Ask Slashdot: Is Reverse DNS a Worthy Standard For Fighting Spam?

drmartin66 makes it to the front page with this question: "Last weekend I installed a new spam filter server for a client, and enabled connection rejection if the sending server did not have a Reverse DNS record. Since then, I have had a number of emails rejected from regulator bodies that do not have a Reverse DNS record, and are refusing to have one created for their email server. What is your opinion of Reverse DNS records? Are they (or should they be) a standard, and required? Or are they useless for spam fighting?"

rDNS

[alphatel]

Like all things spam, marking the message as bad automatically is generally discouraged. If you simply increase the SCL value by some reasonable number, and continue to raise SCL based on other soft violations (like spamhaus, surbl, etc), you will rarely put good senders in the junk email folder, and very frequently be able to reject most spam content.

Re:rDNS

[SmurfButcher+Bob]

Yep, rDNS works really well until your DNS goes tits up, or until MY DNS goes tits up, or until Pakistan accidentally BGPs something that makes you unable to resolve the query... again.

If the email you receive is anecdotal crap, it won't be a big deal. If the email you receive is of merit, then this test makes an unreliable protocol even worse.

Re:rDNS

[mellon]

Yup, I tried this for a while years ago and lost a lot of good mail. Recently when my server on a rack in California died and I couldn't get to it for a couple of weeks, I set up a backup server on my home connection (which is Comcast Business, so they don't filter port 25, but I don't have an rDNS set up). Not a single message I sent was bounced. So I conclude that not only is it the case that this isn't an effective tactic, it's also not a technique that anybody uses, for some reasonable value of "anybody."

Re:rDNS

[DarkOx]

If your DNS goes tits up you are doing it wrong, DNS is teir1 infrastructure it should be AT LEAST as redundant and well protected/maintained as your mail server.

If MY DNS goes tits up don't worry I can't resolve your domain to send you any mail anyway.

If BGP gets hosed up, then DNS servers are no more able to reach each other than anything else, they won't be able to resolve A,AAA, and MX queries any more than they can PTR queries, and our mail servers won't be able to connect with each other even if we could get DNS results.

Doing PTR checks does nothing to reduce reliability.

Re:rDNS

[snugge]

If YOUR DNS goes tits up, maybe you won't be able to recieve mail either. Your problem.
Get a secondary name server in a different physical location.

Re:rDNS

[silas_moeckel]

I soft fail for things like this. The issue will get resolved or it will time out on there end and they will get a note about it. I hard fair for more definite things like multiple RBL listings spammy content etc. In no event do I ever accept a message that does not go into somebody's inbox. Effectively if somebody sends a spammy message they should know within a few minutes that it was not delivered. If it temp fails there mail system may or may not tell them immediately but those are assumed to resolve themselves.

Re:rDNS

[BagOBones]

Agreed, you can't hard fail on it because too many of your clients will have it configured incorrectly.

Re:rDNS

[wmbetts]

Funny you mention comcast, because they do reject mail if it doesn't have proper rdns setup.

Re:rDNS

[SmurfButcher+Bob]

I don't think the actual internet works the way you think it does. However, I have no doubt that your view is perfect for the very simplified myopic universe you live in.

Things like OpenDNS.com should make you shut up, hopefully. If it doesn't, then perhaps the DNS hosting provided by NetSol and Dotster and that ilk, will. And please do not comment on the impact of screwed BGP if you don't comprehend how it affects peering. If you actually insist that a DNS query to god-knows-what server is going to take the exact same route to god-knows-some-MTA on another ASN, you're a moron. If you actually insist that the PTR records are hosted on the same DNS server that MTA uses for resolution, you're an even a bigger moron.

That, or you have not the slightest clue as to what you are talking about. From a reliability standpoint, PTR checks are horrible risk with low value.

Re:rDNS

[SmurfButcher+Bob]

You're dumb enough to host your external domain recs on the same DNS server that's used by your MTA?

Your PTR recs aren't actually hosted by your IAP? You actually host your external domain recs yourself? You don't resolve via OpenDNS or that type of thing? You send AND receive via the same, SINGLE MTA???!

FFS! lmao

Re:rDNS

[tlhIngan]

I set up a backup server on my home connection (which is Comcast Business, so they don't filter port 25, but I don't have an rDNS set up). Not a single message I sent was bounced. So I conclude that not only is it the case that this isn't an effective tactic, it's also not a technique that anybody uses, for some reasonable value of "anybody."

Lots of anti-spam systems DO NOT send bounces anymore. Because it's useless - if it's spam, then it's probably got a forged From: header, so sending a bounce does nothing but annoy the guy who owns the email address and who does not have one single connection to the spam. Sometimes a spammer will forge emails from a domain, flooding the domain owner with bounces (joe-job). This is doubly so if the domain isn't using domainkeys or SPF (adding those things seems to lessen the likelihood of a spammer using the domain).

Instead, most spam is just silently dropped.

Now, your email may have failed the rDNS checks everywhere, but most configurations have it soft-fail, so it'll get passed on as spam tagged but not dropped. The ones that hard-fail, well, they never got your email and may have wondered what happened.

Re:rDNS

[Tri]

While I agree that you shouldn't send a bounce for spam messages after you have accepted it, there's still a nice way of doing this. Simply reject the message before you've accepted delivery. You'll provide useful feedback to false positives and you won't get bounce backs to random addresses.

Re:rDNS

[scdeimos]

Yes but he was sending from Comcast, not the other way around. rDNS tests are applied by receiving servers.

Re:rDNS

[wmbetts]

Yes, what I was getting at was "Not a single message I sent was bounced". Implying rDNS isn't import for delivery of email. However, the ISP he was using to send with will bounce emails if the sender doesn't have valid rDNS setup. So it is important for delivery.

Some other servers that will bounce for invalid rDNS Yahoo and AOL.

Re:rDNS

[Coren22]

So than, why did you indicate in the post he was replying to that BGP errors in Pakistan would take out DNS somehow if you already know it wouldn't necessarily take out DNS?

Re:rDNS

[SmurfButcher+Bob]

Because it might impact his ability to resolve a specific query, while having ZERO impact on me, or the DNS service itself, whatsoever.

Respectfully - if you don't understand how peering works... take this as an opportunity to look it up and understand what I just said.

Re:rDNS

rDNS is too black and white. There are too many ISPs that wont let you at the PTR record for your IP. And, yeah, using it as a spam sign is probably the way to go.

But if you do have a high proportion of spam to legit mail, and server performance is suffering, consider trying out greylist milter. Set it up to greylist for say a minute or two and autowhitelist for 14 days ie, first message every two weeks from a legit email address will be delayed, but not for long.

It seems enough spam bots don't obey 'server busy - try again soon' messages to make it worth the short delay for us.

They are not completely useless, just mostly so

Yes, it may cut down on the "infected" PC spam that hits a mail server, but all it will do is drive that traffic to the numerous spam farms that are opening operating on ISPs

Re:They are not completely useless, just mostly so

[Cramer]

Translation: it is almost completely useless. Such a policy is far more likely to drop non-spam as actual spam. Spammers rarely have any difficulty finding and/or setting up hosts with working PTRs. People running real mail servers may have a hard time getting PTRs set correctly. (Yes, there are asshats who not only require a PTR, but require it to be a certain format!)

Absolutely required.

[jonpublic]

Yes. Absolutely. It works.

Re:Absolutely required.

In a few minutes, any chucklehead with a credit card number can spin off some cloud instances from any one of several providers and - surprise - set the reverse DNS records to anything they desire.

Re:Absolutely required.

[mpb]

Absolutely agree. Simple and efficient way to block one spam injection method.

Re:Absolutely required.

[muon-catalyzed]

> Yes. Absolutely. It works.
No it doesn't. You lose/drop about half of emails. The problem is that not always email and web server match. For example if you are using a cloud hoster for email, then your email sender's IP will resolve to the cloud server instead of your own domain server (@yourdomain.com) and RDNS check will then reject your email.

Re:Absolutely required.

