.0.3, 10.0.0.4, 10.0.0.5 are all NATted to 88.88.88.88, for arguments sake. Therefore you should have DNS records, on your ISP's DNS server, that read like this.
      But there's the problem... with a cable modem and standard service, most users can't get the ISP to put records in for their DNS. My PTR is a long simple name ( foo-bar-baz.nycap.rr.com or something ) but my domains are registered with another registry. Anyone looking for my domain gets word from whois to query the registry which then gives them my IP#. It's a cable modem, but the IP# doesn't change more than once a year on average. If they then turn around and ask for the PTR, won't they be asking for it from the ISP which will give them an entirely different name?

      Of course, part of my problem here is I'm not sure what the PTR is used for, and does it need to match the name you got there with.

    2. Re:You're definitely reading the HOWTOs wrong. by schon · · Score: 1

      My PTR is a long simple name ( foo-bar-baz.nycap.rr.com or something ) but my domains are registered with another registry.

      So why not simply change your HELO to "foo-bar-baz.nycap.rr.com"? (which, technically, it should be anyway, as that would be the canonical name for your IP address.)

    3. Re:You're definitely reading the HOWTOs wrong. by Tower · · Score: 1

      But the mail system sitting behind NAT may have no way of knowing what that is... many of the reverse names are foo-12.xx.yy.zz.nycap.rr.com or something along those lines. If the NAT box gets assigned a new IP, the name changes and the mailer may have no way of getting that information.

      --
      "It's tough to be bilingual when you get hit in the head."
    4. Re:You're definitely reading the HOWTOs wrong. by extra88 · · Score: 1

      Okay, but you've already got a script which watches for IP changes to update the non-canonical hostname, right? So add a few lines to the script to get the canonical hostname for the new IP, write it into the postfix.conf file (or whatever it's called) then kill -HUP postfix. I bet this is even a problem someone else has already solved but there's a good chance that writing your own is easier than finding someone else's.

  18. PTRs should not be required by 0x0d0a · · Score: 2, Insightful

    The fact that mail systems that require PTR records before accepting mail significantly reduces spam is reason enough that PTR records should be required.

    And this is a short-term fix which produces long-term issues. You reduce spam for eighteen months, spammers start just going through PTR-listed servers, and you're back to square one...except now you're using a broken mail system. Or spammers buy a throwaway domain -- they buy throwaway accounts, and a throwaway domain is no more trouble.

    I personally run a mail server on my computer, and don't gateway mail it sends. That's the way email was designed to work, and still the way it works best. I think that's pretty legitimate. I get an immediate response when mail delivery fails, can set how long I want resends to be done, and don't have to remember to change my gateway when I move from home to college and back. I have no reason to run out and buy a domain -- I don't have any reason to present a domain to the world.

    People requiring PTR records are running broken name servers. Most people that like this mindset -- restrict users for a short term gain -- have in my experience been fairly technically incompetent admins. Block everything except 80 TCP outbound, plop transparent proxies all over, try to convince people to use webmail, block mailservers...they see a short term gain. They aren't engineers, so to them, they've just "solved the problem". Then they wait a year, run into problems (people tunneling everything over 80 or setting up their own VPNs to get reasonable functionality, FTP to a similarly crippled site not working, etc), and try to find a policy-based, rather than a technical, solution. For the rest of the world, they're jerks with a bit of administrative power to abuse. IT people like this are easy to find -- they're the ones that the users resent, the ones that are making tasks more of a pain in the ass for core users, rather than easier.

    Just my two cents.

    1. Re:PTRs should not be required by Harik · · Score: 3, Informative
      I personally run a mail server on my computer, and don't gateway mail it sends. That's the way email was designed to work, and still the way it works best. I think that's pretty legitimate. I get an immediate response when mail delivery fails, can set how long I want resends to be done, and don't have to remember to change my gateway when I move from home to college and back. I have no reason to run out and buy a domain -- I don't have any reason to present a domain to the world.
      With all due respect, you're an idiot.

      Requiring a reverse DNS record isn't forcing you to go out and buy a domain, just to bitch at your ISP to give you a valid reverse DNS. It can be in your domain, or in theirs, it just has to exist.

      --Dan

    2. Re:PTRs should not be required by KILNA · · Score: 1

      Although I do mostly agree with your lament regarding admins taking the iron-fisted quick-fix approach, I do have to point out an inaccuracy. Email, SMTP specifically, was concocted with relaying mail as an integral *feature*. It was designed so that anyone on the network in the chain from the sender to the recipient (including any sporadically connected hosts) could spool the mail. Many Internet protocols are based on the idea of keeping everything working by exploiting the benefit that it's all running over a cooperative network. The most significant oversight was the naive assumption that the network was indeed cooperative. Limiting an SMTP server to relay for systems you trust only became common practice *after* the spammers started exploiting it.

      --
      Error: PANTS NOT FOUND. Press <F1> to continue.
    3. Re:PTRs should not be required by jakobk · · Score: 1

      Suuure, they will give you anything you ask for...

    4. Re:PTRs should not be required by Electrum · · Score: 1

      Requiring a reverse DNS record isn't forcing you to go out and buy a domain, just to bitch at your ISP to give you a valid reverse DNS. It can be in your domain, or in theirs, it just has to exist.

      Or it can be same domain used for reverse lookups. You can make the PTR record for 1.2.3.4 this: 4.3.2.1.in-addr.arpa

  19. Setting up postfix to do this? by i_am_nitrogen · · Score: 1

    Do you or anyone know of tutorials on setting up basic rules like this in postfix? I'm using postfix for my personal mail server (hosted on a static IP, but with reverse lookup pointing to the ISP, not my domain), but it's been so long since I set it up I don't remember how the configuration file works. I recall it took forever to read through the standard docs, so I was wondering if there's a refresher tutorial just for setting up DNS-based restrictions like these.

    1. Re:Setting up postfix to do this? by Deagol · · Score: 2, Informative
      I don't have the link, but search for the homepage of Ralph Hillendrandt (possible mis-spelling). He's a postfix guru who frequently posts to the postfix list. His homepage is chock full of sample configs.

      Also, the sample configs provided in the postfix distribution are a great resource. I haven't found a good definitive list of all postfix parameters and what they do in an easy-to-browse form. For now, we're stuck with trudging through the postfix documentation.

    2. Re:Setting up postfix to do this? by Deagol · · Score: 1
      Man did I munge the name!

      It's Ralf Hildebrandt, and his most useful homepage can be found here.

      My apologies, Ralf.

    3. Re:Setting up postfix to do this? by TeddyR · · Score: 1

      For mispelling his name, or for posting a link to his page on /. ? :-0

      --
      Time is on my side
  20. Yes. by Harik · · Score: 1
    Any site sending me mail without reverse DNS gets a temporary failure error message. Further, any claimed 'From' address with a non-resolvable domain (A or MX) such as 'adfgsadgh@asdkabm.com' gets bounced as well.

    I've found many ISPs are lazy about adding reverse DNS records. I've also had a hell of a time getting them to delegate the zone to my server when they won't handle it themselves. Still, there's lots and lots of spam that's not showing up. And earthlink, AOL, roadrunner and yahoo! have valid reverse DNS records, so I only get the occasional complaint.

    --Dan
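Harik's policy above has two distinct parts with two distinct SMTP outcomes: a client with no reverse DNS gets a temporary failure (so a legitimate site whose PTR is merely missing or slow to propagate can retry), while a MAIL FROM domain that has neither an A nor an MX record is refused outright. The following is an added example, not Harik's configuration or any MTA's code, that models both decisions with their reply codes over a constructed resolver; a domain listed in `FLAKY` simulates a DNS timeout, which is the case where returning 450 rather than 550 matters.

```python
"""Added example: map Harik's two rules (temp-fail on missing reverse DNS,
reject on an unresolvable MAIL FROM domain) to SMTP reply codes, using a
constructed resolver. Nothing here queries real DNS."""


class DnsTimeout(Exception):
    """Raised by the constructed resolver to simulate a lookup that times out."""


# Constructed records: (name, type) -> answers. Documentation-range values only.
RECORDS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("example.org", "A"): ["203.0.113.9"],          # no MX; falls back to A per RFC 2821
    ("198.51.100.7", "PTR"): ["relay.example.org"],
}
FLAKY = {"slow.example.net"}  # names whose lookups time out


def query(name, rtype, records=RECORDS, flaky=FLAKY):
    if name in flaky:
        raise DnsTimeout(name)
    return records.get((name, rtype), [])


def sender_domain(mail_from):
    """Extract the domain from a MAIL FROM argument.
    Returns None for the null sender <> (bounces), '' if no domain is present."""
    addr = mail_from.strip().strip("<>")
    if addr == "":
        return None
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def check_sender(mail_from, lookup=query):
    """Harik's second rule: the From domain must have an A or MX record."""
    domain = sender_domain(mail_from)
    if domain is None:
        return 250, "null sender accepted"       # must not reject bounces
    if domain == "":
        return 501, "sender address has no domain"
    try:
        if lookup(domain, "MX") or lookup(domain, "A"):
            return 250, "sender domain resolves"
    except DnsTimeout:
        # Unknown, not proven bad: ask the client to retry later.
        return 450, "temporary DNS failure for sender domain; try again later"
    return 550, "sender domain does not resolve"


def check_reverse(client_ip, lookup=query):
    """Harik's first rule: no PTR is a temporary failure, not a bounce."""
    try:
        if lookup(client_ip, "PTR"):
            return 250, "client has reverse DNS"
    except DnsTimeout:
        pass
    return 450, "no reverse DNS for client; try again later"


def decide(client_ip, mail_from, lookup=query):
    """Run both checks in connection order; the first non-250 reply wins."""
    for code, text in (check_reverse(client_ip, lookup), check_sender(mail_from, lookup)):
        if code != 250:
            return code, text
    return 250, "ok"


if __name__ == "__main__":
    print(decide("198.51.100.7", "<foo@example.com>"))       # 250
    print(decide("203.0.113.9", "<foo@example.com>"))        # 450, no PTR
    print(decide("198.51.100.7", "<adfgsadgh@asdkabm.com>")) # 550, domain unresolvable
    print(decide("198.51.100.7", "<x@slow.example.net>"))    # 450, DNS timeout
```

The design point is the split between 4xx and 5xx: a lookup that fails to complete tells you nothing about the sender, so the conservative reply is "try again later", whereas an authoritative empty answer for both MX and A is the evidence Harik's bounce rule relies on. The null sender is accepted unconditionally because rejecting it breaks bounce delivery.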

  21. Quite by sharkey · · Score: 1

    If you got rid of PTR, that would hang your PL and MRY records out to dry.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  22. Here's an even BETTER idea! by Ashurbanipal · · Score: 4, Funny

    Why not just refuse all messages that come from IP addresses that include the number 68?

    I have analyzed the vast body of spam (for Bayes purposes) that has come through my mailservers over the last year or so, and I find that a lot of spam is sourced from IP addresses that include this number.

    Sometimes it's x.x.68.x, sometimes it's x.n68.x.x, but that evil little 68 just keeps popping up!

    According to my numbers, a greater amount of spam comes from IPs containing 68 or 24 than comes from domains with inconsistent PTRs.

    So, using your own logic, I should just ban all IPs with 68 in them, and tell people with legitimate Email needs that they will have to find a new ISP.

    To paraphrase a previous poster, "The fact that discarding mail from addresses containing the number 68 significantly reduces spam is reason enough that everyone should do so. I too will have to stop using a bunch of numbers I own but, it is worth the effort to stick to this policy. If you have a 68 in your IP, you can't send me mail!"

    Note to moderators: Irony is not the same thing as flamebait...

  23. Your answer is definitely wrong. by Ashurbanipal · · Score: 1

    First off, you can't put inverse zone records (PTRs) in the same zone files as A and MX records.

    Second, the guy stated he has a cable modem, and thus he has no access to the inverse zone files for his IP. The cable ISP does not *want* him to have his own domain name, so they will *not* delegate any of the inverse namespace (which they own) to him. They want to force all his mail through their unreliable, virus-plagued, incompetently administered mailservers and not allow him to run his own.

    I recommend you read Cricket Liu's book "DNS and Bind in a Nutshell" before you start giving people DNS advice.

  24. Re:The answer is "dumbass" by Harik · · Score: 1
    SMTP AUTH, asshat.

    Perhaps you don't think spam is a problem. You, however, are wrong. When 80% of my incoming mail was spam, I'm spending 5 TIMES what I should be to deliver legitimate email. With that incredible volume, people's filters were failing and their inboxes were full of horsefucking herbal viagra peddlers. (Now with 95% more teen webcams!)

    By saying "fuckoff" to spammers, open relays, open proxies and general idiots, my users can actually USE their email, and the mailserver can get the legit email out in a reasonable amount of time.

    By the same token, the USPS is doing its job by not accepting bombs in the mail. Despite "The mail must go through!" motto, some things don't qualify.

    --Dan

  25. You're full of it. by FreeLinux · · Score: 1

    I have no reason to run out and buy a domain -- I don't have any reason to present a domain to the world.

    The topic was about PTR records not domain names but, you gleefully offer up that you use your own personal mail system without even a domain name. You are one 1337 h4x0r. Are you using UUCP? Because I can't figure out how you are doing it with SMTP.

    I can understand how you can send mail without a domain, although according to RFC 821 and its successor RFC 2821 you are required to enter a valid and resolvable domain at the helo/ehlo. But, the really big question is: How do you then receive email without a gateway or a domain? How do your buds send email to you? Do they enter to: 1337@65.31.97.241?

    I'm not aware of ANY MUA or MTA that will accept an IP address in the To: field. If your response is going to be that, you set the Reply to: field to your Yahoo account, then you are the type of person whose mail I am intentionally trying to avoid.

    1. Re:You're full of it. by leviramsey · · Score: 1
      I'm not aware of ANY MUA or MTA that will accept an IP address in the To: field.

      Then you're ignorant. Although no MTA will do this by default, it's trivial to make it accept mail addressed to an IP. In the case of my MTA, Postfix, it's a simple matter of setting the mydestination parameter. Postfix will also deliver to user@ip.add.re.ss. The Unix mail command and mutt are both MUAs that will happily allow addressing to user@ip.add.re.ss.

      I've found that rather than requiring a reverse DNS lookup on the connecting IP, I get equally effective results by doing an A record lookup and seeing if the IP matches.

    2. Re:You're full of it. by shadowjk · · Score: 1

      At least postfix is configurable to accept IPs, however, the correct form for the TO address then becomes user@[xxx.xxx.xxx.xxx]

      I very much doubt this works over IPv6, though.

  26. what about the price that the receiver has to pay? by doug · · Score: 1

    While I agree with what you are saying philosophically, I try to keep my feet planted in the real world. Spam generates costs that innocent people have to pay, and any scheme where the victims have to pay for the crimes of the guilty is broken. To me that has a higher value than the goal of perfect communication.

    Right now I'm in the US and I pay a flat rate for my cable modem, but not too long ago I lived in France and had to pay per-minute charges to the phone company for my dialup. My ISP charged a flat rate, but the French have to pay for all calls, even local ones. This meant that it was money out of my pocket to download and trash spam. That sucks big time, and it is unfair. Part of the implied social contract is that only things of interest should be sent. I understand that there are grey areas, but basically anything that has no chance of interesting me is abusive when it is on my nickel. How would you like to pay for the pleasure of getting telemarketers? People outside the US often pay for the joy of spam, and that is pure bullshit.

    Equally unfair are the companies that have to buy more resources (bandwidth, storage, etc) to manage the flow of spam. Why should they have to spend a single cent for someone to send spam?

    - doug

  27. This for that by n1k0 · · Score: 2, Insightful

    This isn't an all-inclusive list of reasons for people's DNS habits, but in my experience these factors seem to be among the most prominent.

    1) DNS management is often delegated to the ISP. If that ISP develops such bad habits as ignoring customers' reverse DNS when making updates to forwards, they have a fleet of Internet users with no reverse DNS.

    2) IT personnel often don't have DNS authority for their IP addresses because it's not worth the hassle for ISPs to give their customers reverse authority for only a few IPs in a subnet. ISPs have varying degrees of friendliness for managing reverse DNS through customer support personnel or a website. For organizations that update DNS often, sometimes it isn't worth the hassle of dealing with the ISP at all.

    3) People are lazy and stupid, and reverse DNS doesn't typically affect our daily lives. Most yahoos barely understand DNS beyond pointing and clicking in the Microsoft DNS Server Console (which, ironically, will automatically update PTRs when you make changes to forwards if you so desire). These would be the same schmucks who list CNAMEs as mail exchangers.

    The moral of the story is: The number of legitimate email providers with invalid reverse DNS far outnumbers the number of spammers. This is ample reason to NOT refuse to accept mail that has inconsistent forward and reverse mappings.

    Consider your business customers; are they going to care about fighting spam when they can't receive email from contacts at other companies? Are they going to want to hear, 'Well tell the person that's trying to email you to fix their server'? I think not.

    It would be much different if you weren't an ISP, but I don't feel that the annoyance presented by spam is sufficient reason to effectively tell your customers that they can no longer receive email from a fair percentage of Internet hosts because there's a small chance that they might be spammers. There are effective ways to fight spam that don't inhibit the users' ability to receive legitimate email.

    -Nick

  28. ISPs are mostly the problem. by Ashurbanipal · · Score: 1, Insightful

    Spam and worms are so commonplace because of the greed and incompetence of the really big ISPs.

    I could knock out every nimda and code red on comcast.net in 48 hours using their existing equipment. A little gawk, netcat, and snort and the manual for their switches is all I'd need.

    Similarly, the 100+ virii and spam I receive every weekend are mostly coming from AOL. I can detect them with MailScanner and SpamAssassin, using a P-133 computer running linux - I suspect AOL could do it too.

    But the big ISPs are the problem. They will NOT cut off a paying customer's access regardless of how obviously the customer is abusing that access - instead, they are tracking down people running private websites and NNTP nodes, because they want to be content providers and they don't like competition.

    I get 6-700 worm attacks a week on my cable modem at home - all identified by snort and stopped by iptables. All cable modem addresses are VLANS. The cable company can easily monitor them from a central point, and these are mostly KNOWN, EASILY IDENTIFIED worm spoor.

    The big ISPs are the biggest part of the problem because:

    #1 - they don't care about quality of service as long as they get their money

    #2 - they have regional monopolies

    #3 - they refuse to co-ordinate with each other

    Solve these problems and the Internet will start working properly again.

    1. Re:ISPs are mostly the problem. by fsck! · · Score: 1

      You're completely correct. The real victims here are the smallish ISPs, where the founder is still the chief tech, and the company has like 20 employees total. That's why I'm a proud cape.com subscriber. Not the cheapest on Cape Cod, but the service is worth it and they're an all open-source shop to boot. I much prefer giving my money to cape.com than Verizon or Earthlink.

  29. RFC1912 - 2.1 by I_redwolf · · Score: 1

    You should have a reverse DNS PTR entry for all your mail servers. You don't have to follow the RFC, but then you wouldn't be following standard behavior. In this case it's a good standard behavior to follow, so I don't see why people don't follow it. My mail servers will not accept mail if there is no reverse DNS entry: if I can't hold the admin of that mail server responsible for sending me UCE or for any other problems that might cost me time and headaches, why bother accepting the mail in the first place? One less headache for me.

    1. Re:RFC1912 - 2.1 by Quill_28 · · Score: 1

      I understand why you do this and completely agree.

      I would do the same, but I believe this causes problems for people with only 1 IP address.

    2. Re:RFC1912 - 2.1 by I_redwolf · · Score: 1

      That doesn't matter. Even dynamic IPs have PTR records assigned by the ISP for whatever block. I didn't say I block mail based on ISP, just if it doesn't have a reverse pointer, so I don't know what 1 IP address really has to do with it. 1, 2, 200, it doesn't matter.

    3. Re:RFC1912 - 2.1 by Quill_28 · · Score: 1

      I am no expert (not even close), but I thought one couldn't create the reverse config file; DNS wasn't designed to do that. I am thinking of a person running a DNS server off a cable modem and such.

      Thanks again, I could be wrong and have misunderstood what I read.

    4. Re:RFC1912 - 2.1 by I_redwolf · · Score: 1

      Let's say you have your cable modem and you enter and execute the command "host xxx.xxx.xxx.xxx" where the xxx octets are filled with your IP number. What is returned is the PTR to that IP, which would be your domain name assigned to that IP, which probably looks something like cablemodemxxx-xxx-xxx-xxx.isp.net.

      This record/entry can be changed by your ISP if you request it, so instead of cablemodemxxx-xxx-xxx-xxx.isp.net they could point it to something like machine.yourowndomain.com. There are several ISPs that allow this and several more that don't. The ISP owns the IPs; if you have a static IP you should have no problem requesting this, as it's static and never changing and you essentially own it. Dynamic is different, as you don't own any of the IPs, they are obviously changing (even if yours never changes), and the ISP has one less thing to deal with.

      Now a mail server should always have an MX record (Mail Exchange record). When you enter an MX record into your DNS config for whatever (bind, tinydns, etc.), that MX record should have a pointer regardless of what you call it. Some people simply don't have this so as to evade reverse lookups on their IPs. It doesn't really stop one from looking up where a block of IPs belongs to and starting to investigate from there, but it's quite annoying. The only other logical reason that exists is just a poor setup on the DNS administrator's part. A lot of people setting up DNS don't take the time to understand what exactly they are doing; they also don't take the time to implement it correctly or understand that an A record and a PTR record can't be used interchangeably and that things like a CNAME record should be used sparingly.

      So just like your IP, which is mapped to a machine that has a pointer to cablemodemxxx-xxx-xxx-xxx.isp.net, mail servers should have the same because they are nothing but machines. Quick example: if you ran a mail server, your reverse would be cablemodemxxx-xxx-xxx-xxx.isp.net. When mail is sent to my mail server, my server says "OK, let's reverse lookup what machine this is coming from; oh? You don't have a PTR record? Sorry, I cannot accept mail from you because you're an anonymous machine." If you have a PTR, my mail server looks it up and says "OK cablemodemxxx-xxx-xxx-xxx.isp.net, you are now free to send mail to whatever domains you have access to from here."

      I hope this helps. I recommend the O'Reilly book DNS and BIND for an understanding of the Domain Name System, as well as reading newsgroups, mailing lists and anything else you can get your hands on. I don't recommend you use BIND as a DNS server for its lack of security and bloat. However, I do recommend you use an alternative, which you should investigate on your own. Personally I use tinydns, which is a part of the djbdns package.

  30. Re:The answer is "dumbass" by Harik · · Score: 1
    By saying "fuckoff" to spammers, open relays, open proxies and general idiots...
    You're also saying "fuckoff" to anybody who sends email that happens to go through one of the systems that you have painted with that absurdly broad brush.

    Correct. I only accept mail from properly configured mailservers. The USPS doesn't pick up letters lying on the hood of my car and deliver them, they only take mail from approved mailboxes.

    Obviously, they're part of the problem!

    If you don't think spam is a problem, you're one of four things:

    1. Too new to have your email harvested.
    2. Someone with damn good email filtering.
    3. An idiot.
    4. A spammer.
    Try carrying out a conversation where the person you are talking to is speaking at 1/5th the volume of the used-car salesman with a megaphone. Freedom of speech also means being able to listen to the person you want to and not have him drowned out.

    And as problem/solution goes, the thousand odd people I provide email accounts for are quite happy with the improvement of the quality of their service. If you wish to try to tell them how wrong they are, feel free to buy an email list and spam them. They pay me to make sure that your attempts fail.

    Yesterday was slow: 66637 connections rejected for being spam. Generally that's about 10-15 emails each (judging from the logs of the ones that did get in). By the same token, there were 15574 emails delivered successfully, quite a few of which were spam that got through the filter.

    This means that over 81% of all email traffic going to me was spam. Still not a problem?

    --Dan

  31. Re:The answer is "dumbass" by Harik · · Score: 2, Interesting

    When you say, "I only accept mail from properly configured mailservers," what you're really saying is, "I only accept mail from mailservers that are configured in the way that I want them to be." There's no spec that says that mail servers shouldn't accept and relay mail. There's no spec that says mail servers must be resolvable by reverse DNS.

    You're right, I just pulled this right out of my ass as well. Nobody would bother to draft a best-current-practices about spam. And besides, it's only a request for comments, nobody needs to follow it.

    These are things that, while they may or may not be wise or even reasonable, you just made up arbitrarily. Which is counter-productive and harmful.

    Ye gods. Yes, now following best practices is considered counter-productive and harmful. Are you SURE you're not a spammer or an idiot?

    This isn't the wild west. You don't just pick an IP address out of your ass, and twiddle random bits in packets and say "Hi! I'm sending email you must accept it because I'm so COOL!". There's a number of things you have to do, and it's all about being a responsible member of the internet community. As times change, so do the accepted best practices. This is why we don't relay mail for anyone anymore, because it's considered rude to let thugs use your house as a base to rob others.

    Oh, blow it out your ass. The whole "if you don't agree with me then you're either stupid or you have an agenda" thing is unbelievably childish. Accept, instead, that I'm simply a guy with a different opinion from yours.

    No, you're someone who doesn't even respect his own position enough to commit his name to it. This just stinks of spammers, who hardly ever use their real name. The only reason I'm even replying is that you have some grasp of the English language, which most ACs do not.

    Well, two things. First, spam doesn't drown anybody out. All emails get the exact same attention when you read them. And secondly: huh? You have a... unique interpretation of freedom of speech.

    Not really. It's the difference between being allowed to talk to yourself in a closet and standing on common ground and telling other people what you believe. If we said "you can say anything you want, as long as nobody can hear you," how free is that? Either way, it's a side issue. The government isn't involved in this (yet).

    Dude, why aren't you reading what I write? YES. Spam is a problem. It's just that blocking connections for reasons that are only circumstantially and tangentially related to spam is a WORSE problem. I really don't understand why you're not getting this. It's one thing for you to disagree with me. It's another thing entirely for you to completely misunderstand me. Get it?

    I get what you're saying, it's just wrong. See, most spam comes from open relays or proxies. People who run those servers are directly contributing to spam. Why should I accept mail from a willing spammer accomplice? It's not THAT hard to lock down open relays. I've even got a box on my network that has to exist that has no anti-relay capabilities (UGH).... So I divert all inbound 25 traffic through a sendmail box first.

    If someone isn't willing to do their part to keep email a viable medium for communications, I'm not willing to listen to them. Is it such a hard concept?

    As for valid email from proxies/relays: No email should be coming out of a proxy server, open or otherwise. It's a hardware box, no mail queue, designed to cache webpages. Any email coming out of it is spam, period. For relays: While someone may be using the mailserver for legit mail, trust me. Once the spammers find it that box is so slammed with spam it crashes and takes out any real email that would be going through it.

  32. Re:what about the price that the receiver has to p by mysticalreaper · · Score: 1

    You're amazing. Truly amazing. Your tenacity for not giving up your ideas is phenomenal.

    Cutting off legitimate mail servers because they lack PTR records is not an acceptable solution...

    Tell me why a legitimate mail server can't have a PTR record? There's no reason why someone running a legitimate mail server can't have the PTR record set up correctly. And that's the reason why it's so strange when they don't set it up properly. Why would someone act like a spammer (fail to set up PTR records) when they're not?

    A) They're lazy
    B) they don't know about PTR records, which means they probably don't know enough to run a mail server
    C) They're thickheaded like you and think that when their friends (other friendly mail server admins) ask them nicely to behave civilly (set up PTR records) they're being forced to do something against their will, and they won't have any of that!

    You seem to fall into the C) category. And this is your problem: Even though we're giving you good advice, you're ignoring it cause it's not your own.

    I sincerely hope you don't run a mail server of any consequence.

  33. Points to consider by stilwebm · · Score: 1

    I run a mail server for several domains, and several dozen users. Here is what I've learned:

    First I found that being unable to resolve a PTR record is sometimes not an indication of a lack of a PTR. Depending on what DNS server your mail agent uses to do the reverse lookups, as well as the TTL (time to live) setting of the records, you might find mail gets rejected from legitimate sources. Several clients have had downtime on their DNS servers for their IP space, so PTR records wouldn't resolve. We rejected mail we shouldn't have because their TTLs were short enough that cached records were expired.

    We also noticed that many spammers use either improperly configured mail servers, trojaned/hacked dynamic hosts, or temporary accounts (increasingly rare). This accounts for about 95% of spam we receive, and most of it is from hosts with PTRs - cable modems, DSL customers, and mail servers for real users. The other 5% is easily blacklisted.

    We found that a more effective solution was to reject mail based on the From sender's domain rather than PTR record. If the domain is unresolvable, it gets rejected. If you run sendmail, making sure that FEATURE(`accept_unresolvable_domains') is commented out is sufficient to do this. This can suffer from the problem with failed lookups as well.
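    The checks argued over in comments 27, 29 and 33 above (reject when there is no PTR, whether to care that the PTR's name resolves back to the same address, and the difference between "no PTR" and "the lookup failed") can be written down as one connection-time policy. The following is an added example, not code from the thread or from any of the mail servers mentioned; the resolver is an in-memory table of constructed records (RFC 5737 documentation addresses, invented host names) so that it runs offline, and the SMTP reply codes are the usual 4xx-defer / 5xx-reject convention rather than anything a commenter specified.

```python
"""Connection-time reverse DNS policy for an SMTP gateway (added example).

Models the checks discussed in the thread: PTR lookup for the connecting
address, forward confirmation of the PTR (FCrDNS), telling "no PTR" apart
from "lookup failed", and a sanity check that a domain's MX targets are
real hosts rather than CNAMEs.  All DNS data below is constructed.
"""
import ipaddress

SERVFAIL = "SERVFAIL"  # marker: the resolver could not answer (timeout etc.)

# Constructed zone data standing in for live DNS.
ZONE = {
    # a properly set up mail host: PTR and A agree
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["192.0.2.25"],
    # generic ISP PTR whose forward name points somewhere else
    ("26.2.0.192.in-addr.arpa", "PTR"): ["cm-192-0-2-26.isp.example."],
    ("cm-192-0-2-26.isp.example.", "A"): ["198.51.100.7"],
    # reverse zone's nameservers are down: answer unknown, not absent
    ("27.2.0.192.in-addr.arpa", "PTR"): SERVFAIL,
    # 192.0.2.28 has no entry at all -> NXDOMAIN
    ("example.net.", "MX"): ["mail.example.net."],
    ("example.org.", "MX"): ["smtp.example.org."],
    ("smtp.example.org.", "CNAME"): ["mail.example.net."],
}


class DNSError(Exception):
    """Raised when a lookup fails for reasons other than 'no such record'."""


def lookup(name, rtype):
    """Stand-in resolver: [] means NXDOMAIN/NODATA, DNSError means tempfail."""
    answer = ZONE.get((name, rtype), [])
    if answer is SERVFAIL:
        raise DNSError(f"{rtype} {name}: SERVFAIL")
    return list(answer)


def addresses(host, resolve=lookup):
    """Forward-resolve a host name (A and AAAA) to address strings."""
    return resolve(host, "A") + resolve(host, "AAAA")


def classify_client(ip, resolve=lookup):
    """Return (status, detail): fcrdns / ptr-only / no-ptr / tempfail.

    'ptr-only' means a PTR exists but none of its names resolves back to
    ip, i.e. the inconsistent forward/reverse mapping comment 27 mentions.
    """
    ip = str(ipaddress.ip_address(ip))  # canonical form for comparison
    try:
        ptrs = resolve(ipaddress.ip_address(ip).reverse_pointer, "PTR")
        for host in ptrs:
            if ip in addresses(host, resolve):
                return "fcrdns", host
    except DNSError as err:
        return "tempfail", str(err)  # unknown, so do not treat as missing
    if not ptrs:
        return "no-ptr", ip
    return "ptr-only", ptrs[0]


def smtp_reply(status, detail, strict=False):
    """Map a classification to the SMTP reply sent at connection time.

    A failed lookup is deferred (4xx) so the sender retries once DNS is
    back, instead of being bounced for an outage.  strict=True also rejects
    PTRs that do not forward-confirm; strict=False lets them in and leaves
    the decision to later filtering.
    """
    if status == "tempfail":
        return 450, f"4.7.1 reverse DNS lookup failed ({detail}), try later"
    if status == "no-ptr":
        return 550, f"5.7.1 no PTR record for {detail}, see RFC 1912 2.1"
    if status == "ptr-only" and strict:
        return 550, f"5.7.1 PTR {detail} does not resolve back to client"
    return 220, f"hello {detail}"


def check_mx(domain, resolve=lookup):
    """Report MX targets that are CNAMEs or have no address record."""
    report = []
    for target in resolve(domain, "MX"):
        if resolve(target, "CNAME"):
            report.append((target, "MX target is a CNAME (not allowed)"))
        elif not addresses(target, resolve):
            report.append((target, "MX target has no A/AAAA record"))
        else:
            report.append((target, "ok"))
    return report


if __name__ == "__main__":
    for client in ("192.0.2.25", "192.0.2.26", "192.0.2.27", "192.0.2.28"):
        print(client, *smtp_reply(*classify_client(client)))
    for domain in ("example.net.", "example.org."):
        print(domain, check_mx(domain))
```

    The point of the tempfail branch is the one comment 33 makes: a resolver that cannot reach the reverse zone returns an error, not "no such record", and a gateway that turns that into a 550 bounces mail it would have accepted an hour later. Swapping the table-backed lookup for a real resolver only requires a function with the same (name, rtype) signature that raises DNSError on SERVFAIL or timeout.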

  34. More Importantly..... by Sevn · · Score: 1

    Joe cablemodem user can set up a DNS server and click all the boxes he wants, but still won't have control over his reverse DNS most of the time. So clicking the little box will accomplish absolutely nothing. You have to be authoritative for your forward and reverse to muck with it. As for running old versions of BIND, I have about as much respect for a so-called company that can't be bothered to set their reverse DNS as I do for one that can't be bothered to hire a DNS admin smart enough to keep a current version of BIND, djbdns, etc. up and running. Also, from extensive industry experience, it's been my observation that most shops running Microsoft DNS are small, don't set their reverse correctly, and don't care because they aren't doing anything that important or they'd use a better platform. No trolling intended at all. It's how things pan out when you have a Microsoft person attempt to manage a traditional UNIX service.

    --
    For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
  35. My solution: The mail toaster by gregwbrooks · · Score: 1
    I know this isn't a debate over various mail servers, but Matt Simerson's qmail-based "mail toaster" just added checks against a bunch of open-relay blacklists and a reverse-DNS lookup against the sender's "From" field as options in the build script.

    Together, these have reduced about 90% of the spam my users were receiving.

    The toaster (basically qmail with tarpitting, secure remote access and apache/mysql for a webmail component) is secure, free and supported by an active mail list. You might want to give it a look.

    --


    "It was a summer's tale: Just a boy, his Linux, and a head full of dreams..."
  36. IPX over SLIP by Gothmolly · · Score: 1

    Actually, IPX _doesn't_ run over SLIP.

    --
    I want to delete my account but Slashdot doesn't allow it.
  37. Re:Yes and no. - Think of it this way. by haruchai · · Score: 1
    I live in Canada and, on several occasions over the last few years, I've put the wrong amount of postage on my mail.
    The reason was that the postal rate for basic lettermail had gone up, typically by 1 or 2 cents, never more than that.
    So, what action did they take? If, as is my habit, my return address was on the letter, they return it to me. If I've not put a return address, it becomes, I imagine, undeliverable.
    Now, this cannot be the most economical or customer friendly way to deal with it but that's their policy. The same rules should apply to e-mail - policies are chosen for the greater good and then they must be adhered to. Unfortunately, there will always be someone who is either mildly or severely inconvenienced by the rules. C'est la vie.
    --
    Pain is merely failure leaving the body