[SaDan]

Agreed.

Re:Absolutely required.

[omnichad]

That's not how the reverse DNS check works. When your SMTP server connects to another computer, it announces itself with a HELO. That HELO should resolve to that server's IP address. The reverse DNS of that IP address should be the same DNS name given in the HELO. This has nothing to do with using a different outgoing vs. incoming server or anything in your SPF records.

Re:Absolutely required.

uh. negative.

i'm not sure what you are describing, but the way it work is this:

incoming connection says ehlo "my name is fleaflicker.bigbonus.tld"

my postfix server would note that the connection is coming from 10.10.205.71

It does a check for the ptr record of 10.10.205.71

IF YOU REREAD THE SUMMARY, he's just looking for a ptr record, ANY ptr record. You'd be surprised how many have no record at all. This is what we're looking for, and dropping.

When you do get a ptr record, who cares if it doesn't MATCH, 99% of them don't match.

dropping connection attempts because they don't match is stupid.

what you can do, is besides dropping attempts with null ptr records is to check those that do have a ptr for words like "pool", "dsl", "loop", "static", "dhcp", "dynamic" etc etc etc, and decide what you want to do based on those terms...

Re:Absolutely required.

Wrong. The owner of the IP address, usually the ISP, is authoritative for the reverse zone. It can't be arbitrarily manipulated without gaining authority over the zone anymore than a forward zone could be manipulated.

Re:Absolutely required.

[Archangel+Michael]

Reverse DNS simply identifies poorly or misconfigured EMAIL servers and DNS entries. Even if legitimate servers, it indicates a level of administration that is simply lazy. It takes five minutes to configure the HELO and DNS records to be the same if you know what you're doing.

So, if you can't be bothered with PROPER server administration, please don't blame me for rejecting your email coming from your domain. I don't trust you or the job you're doing, as you've announced you are either too lazy or incompetent to do your job right.

It works, just not the way you wish it works. HELO = DNS or you don't get to send me email.

Re:Absolutely required.

[Cajun+Hell]

They can can, but do they?

They can write you a personal letter about how your job at Foocorp is stressing you out and not only leaving you with less energy at the end of the day, but that the stupid meeting Johnson scheduled for Monday morning has you discouraged and feeling down all weekend, and that this is why you can't get it up, so you might want to at least stop taking everything so seriously, and most importantly, quit worrying about things that are beyond your control and you'll find your sex life has improved. But what they do is send you a misspelling-filled ad for Viagra.

Re:Absolutely required.

[nabsltd]

The owner of the IP address, usually the ISP, is authoritative for the reverse zone. It can't be arbitrarily manipulated without gaining authority over the zone anymore than a forward zone could be manipulated.

So, what you're saying is that because so many ISPs provide some sort of default reverse DNS (host132.newyork.example.com), then choosing to reject e-mail based on the lack of a PTR record will not only lose legitimate e-mail if the ISP doesn't create a default, but also only rarely block spam.

Re:Absolutely required.

But your cloud or VPS provider will give you the ability to modify the RDNS of the IP(s) you're leasing from them. They don't necessarily check the validity of what you're assigning it to.

Re:Absolutely required.

[lgarner]

Right. If you verify that the domain name matches, you'll block a whole lot of email from anything that's on a shared host, since the rDNS will be for the hosting provider's domain. On the other hand, just checking for a record is pointless. My home broadband has a rDNS record.

Re:Absolutely required.

[nabsltd]

It takes five minutes to configure the HELO and DNS records to be the same if you know what you're doing. It works, just not the way you wish it works. HELO = DNS or you don't get to send me email.

This violates the RFC. The only check you can do is for the correct HELO syntax.

The argument to HELO is supposed to be an FDQN (although an IP-address literal is also valid, but a bare IP address is not). It does not have to resolve, nor does any PTR record have to return that same FQDN.

Luckily, you're not doing much harm. I ran my mail servers for over a year checking (logged only) for both whether the HELO resolved at all, and if it matched the PTR lookup from the connecting IP. Since I reject for bad HELO syntax, it turns out that the other checks on the HELO argument would reject less than 1% of remaining connections. Greylisting deals with everything that would have been rejected by HELO argument checks, plus a lot more, so that's what I stick with.

Re:Absolutely required.

[LordThyGod]

Total nonsense. I've done it for years, and the very high majority of the mail rejected is junk. The ones that aren't are mis-configured. Also, cloud servers can certainly have rDNS configured. At least the ones I've dealt with. But sending mail directly from cloud servers like amazon and rackspace is bad for other reasons unrelated to DNS. What the reverse DNS check does (at least on Postfix) is check that there *is* reverse DNS, and then reverses that back to the original ip. If either tests fail, its rejected. It does not have to resolve to any particular domain, it just has to resolve.

Re:Absolutely required.

[Amouth]

right but if your trying to spoof a legit domain then you can't make your rDNS IP & client DNS name and address line up. sure the spammer can just use their own domain normally and it will line up - but for anything above normal spam you wouldn't be able to spoof another domain. the big issue with using rDNS is it screws over shared hosts - and the easy solution to that makes it useless for blocking spam

Re:Absolutely required.

I didn't really speak to that. I just wanted to correct the commenter that claimed that all one need do is sign up to a virtual host to somehow magically hijack someone else's reverse DNS zone. It wouldn't be that simple. One would either need to trick the authority responsible for delegating the zone or hack a server in the chain of authority.

The reason many mail servers require matching forward and reverse DNS is because it provides a level of assurance that your ISP is aware of and approves of your providing an outside service to the Internet -- in this case a mail server. It's not a guarantee that spam won't come from your server, but gives your server an added level of credibility.

Re:Absolutely required.

Sure, and just the same, it is trivial to spoof email as if it's coming from any domain. What can't be spoofed, without social engineering or hacking, is a matching forward and reverse DNS record for the mail server. If one changes their reverse DNS to match that of the forward DNS for the domain that they are looking to spoof, once a forward lookup for the host is performed, the legitimate IP address will be returned, exposing the spoof.

Re:Absolutely required.

[Archangel+Michael]

RFC doesn't require it, I do. The RFC allows open relays too, doesn't mean it is good practice. I would not consider an open relay to be a properly configured server, would you?

Re:Absolutely required.

[Cramer]

For some services, it's a matter of going to your customer control panel. Others, it takes a single email. And then for others, you have to show up in person with a hammer and do it yourself since their staff are complete morons. (cheap comes at a price.) Spammers will generally avoid the latter because they have better things to do with their time.

Re:Absolutely required.

[Cramer]

In a perfect world, it's a simple process of asking the ISP to change the record. HOWEVER, this is not a perfect world. In over 20 years, the only time I've gotten PTRs updated simply and quickly was when I could vi the zone file myself.

Re:Absolutely required.

Yeah, it even works against legitimate email. That's the problem.

Re:Absolutely required.

[nabsltd]

RFC doesn't require it, I do.

No, the SMTP RFC does not permit rejection based on the argument to HELO unless it is syntactically incorrect.

Probably useless

[Anrego]

In all but the most closed groups, having a system that generates lots of false positives is in most cases going to be a bad move in my opinion.

Re:Probably useless

[donrich39]

Mostly useless because the NSGA (National Spam Growers Association) spends untold millions of $'s lobbying congress to not pass any laws requiring revers DNS.

Re:Probably useless

And definitely aggravating. My otherwise excellent ISP has been doing this for years, and it's a pain in the butt because it can block all correspondence with certain domains -- including one old friend I was working with on a book. Worse, you have no indication when this might happen until the victim calls you and says "your ISP is bouncing all my mail." Ironclad rejection rules are VERY bad.

Better Question...

[RedACE7500]

What reason would anyone have to be running an SMTP server without a PTR record?

Re:Better Question...

[alfredos]

Incompetence.

Re:Better Question...

Because many small business have no control over DNS. Try calling the Mumbai office of ATT and getting them to even understand what you are talking about. I have seen some SMTP server reject mail if the PTR does not exactly match the name of the server.

Re:Better Question...

Remember, the majority of legitimate systems are not run by professionals. They are run by someone who had some IT related training somewhere and was made the mail administrator because they could kind of sort of make it work. Spammers on the other hand tend to have more detailed technical knowledge. This isn't a good thing, but it is the way things are and will continue to be so as long as companies continue to try and get things done with fewer resources than they really would like to have. And don't worry, it isn't anything against techies, the majority of the people doing marketing don't have a good education in marketing either, and the majority of sales people learned on the job from another non-trained sales person, and and and... So we can whine about how people ought to do things all we want, but the reality of it is that it is more important to figure out how to make it work for and with those who are barely able to get and keep their system running.

Re:Better Question...

[RedACE7500]

Both ACs below seem to agree.

Re:Better Question...

[Entrope]

A lot of small organizations have ISPs (or just service plans) that will not let them choose RDNS records. They would have to outsource their mail services to send outbound mail through a computer with a valid RDNS record.

Re:Better Question...

[Enry]

Maybe they're hosting multiple e-mail domains from the same site? (I do).

Re:Better Question...

[RedACE7500]

You don't have to choose the record. The ISP just has to ensure that the PTR for an IP resolves to a name, and the A for that name resolves to the original IP. The name can be completely up to them and doesn't even need to reflect the domain for which you're sending mail. However it should avoid using a name that makes it appear to be a dynamic IP, which some receivers may penalize you for.

Re:Better Question...

[imemyself]

Reverse DNS doesn't have to match the domain that they are sending mail from. It should just match the name that the mail server is presenting when it does a HELO. There should also be an A record out there for that hostname pointing to the IP.

Re:Better Question...

[Qzukk]

I've got a PTR record for mine, but my DNS server isn't authoritative for the colo's netblock, so nobody will ever ask for it.

Re:Better Question...

[Entrope]

In practice, that doesn't help much. Before switching to my current Internet connection, I had business-class cable modem service because that was required to get a static IP address from that ISP. My IP address had a PTR record with a non-resolving hostname (which looked a fair bit like a dynamic address, in spite of being static). When I tried to call the ISP about it, I got a bunch of confused tech support people who could never figure out who could fix the PTR.

Re:Better Question...

[afidel]

We significantly increase the spam score for no reverse DNS, if a business partner has incapable IT we just whitelist their domain. This works for fighting the 99.99% of messages from hosts without a proper rDNS while allowing us to make exceptions for legitimate traffic which is in general the best way to approach spam fighting.

Re:Better Question...

[RedACE7500]

You gave an example of a broken setup to demonstrate how a working setup doesn't help much?

Re:Better Question...

[snsh]

Those same ISP's which do not support rDNS for customers typically host a well-configured SMTP server which customers can use as a smarthost. So, you configure your SMTP server to relay mail through your ISP's SMTP server.

This solves the rDNS problem.

Re:Better Question...

[Entrope]

No, I gave an example of a broken setup to demonstrate that a lot of small organizations (who still pay for business-class service that should work properly) cannot always get valid reverse DNS records for their mail servers. Clear enough now?

Re:Better Question...

[Entrope]

Cite for "typically", please? Mine did not.

Re:Better Question...

[Anon-Admin]

I hate to say it but you have way too high of an expectation of ISP's

I have a static address on a business account via a major ISP. I have a Domain name and have DNS. My DNS resolves to www.mycompany.com but the ISP has the PTR set to 111.222.333.444.static.ISPDOMAIN.COM

They will not change it no matter what I ask and E-mail from my domain through my e-mail server is rejected because the PTR does not match the A record. It has gotten so bad that I had to pay for a mail relay host to push my mail through. To me, this is a risk because they (The relay) could intercept, monitor, or filter the private e-mail between me and my customers which would directly effect my business.

So, personally I say it is a bad idea!

Re:Better Question...

[tibit]

Reverse DNS costs good money: you need an IP delegation, typically. Many ISPs will charge you extra on top of what IANA or wtfever charges for that. It's hard to justify, for a small business, spending $1.5k+ on something that will prevent maybe 5 outbound emails a month from being misclassified...

Re:Better Question...

[omnichad]

You don't need IP delegation. Most ISP's offering business class Internet will just set the reverse DNS records up for you on your static IP address. Yes, you have to get in touch with their support, and yes, you have to get a rep that knows what you're talking about - but there's typically not even an extra charge.

Re:Better Question...

[Megane]

The reason is because the PTR record basically depends on the provider of the IP address space, and their cluefulness and willingness to maintain PTR records. You either have to have them add your PTR record to their authoritative in-addr.arpa DNS server, or get them to assign authority to your own DNS server. The latter is (AFAIK) difficult because you can't do binary masks on decimal numbers in zone files, so if you have a zone that isn't a /24 (or /16), your ISP has to about the same amount of work as if they were doing it for you. And some providers are too clueless to set up PTR records at all, period.

In my case, I run a web server, e-mail, and authoritative DNS from my fixed-IP DSL at home. (I do have PTR records, but nobody would know to use my DNS server for in-addr.arpa.) Because I understand this and other problems, I have my mail server send outbound mail up to my ISP's outbound mail server. And then I send outbound mail from my laptop to the ISP's server anyhow, because the ISP supports a username/password, so I can still send mail when not at home without setting up my server as an open relay or setting it up for authentication (or having to change my e-mail client configuration). In extreme cases, I can SSH tunnel to my home system and send mail out that way, but I haven't done that in a long time.

So it requires a combination of an IP provider who is either clueless ("regulator bodies"? Government is a fine source of cluelessness), unwilling, or too much trouble to work with, plus the sender not having (or more likely not knowing to use) an upstream e-mail server.

Re:Better Question...

[mellon]

Lack of access to the reverse DNS tree, or else running multiple domains on the same server. Reverse DNS is not guaranteed to be correct, and is not useful for filtering spam; its highest use is in troubleshooting, because a human being is using it, and can evaluate how meaningful the data there is.

Re:Better Question...

[Just+Some+Guy]

Reverse DNS doesn't have to match the domain that they are sending mail from. It should just match the name that the mail server is presenting when it does a HELO.

Absolutely. In fact, it's extremely rare for the mailserver to have the same name as the mail it's sending. For example, I got an inbound connection from mail-yw0-f63.google.com to deliver a message from somelist@googlegroups.com.

Re:Better Question...

...and creates a SPF problem.

Re:Better Question...

No.
Don't pay for junk.

Re:Better Question...

[laffer1]

I think ISPs do this on purpose to make people pay more. I have the same problem with Comcast. I have business class cable for hosting my websites and they only allow you to change the PTR record if you buy hosting through them too.

They used to allow me to relay through a mail server, but took that away earlier this year. I have static IPs and they know I'm doing this. It's in the contract. In fact, I had a few questions from them because of the anonymous FTP server used for ISOs and all the IPv6 tunnel traffic. (they won't do IPv6 either)

People who say that it should be required don't realize that many people don't have control of their setups. Further, I can't buy an account at godaddy or something. They don't do anonymous FTP and certainly don't want 40GB of ISOs, source and packages uploaded. I tried the dedicated server route, but few companies will install my operating system on the server. It's also an open source project. I've had a few hardware donations and sold a few t-shirts, but this is funded by myself and my wife.

It's reasonable to give a strike in spam assassin toward an email setup like this, but a flat out blacklisting is silly. I'm not even sure it's as effective. The assumption before is that spam came from dial-up, DSL and cable systems due to viruses and botnets. I don't think that's stopped, but many botnet's own servers now and send from systems with valid PTR records.

The best way to stop spam is to take down the botnets. Anything else is just a futile attempt to slow it down a little.

Re:Better Question...

E-mail from my domain through my e-mail server is rejected because the PTR does not match the A record

These servers are misconfigured, the requirement shold be that is there's a PTR and a corresponding A record pointing to the IP -- not that there's any correlation to HELO or sender domain. Any small business ISP that doesn't configure there addresses like that is totally fucking clueless too.

Email postmasters and hostmasters and _tell_ them to fix their shit. If the postmaster address is rejected, go list them on RFC ignorant. The end!

Re:Better Question...

[afidel]

Exactly, I've never in 18 years paid to have rDNS setup.

Re:Better Question...

[datavirtue]

Yes, and being a competent professional in the midst of this environment is very frustrating. When you are surrounded by meiocrity you begin to accept and rationalize the sorry state of these situations. Wishing you could be around people like yourself. Each IT shop has an average of one truly competent, knowledgeable, and interested person.

Re:Better Question...

[datavirtue]

Have you tried an open source host like Oregon State University?

Re:Better Question...

[smelch]

Maybe they will set their shit up properly if they have to.

Re:Better Question...

[mattventura]

Comcast does and I figure many other ISPs do it, especially since a lot of mail servers block mail from residential IP. If you run a mail server on a connection like that, a smarthost is a must.

Re:Better Question...

he gave an example of a broken setup that illustrates that the broken setup is the typical one and the working setup the atypical.

Re:Better Question...

[EdIII]

It's a great, effective idea.... if you used it properly.

As I am sure others have pointed out it is most effectively used, with as few false positives/negatives as possible, if only used in a scoring system.

If I get an email from you, the lack of a record adds about 20% I think to the SPAM threshold. If the rest of your email is fairly normal and contains nothing flagged from anything like Spamhaus, your email gets through without rejection.

Automatically rejecting the connection and giving a 5xx error when the records don't match can block legitimate email from people like you that don't have the ability to do so, or people that are so inept, they don't even know what you are talking about.

I learned that fairly quick, which is why I just add it to a scoring system now instead of outright blocking.

So the better question is how to use rDNS and PTR records properly in a mail server, not whether they should be used at all.

Re:Better Question...

[arth1]

I can think of a few:
E-mail alerts from embedded systems
Home e-mail servers where the provider won't let you have a static IP or fixed PTR
Servers on true IPv6, when the inside name isn't visible on the outside.

Re:Better Question...

[nabsltd]

The latter is (AFAIK) difficult because you can't do binary masks on decimal numbers in zone files, so if you have a zone that isn't a /24 (or /16), your ISP has to about the same amount of work as if they were doing it for you.

Recent BIND implementations support zone delegation for PTR records on classless routes (i.e., on any number of bits, not just on octet boundaries). Google for "DNS PTR delegation" for some references.

Re:Better Question...

An ISP that allows servers but doesn't provide rdns services?

Re:Better Question...

[geekmansworld]

I've never had any problem getting ISPs to set up PTR records for our static IP addresses on their networks. Checking for a PTR is definitely an essential part of my spam-fighting configuration.

Re:Better Question...

[lewiscr]

Correct, the PTR and A's need to be eventually consistent, but not initially consistent. If this is the case, they can't receive email from any Google Apps user.

$ dig -t mx mydomain.com
;; ANSWER SECTION:
storemadeeasy.com. 1800 IN MX 5 alt1.aspmx.l.google.com.
storemadeeasy.com. 1800 IN MX 5 alt2.aspmx.l.google.com.
storemadeeasy.com. 1800 IN MX 10 aspmx2.googlemail.com.
storemadeeasy.com. 1800 IN MX 10 aspmx3.googlemail.com.
storemadeeasy.com. 1800 IN MX 10 aspmx4.googlemail.com.
storemadeeasy.com. 1800 IN MX 10 aspmx5.googlemail.com.
storemadeeasy.com. 1800 IN MX 1 aspmx.l.google.com.

$ host aspmx.l.google.com
aspmx.l.google.com has address 74.125.127.27

$ host 74.125.127.27
27.127.125.74.in-addr.arpa domain name pointer pz-in-f27.1e100.net.

$ host pz-in-f27.1e100.net.
pz-in-f27.1e100.net has address 74.125.127.27

This is normal, even when you actually host the mail yourself and own the netblock. Most of my MX records point at a CNAME, and the PTR record resolves to the A record.

Re:Better Question...

[lewiscr]

If you can configure your mailhost to relay, we expect you to be able to configure your SPF record.

Re:Better Question...

[zorak_94945]

Just to be clear, you mean your ISP publishes a reverse DNS entry mapping 111.222.333.444 to 111.222.333.444.static.ISPDOMAIN.COM but lacks a forward A record resolving 111.222.333.444.static.ISPDOMAIN.COM to 111.222.333.444? (It shouldn't matter that 111.222.333.444 doesn't resolve to www.mycompany.com; anyone doing PTR/A matching should do a PTR lookup on the IP address first, then an A lookup on whatever the PTR lookup returned to make sure *those* match)

Re:Better Question...

Is useless, and in most countries, not cheap. (they can bill up to 3x (YMMV) when asking to enable RDNS).
There's better ways to fight spam, but RDNS is not one of them.

Re:Better Question...

[SmurfButcher+Bob]

Because they have several of them behind several NATs, with no clue as to which NAT they'll be using this instant?

Not all "SMTP Servers" are Exchange or Postfix... some are nice UPS boxes, others are embedded rack management cards...

Re:Better Question...

Seconded. I can confirm that I've seen a major ISP do this as well. I talked to one of them this morning, actually. My client (a municipality) is using the ISP's mailserver as a smarthost becuase the ISP is unwilling to provide a correct PTR.

Other servers were rejecting some mail because of the relay. Easily solved with Sender Policy Framework, right? When I called the ISP's networking suport to publish an appropriate SPF record in the DNS they control, the ISP nameserver support claimed they had never heard of SPF records. [headdesk]

Re:Better Question...

[tibit]

If you're happy with reverse DNS that looks like foo-123-54-32.bar.baz.net, and that has nothing to do with the domain the email purportedly comes from... That reverse DNS is of course pretty standard, but it doesn't solve the entire issue. There are mail hosts that will belch if the machine the SMTP connection comes from is not on the list of MXs for the sender's domain or if the MXs for the sender's domain aren't in sender's domain (sad but true). Thus putting foo-123-54-32.bar.baz.net as your MX may solve half the problem only -- there's a reverse DNS, but it's not what it "should" be. And if you cheat, and set say mail1.mydomain.net IN A 11.32.54.123, then of course rDNS doesn't point to your domain and that's it. Yes, there are asses out there that demand that if you send email, all of the infrastructure should be delegated to you and noone else. We decided they weren't an important enough customer and ignored them...

Re:Better Question...

[omnichad]

That's INCORRECT configuration. Postini users have completely different MX records than sending SMTP servers. Postini has a fairly large customer base. I'm not even sure if Gmail's sending IP's are in their MX.

Re:Better Question...

[e9th]

Most of my MX records point at a CNAME,

Doesn't that ever cause you problems? MX records must not point to a CNAME RR.

Re:Better Question...

It's unfortunate you've had that experience. I've personally _never_ encountered a server that required the PTR to match the A record, although statistically speaking it's likely that some server, somewhere, requires this -- given the very large number of SMTP servers out there.

It's conceivable that the server you were trying to communicate with was penalizing you for something else about the PTR, A record, IP address, or something else entirely. For example, the A record not resolving to your IP will often prevent mail delivery, as it should. The server could have been looking at the IP address in the PTR and taking that as evidence that your server was sketchy, without boosting the score based on the static portion of the name. Or the server might have been predisposed by reputation to suspect that portion of your ISP's network wasn't a very likely to host legit servers. Or perhaps the HELO/EHLO name your SMTP server was using didn't resolve to your IP address.

It's a little hard to understand what the problem was, because as written, "E-mail from my domain through my e-mail server is rejected," makes it sound like your own server is rejecting your own mail. Maybe you could clarify? If you could name names (ISP name, A record, PTR record, IP address, server's HELO/EHLO name) and identify more clearly where mail was originating, which servers were handling it, the ISP, and the text of any errors or rejection notices, it would be a lot easier to understand the problem.

In my experience, this kind of issue is primarily encountered by people relatively unfamiliar with SMTP trying to configure their own servers and not quite getting it right.

It's also worth noting that the networks over which you're sending your email can see and proxy your messages whether or not you're explicitly relaying through the provider's servers, someone else's servers, or your own -- but frankly, most don't care to the extent that you're not getting their IP space listed as a likely spam source on reputation management systems. As you're aware, if you have anything really private you should be encrypting it.

Re:Better Question...

What is the problem here? Aesthetics?

Just do it right and use:
IN MX 10 111.222.333.444.static.ISPDOMAIN.COM.

The name of your mx is what your ip resolves to.

Re:Better Question...

As others have noted, the test is the presence of a PTR for that IP, not that the PTR matches a domain name explicitly utilized by the server (HELO name, etc.). I've never encountered anyone testing for the latter. The server's HELO/EHLO name must also resolve to the server's IP, and the name returned by the PTR should itself resolve to the server's IP. None of this has any effect at all on hosting multiple domains on the same server. Furthermore, even the HELO name of the server is scarcely relevant to hosting multiple domains, so long as the name exists in the DNS and resolves to the server's IP.

The PTR is not used for spam filtering beyond noting that the absence of such is very good indication that a server should not be sending mail. Any legitimate hosting arrangement or ISP offering business services that tolerate SMTP servers will be able to accommodate a well formed PTR record.

Re:Better Question...

No, it should just be correct. It does NOT have to match EHLO or HELO, it does not even "should" match.

EHLO and HELO are for loop breaking. You may need to have more than one on the same MTA on multi-queue setups where the MTA sends email back to itself, probably through a content filter. All you can ask of EHLO and HELO is that they have a fqdn, it is not even a good idea to want that fqdn to *resolve* since it is often on private DNS space.

Re:Better Question...

Configure your mail server to ignore your own domain name and use the PTR name when greeting the other side. That worked fine for me a couple of years back. Setting your static IP in a SPF record for your domain probably will make every legitimate message you send through being accepted.

Re:Better Question...

[Cramer]

And their smarthost service is run about as poorly as their rDNS service. The key problems with this... it can introduce a great deal of delay (i.e. overloaded smarthost); your spam score will be at the mercy of everyone else using that relay; and when that relay gets blacklisted because of one of those other customers, you're instantly blacklisted as well.

Re:Better Question...

[tibit]

Yeah, but it can't be fixed on our end :(

Re:Better Question...

Put your server on AWS and you won't have that problem. If your ISP won't give you the service you desire, take your dollars elsewhere.

Re:Better Question...

[Compaqt]

The funny thing is, even $5 VPS boxes allow you to set rDNS, the way most VPS providers have them set up with a SolusVM web-based control panel. You can change the rDNS every minute if you want.

More expensive VPS's (like Rackspace) allow that, too, though apparently Amazon does not.

Re:Better Question...

[lewiscr]

You make a good point. Either my DNS admin/software have silently corrected my mistake, or I'm mis-remembering. I generally make every user-friendly DNS record a CNAME to a non-user-friendly A. It's possible that I've broadened that memory to include MX records. The brain is so fickle.

Regardless, most of my MX's IP's PTRs are not-equal to the original MX record. They do eventually resolved to an A and PTR that are consistent.

Re:Better Question...

You don't have to choose the record. The ISP just has to ensure that the PTR for an IP resolves to a name, and the A for that name resolves to the original IP. The name can be completely up to them and doesn't even need to reflect the domain for which you're sending mail. However it should avoid using a name that makes it appear to be a dynamic IP, which some receivers may penalize you for.

Sorry but your wrong. The PTR record MUST match the A record of the sending machine for an MTA to accept mail. Names don't match you get rejected. If you have an ISP that doesn't support PTR records then change ISPs. We set these up all the time for our customers and our mail servers do a reverse lookup and if you don't have a PTR record your mail gets rejected.

Re:Better Question...

You should make your SMTP server use EHLO with the real name, 111.222.333.444.static.ISPDOMAIN.COM ...

Re:Better Question...

[alfredos]

They chose to simply moderate +1 instead, while two suspected PTR-less postmaster wannabes moderated -1 Troll. Oh well, such are the Slashdot ways.

Re:Better Question...

Sue the ISP for not setting the PTR records. Its cheaper for them to do the right thing than fight lawsuits.

Re:Better Question...

[laffer1]

I have not looked into that. I do have mirrors for the FTP server (using rsync) at the ISC, etc.

Re:Better Question...

[laffer1]

Great, where is this $5 VPS service that can handle 50GB of data + the OS, allows me to install my own operating system, and has rdns? Did I mention I need a ridiculous amount of transfer. Most cheap VPS solutions are running on linux. They're not a full virtual machine so you can't run another OS on them. Hosting my BSD project on Linux is kind of messed up.

I have very odd hosting requirements. The only solution I could do is to colo a server somewhere. A cheap place is $50 per server. That's $100 a month. My cable package is around $75. I'd pay at least $50 for cable anyway.

Good idea, but too much trouble in the real world

We (~10K users, ~1.5M incoming emails a month) used to do this, but there was a constant stream of complaints from users due to email bouncing from organisations that refused to set up the records. It got worse every year too. So we gave up and went for a commercial software solution for a while, and eventually outsourced our mailfiltering completely to a hosted solution. I would NEVER do filtering in-house again, unless for a very small number of technically literate users.

Bob.

Spammers can choose to use reverse DNS

Spammers can choose to use reverse DNS, many of the people you really want email from can't. All reverse DNS does is create more frustration for legitimate users.

Re:Spammers can choose to use reverse DNS

[omnichad]

They can only use reverse DNS for IP's they own if they're using their own mail servers.

Link fixed...

Reverse DNS record

Indicative only

[Some+Bitch]

As with most spam fighting metrics it's up to you. Mail from a server without reverse DNS that doesn't trigger any of your other flags generally shouldn't be treated as spam if you care about false positives, if it's borderline then maybe the lack of reverse DNS will be enough to justify tagging it as spam. The decision of how heavily to weight the lack of reverse DNS is yours, personally I don't give it much weight but it does add a little to the score. Some people go hardcore and reject anything that doesn't have come from a machine with reverse DNS, they accept the significant false positive rate usually for idealogical reasons (while I like a properly configured system I'm not going to bite my nose off to spite my face).

Useless

Since an ip can map to multiple domains

Re:Useless

I'd like to officially nominate this for the dumbest Slashdot comment of the day. I know it's a very tough competition, but the perfect combination of arrogance and absolute cluelessness while using only a few simple words really showed that this particular AC has truly risen above the rest of the field.

MULTIPLE SCORING

[buanzo]

Use multiple checks. Use scoring, and a threshold. voila.

It is just a part

[51M02]

I've set up a few mail relay and spam filtering server and I can tell you it helps a lot to reduce the number of spam arriving to them.

I am a Postfix kind of admin (hell with sendmail!) and I know you can set some filter just before the reverse DNS check to accept the connection if it comes from a particular host/IP address, bypassing the reverse DNS check. Or you could add that reverse DNS to your local/client DNS server but it seems not that a good solution.

Anyway following standards is always the best solution.

Useful

[discordia666]

If your email server does not have rDNS records then it's very likely half your mail is not getting delivered. aol.com, gmail, hotmail, etc all require rDNS.

Blocking on invalid rDNS, invalid or missing A records and not following proper smtp protocol is helpful on a email gateway. However, if you are a relay for clients you'll have problems.

Re:Useful

And nearly all SMTP servers are in fact relays for clients. So there's the rub: if your server includes the client IP in the received from path, rDNS will screw you if it is a pure binary decision. If it's part of a bayesian filter, on the other hand, it will only hurt you if you are sending out relatively spammy email.

Re:Useful

[greed]

That's easy to deal with in Postfix. Just do 'permit_sasl_authenticated' before any of the rejection rules, like 'reject_invalid_helo_hostname' or 'reject_unknown_reverse_client_hostname'.

That way, anyone who can do an authenticated SMTP session doesn't need to have rDNS or anything else set right. But MTAs, which don't use authentication, will be held to a higher standard.

I don't even bother requiring authentication on the submission port; if you meet the requirements to send through port 25, you can do it on submission as well. And vice-versa; if you can do an AUTH session on port 25, you can relay and don't have to have rDNS and so on.

(Postfix given as an example 'cause it's what I use; I would expect any decent SMTP server can do the same sort of things. If not, here's $0.00 and you can get your own copy of Postfix.)

Reverse DNS not always possible to setup

Unless you are one of the lucky few who have a full class address space, you are stuck with the will of the ISP to either setup reverse entries for you or to delegate resolution to you. Alphatel has it right. Use it if you choose, and grade along with other tests.

Just deny DSL / Cable IPs

[GPLHost-Thomas]

Denying all wrong rDNS is a bit harsh, however, denying what's a DSL and the rDNS declaring as such is a good idea. I've yet found very very few cases where it was an issue. For such case, just white-list the entry your customer is complaining about. Here's how to do with postfix:

smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
check_client_access regexp:/etc/postfix/maps/relaying_stoplist,
permit

And here's the content of my /etc/postfix/maps/relaying_stoplist

/^dsl.*\..*/i 553 AUTO_DSL We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server. -dsl-
#/.*\.dsl\..*/i 553 AUTO_DSL2 We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
/[a|x]dsl.*\..*\..*/i 553 AUTO_[A|X]DSL We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
#/client.*\..*\..*/i 553 AUTO_CLIENT We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
/cable.*\..*\..*/i 553 AUTO_CABLE We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
#/pool\..*/i 553 AUTO_POOL We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
/.*dial(\.|-).*\..*\..*/i 553 AUTO_DIAL We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
/ppp.*\..*/i 553 AUTO_PPP We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
/dslam.*\..*\..*/i 553 AUTO_DSLAM We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
/dslb.*\..*\..*/i 553 AUTO_DSLB We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
/dynamicIP.*\..*\..*/i 553 AUTO_ABO We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
#/dynamic.*\..*\..*/i 553 AUTO_ABO We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
#/staticIP.*\..*\..*/i 553 AUTO_ABO We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
#/dip.*\..*\..*/i 553 AUTO_ABO We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
/fbx.*\..*\..*/i 553 AUTO_fbx We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
/abo.*\..*\..*/i 553 AUTO_ABO We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
/socal.res.*\..*\..*/i 553 AUTO_REV We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.
/.dhcp.*\..*\..*/i 553 AUTO_dhcp We aren't accept direct connection not from dedicated SMTP servers. Please use your internet provider SMTP Server.

Re:Just deny DSL / Cable IPs

Your messsages aren't English. Change "aren't" to "don't", "connection" to "connections", and "provider" to "provider's".

Re:Just deny DSL / Cable IPs

[amicusNYCL]

Human-readable error messages may also be a good idea. Surely you can do better than "We aren't accept direct connection not from dedicated SMTP servers."

Re:Just deny DSL / Cable IPs

[Infiniti2000]

All your DNS are belong to us.

Re:Just deny DSL / Cable IPs

[rickb928]

Magnificent. Seriously, giving back retarded English is a stoke of genius, and I'm not being sarcastic. Real admins will chuckle, jerks and asshats will flame you (and now you know to add them to your deny), and machines aren't reading it anyways, you had them at 553.

I think there's a recipe out there to automate dropping the connections after a set number of tries and rejects. For my denies, I just ignore the connection and let them timeout. This seems to trigger a lot of spammers to stop wasting time connecting since it hangs them a lot longer than an error response, and maybe sometimes looks like my server is hosed, so they write me off as gone.

Rreally, I love it. Haiku would be overkill. Maybe you should have used 'form' instead to complete the effect.

Re:Just deny DSL / Cable IPs

[hazah]

WTF mate?

Re:Just deny DSL / Cable IPs

[nedlohs]

So I shouldn't have used the strabo.mydomain.com as the outgoing SMTP server. And pytheas.mydomain.com was available too, god damn it!
 

Re:Just deny DSL / Cable IPs

[tibit]

I think he should provide a link to your post in the reply!

Re:Just deny DSL / Cable IPs

[laffer1]

You're part of the problem. Not EVERY CABLE MODEM IS AN END USER.

I have a business class cable package. My employer also does. DHCP is one thing, but static blocks should be excluded from your list. You can get 3 cable packages for the cost of a T1 here. It's insane to buy a T1 to host a website.

This is an attempt to make the internet smaller and get rid of the little guys.

Re:Just deny DSL / Cable IPs

[PIBM]

And what`s the name obtained from your ip ? I have such a package too at home, and they use a quite distinctive name for their business accounts in order to be able to easily identify them from the regulars account. I'm pretty sure you could easily get that fixed with your provider if you ask.

Anyway, the best thing is to simply increment the spam rating of the message in all of those cases.

Re:Just deny DSL / Cable IPs

[erroneus]

Well, I run from cable, but I have a business account. My rDNS shows my IP is my domain and not any one of the expressions listed above. I guess that's a kind of good start. But since my IP address is still considered "client" I can't really expect my mail to be delivered to most and I have to relay through the ISP still.

I think in the end, spam begins with people who don't care about other people. They don't care about being annoying or even about causing problems or trouble for other people. I think the hard core spammers should be killed. Not imprisoned. Not fined. Killed. They are the worst kinds of people. They don't care about other people or the harm they cause. They are victimizers and they are heartless. If you disagree with me, tell me why they should be allowed to live on the same planet as you?

I know this seems extreme.... okay, it is extreme. But think on what kind of person it takes to do what spammers do. They are literally the worst kind of people. There are lots of people who are this "worst kind" so don't think I mean that only spammers should die. Pretty much anyone who thinks the way they do should die.... and if not death, then perhaps life-time probation with no access to computers or the internet.

Re:Just deny DSL / Cable IPs

[GPLHost-Thomas]

If you are connected through an ISP providing you an IP which is obviously dynamic, if you can't customize the rDNS, and at the same time, and if you aren't using a relay server to send your emails, then you aren't sending emails properly. If you are under such restrictions, in exactly which situation do you reasonably want my servers to believe you are in the need to send emails directly? 99.999% of the times, you are a botnet sending me spams. If you are a company, then you have enough to pay yourself a hosted relay with a fixed IP address and rDNS. Please... don't tell me you are one of these guys who did the setup of an Exchange server behind a poor ADSL line, for an entire company (what an horrible setup)... Or that you are just a geek setting-up your home-brew $unix server behind your ISP connection, using your mum's electricity (hint: you can get a hosted domain name and a VPS for few bucks a year... a way less considering that your old crappy server consume electricity). FYI: how to setup a postfix so that it uses a relay for the outside world:

# Relay through example.com
relayhost = mx.example.com
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpw

Then saslpw just contains:
mx.example.com exampleusername@example.com:password

Depends on how badly you want mail....

[Above]

It is possible to configure your mailer to require all sorts of things, like rDNS. If you configure all of them you will get almost no spam, but you'll also not get 50% of your legitimate e-mail. Perhaps that's ok with you, you're willing to only talk to the "clueful".

Most people though want to get mail. The old Internet axiom "Be conservative with what you send, be liberal with what you accept" applies. WIth spam fighting this generally means use every mechanism at your disposal (including rDNS existence, or matching with forward DNS); but use it only to affect the score of a message. That way the guy who doesn't have rDNS right, but does everything else right will still get through.

Re:Depends on how badly you want mail....

Most shared web hosting sites will not have a reverse entry for Email. The hosting provider hosts multiple sites from one or a small number of real IP addresses. The forward works for getting Email to a destination. A reverse DNS entry, however, will point to the web hosting provider and not match the FQDN provided for a forward DNS lookup. This is a very common scenario.

Re:Depends on how badly you want mail....

[Just+Some+Guy]

It's been a long time since I wrote up some spam-filtering instructions, but I'd still stand by most of my recommendations. In general, yes: just increase the spam score. I do have several litmus tests, though. If you fail one of these, I'm not accepting your mail:

• Your HELO has to send something that actually looks like a hostname. "server" doesn't work, and neither does "5626^^^". Rationale: a server this badly misconfigured is either a spambot or so horribly broken that I don't want to talk to it. I look at the output of this rule from my logs and I've literally never seen anything blocked that looked like it might have been legitimate.
• Don't send me my own hostname in the HELO. You're lying. The only reason to do this is to trick me into relaying for you.
• Don't send mail From: an unresolvable address. "someone@server" isn't a legitimate email address. Neither is "joe@nonexistent.example.com". If it would be impossible to send you a reply because the address you've given can't possibly be valid, I don't need to hear from you.
• I use zen.spamhaus.org, bl.spamcop.net, and b.barracudacentral.org to generate a likely spam score for incoming servers. If their combined score exceeds a certain threshold, I outright block email from that server. A server might accidentally end up on a blacklist, but it's unlikely that one would accidentally end up on more than one of those (in my opinion and experience) very conservative lists.

"Be liberal with what you accept" is a great idea to a point, but there are some things that correlate very strongly with spamminess. Back to the subject at hand: I don't think that lack of reverse DNS is one of those things.

Re:Depends on how badly you want mail....

"Don't send mail From: an unresolvable address"

Understandable, but that one is going to make you lose some mail you might want from automated systems.

Re:Depends on how badly you want mail....

[Just+Some+Guy]

I don't think so. It allows fake addresses like "no-reply@example.com" through. But in my opinion, senders like "somebot@foo" are a certain sign of spamminess. Like with watching the HELO failure logs, I never saw anything remotely legitimate looking get blocked.

Re:Depends on how badly you want mail....

[mea_culpa]

Also if your server is capable and the load allows for it, delaying the SMTP greeting for 15-20 seconds can remove a huge slice of the spam pie even before doing any other checks. The SMTP RFC says servers should be configured to wait up to 5 minutes for this greeting.
Things that usually happen during the delay:
Spam bot tries to talk to your server before it actually receives a greeting. Reject and blacklist this IP. MTA's that do this do not belong on the internet.
Spam bot doesn't want to wait for the greeting and gives up. Good.
Misconfigured legitmate mail server doesn't want to wait. Add these (there will be very few) to your whitelist.
Legitimate properly configured server waits the delay and delivers its mail.
You can also add servers that you trust to your whitelist so they can avoid this somewhat costly delay.

The rare legitimate mail that gets rejected by this method is returned as undeliverable as it never made a sucessful connection in the first place. Sender will know that their message did not reach their recipeint.

Re:Depends on how badly you want mail....

[Just+Some+Guy]

Excellent point, and if I ever update that howto (it's in my GTD list - honest!), I'll recommend it highly. If you're using Postfix, check out its new postscreen server. It's so good that I dropped greylisting altogether.

From the other side

[snsh]

In an organization operating a mailserver without a PTR record for their SMTP, the users should be having so much difficulty sending outbound mail that they know something is wrong. I know this from experience, having set up an SMTP without reverse DNS, and then observing that half my test messages bounced back.

Re:From the other side

[Muerte2]

Agreed! Lots of servers on the net will require this, so the sending server will have a hard time getting mail to ANYWHERE.

Yes.....and no.

I run a pretty decent volume mail platform (80k mailboxes, 2.5M attempted messages/day) and when I first inherited it we required reverse DNS records. It seemed great, it demonstrably cut spam volume, and it really screwed a lot of our customers on a semi-regular basis. Unfortunately lots of legitimate mail senders simply don't have access to proper reverse dns, maybe because their ISP won't delegate or maybe because they're barely technically literate and too small to hire a competent consultant.

Bottom line I found was there are better ways to get the same results without having all the collateral damage. For a personal mail server I might still have the requirement, but the instant people are depending on my platform for their email I'm going to go with the stuff that doesn't have such strong downsides.

rDNS bad

[JeffSh]

Many email servers do not have rDNS, therefore it is not advisable to filter based on a lack of rDNS alone.

It can be argued that it should have an rDNS, but if they don't, you have no control over that since it's their system. Then you'll be spending way too much of your time tweaking spam filters and creating white lists, contacting the sending company's administrators...

It's just a bad idea, don't do it.

That said, I prefer SaaS email spam filtering like Symantec's Messagelabs. (Disclosure, I am an ML partner)). I like this service because I don't have to worry about managing it. It saves me a lot of time.

Its useless if nobody uses it

[suso]

A bit over a year ago, I performed a reverse dns scan of the entire internet. It took around 4 months and amounted to about 62GB of data which I haven't sorted through just yet, but I'd guess based on what I've seen so far that only 20-30% of the utilized Internet has reverse DNS entries. This is kinda what I suspected all along, but I now have data to back that up. How can anything properly use reverse DNS with that low of an adoption rate. Its sad because so many more services could be offered if it was properly adopted.

Re:Its useless if nobody uses it

[pe1chl]

Probably the number of addresses in the utilized Internet that are intended to send mail is much lower than that 20-30%.

So it could still be a good method.

Re:Good idea, but too much trouble in the real wor

[Lumpy]

You got it. Today, unless you have a dedicated Email server guy it's retarded to run an Exchange server in house. Outside companies do it better and when the Company Fiber goes down YET AGAIN (Thanks AT&T) you dont lose 24 hours of emails, we actually lost 72 hours worth as AT&T decided that working over the weekend was not important.

No

[TheCarp]

You know....I hate spam. It made usenet useless for years, it continues to degrade the usefulness of email, spamers steal resources and are underhanded dickwads.

All that said, some of the anti-spam people are ridiculous zealots who don't care who gets caught in the crossfire.

I have a server in colo. Its my mail server, but it also does a number of other things. Until recently, it ran a tor node. Why? Because i had sooo much more allocated bandwidth than I was using on a monthly basis that it cost me nothing extra to run. Ran it for at least 6 years on the same node.

Its now shut off, why? Because some idiots at Spamhaus decided that running a tor server was suspect. Never mind that it was disallowed from exiting on port 25, which is publically posted info in its service descriptor....no... Of course, I think they are also fooled by the fact that several windows users have shell accounts and use it as a web proxy.... so somehow my box also was infected with a Windows trojan according to these geniuses.

We got it cleared up, but still are not able to donate excess bandwidth allowance to the tor network.... which is bad enough, but this isn't the first time I have had my server blacklisted for no good reason at all. I don't even remember what BS it was last time, just that it was... BS.

Now will this kill me? No.... I have reverse DNS setup and have for years but...come on.... seriously? Bouncing mail sucks, especially when you suddenly start doing it to whole domains.

If it were just me, my opinion is that anyone using one of these RBLs has a misconfigured mail server, I wouldn't have "fixed it".... but I host other peoeple's email domains, so the black ball tactics worked.

Re:No

[omnichad]

Second IP address too expensive? Just curious.

Re:No

[sjames]

How would a second IP help? Spamhaus likes to carpet bomb whole subnets.

Re:No

Letting infected users use your box as a proxy is no better than getting infected yourself.

Re:No

[jittles]

Wish I had mod points for you. I agree with you wholeheartedly.

Re:No

Do you know for a fact that your tor node wasn't abused for spam (which isn't necessarily email (port 25) but can be any form of spam) or other nefarious actions?

Re:No

So maybe it wasn't your machine that was the problem.

Or are you suggesting that your tor node caused problems for everyone else on that subnet?

Re:No

[sjames]

I couldn't say, I'm not the OP.

As a neutral 3rd party, I wouldn't blame the tor node here if someone else goes off half cocked and tries to nuke the site from orbit.

Re:No

[TheCarp]

I guess I can't be 100% sure of that but, I, personally recieve every email (all 0 of them) that come to abuse@ for my domain.

If a real incident happened, nobody bothered to tell us about it, or accuse us of it.

I wouldn't have a problem if they contacted us to talk about it, said "hey we have some concerns" or "hey this happened".

Instead we found out when users started complaining of mail not arriving...and that is just not cool.

I mean, if there is an active situation, its understandable to shoot first and ask questions later but, without so much as an accusation? Not even an attempt to "ask questions later"? Just "lets see if they find out they are blocked now and complain"?

If you can't afford to do it right, you can't afford to do it period.

Re:No

Did you check with your hosting ISP, to see if they got complaints on their abuse mailbox?
If it would SEEM that you were the spammer, complaints would go to them, not to you.

Re:No

[Whaledad]

Check with the hosting ISP and see if they received complaints at their abuse address. If it SEEMED like you were spamming, the complaints would go to your ISP.

Re:No

[TheCarp]

Hmmm actually.... the hosting ISP changed recently and....long story short, now that you mention it.. if anything went to our "hosting ISP", he may have seen them and I did not, I will check back with him and see if maybe there is part of the story that I missed.

Also, as I was discussing this in another thread...one issue seems to be that they don't keep information around after an incident. I can find no record of our block, why it happened etc, and it was all gone before I got back from vacation. I have a URL, but, when I go to it it just says that this block doesn't exist anymore.

Re:No

[omnichad]

Well, they might not kill the whole subnet. I'll admit they're only one ethical step above the mafia, though.

Re:No

[cstdenis]

While not as good as an exit node, you could run a non-exit node and still be able to make some useful contribution to the Tor network.

Re:No

[sjames]

Considering that TFA is about Spamhaus taking out a provider's provider's entire IP allocation because they "only" blocked all IPs actually alleged to have sent spam, I'm guessing they would happily carpet bomb the entire subnet.

Re:No

[sjames]

My bad, that's T other FA today about Spamhaus.

Re:No

[TheCarp]

Thats a good point. I may do that but one of the problems is that (as said in other posts, some in other threads) that part of the issue is a lack of ability to get info later. I don't see anything that says they block tor nodes, but I am told that was part of the issue.

SO.... being unable to find information on a "removed block", leaves me wary of turning it back on and then finding out that they have done it again.

In any case, I have another node running, on a different server, so I am still helping out.

Re:No

[Cramer]

Actually, Spamhaus lists a great many /32's. If they've listed your entire netblock / subnet, you've done *something* to earn it. (what that might be is known only to them. and they aren't sayin')

And to be fair, tor is just too easy to abuse. That said, you shouldn't be running a tor exit node on your mail server.

Re:No

[Cramer]

It's their policy to not deal with "spammers". If you've been listed, you are a spammer, and they will not talk to you. Your ISP will have to talk to them. They usually will not tell anyone what got you listed to start with -- if you are a spammer, that information is gold for evading detection in the future. Having dealt with the several times (as the ISP), they're actually good guys. (there are infintely worse anti-spam nuts out there.)

Re:No

[sjames]

Apparently, knowing someone who knows someone who might have spammed is enough. I figure it's only a matter of time for Kevin Bacon.

I am not the OP, and I'm not listed at all, nor have I run a tor exit node on a mail server, but OP indicated that the tor node had port 25 blocked and that he was running it as a public service since he had bandwidth he wasn't using. That doesn't strike me as something worthy of punishment.

Re:No

[Cramer]

Everyone knows Kevin Bacon isn't spam -- he's Bacon after all. :-)

Just because the OP blocked port 25 on his node, doesn't mean it's blocked everywhere. Listing every known exit node may be a little extreme, but it's a fairly safe move. A tor exit node should not be sending email. How does a random server on the internet know it's a real mail server and not tor originating the connection? I say again, if you are crazy enough to run tor on your mail server, you should be prepared for the fallout. (there are more than a few systems that will not accept any connection from a known exit node. mail, web, any connection.) Or put another way, don't come crying to me when your mail server ends up listed in hundreds of blocklists because it's also a tor exit node; the lists block all tor exit nodes, and I'm not making an exception for anyone.

Re:No

Details, give us details. IP address, Spamhaus webpage? My Tor node has never been in any RBL. Perhaps I'm just lucky. You had infected users behind your box? Well, why would anyone want to block that? Oh yes, everyone probably would. "no good reason at all"? Seems you gave us the good reason.

I've a question, I run a free picture upload site. Seems there have been thousands of child pr0n pictures uploaded and my host shut me down. How can they do this, I had several cute pictures of my kitty-cat there. They gave no good reason at all (other than something about hosting child pr0n). Unfair.

e-mail server

[StripedCow]

Being fed up with postfix and exim, I recently wrote a simple e-mail server using python. I followed the RFC standard as well as I could, but to my surprise, I noticed there are numerous special undocumented tricks one needs to know to get mail through to the recipient in a reliable way (whitelists, blacklists, reverse dns, etc). I am wondering if anybody here knows if there is a place on the net where such tricks are documented.

PS: IANAS (I am not a spammer, honestly)

Re:e-mail server

[Megane]

On the matter of "undocumented tricks", I had a problem last year that was preventing me from getting inbound e-mail (the spammers had no problem, of course) because of DNS server configuration. When you register a domain, you have to provide two or more authoritative server addresses for the registrar database. These addresses also require a domain name for no good reason I can see other than for documentation purposes. (How are you supposed to look up ns1.example.com via DNS when you still need the IP address of its authoritative server? That's why the IP address is in that database.).

It so happens that some DNS servers will reject your authoritative server if the server domain name from the registrar database is not in your zone file. In other words, when looking up, say, www.example.com, after getting the DNS server IP address of ns1.example.com from the registrar database, they then take the server name from the registrar database (ns1.example.com) and fail if that doesn't resolve. To make things more fun, add in anycast DNS, where some of the servers do this, and some don't (or maybe there are delays between the initial lookup and server name lookup), and you have no idea which one you got for any given lookup. The result is that if you repeatedly look up your domain name on (say) AT&T's anycast DNS servers, sometimes you'll get your IP address, and sometimes you won't. Google's DNS works fine all the time, but you can't require the rest of the world to use that. And some mail servers will queue your mail for 24 hours (!) if the DNS lookup fails.

tl;dr: the registrar database domain names of your DNS servers should be in your zone files, or else

Re:e-mail server

[RajivSLK]

Yahoo Postmaster has a pretty useful help page. If you do everything listed here you should be in good shape: http://help.yahoo.com/l/us/yahoo/mail/postmaster/basics/postmaster-15.html

Re:e-mail server

[Cramer]

Yes. [See also: every large ISP] AOL has their own dumbass rules, as do far too many other ISPs. The real problem, as you've seen is the entire undocumented nature of one's arbitrary rules.

Only 1 worthy contender

[rwa2]

Just whitelist any email that has a verified digital signature. Everything else you can't trust.

Good luck getting anyone to actually set up and use digital signatures/encryption, though :-P But if you make it a matter of policy and give them the tools to use it, there's no better way.

Re:Only 1 worthy contender

[Cramer]

Right. That stops all the DKIM signed spam coming from Yahoo! Oh, wait, it doesn't; in fact, it would allow all of it through.

Re:Only 1 worthy contender

[tepples]

What digital signature methods do you support? Is it just S/MIME? OpenPGP? OpenPGP where the sender has to have attended key signing parties in multiple countries?

Reverse DNS is useless

[dbialac]

As somebody who used to work in the email industry, I can assure you that rejecting based on the presence of RDNS is useless against entities that run their own infrastructure. Everybody working legitimately ('opt-in', though I refer to it as 'suckered in' because the person didn't read the privacy policy that said people who filled out the form were going to get emailed and their info sold/traded) in the email industry creates RDNS as a part of their SOP. When I worked in it, we never sent out email without first verifying that reverse DNS was set up and set up properly. Granted, you'll still likely catch spam from botnets.

Re:Reverse DNS is useless

[Glendale2x]

I think you're missing the point. Configuring DNS means that someone with clue set out to create a mail server and intends for it to be such rather than just slapping something together without any clue. Whether or not that mail server is sending anything desirable is not related.

Re:Reverse DNS is useless

[Cramer]

Half right... it means someone with a clue found someone with a clue at their ISP. The ISP half of that clue sandwich is a rare thing these days.

spamsolutions.txt

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(X) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
(X) Susceptibility of protocols other than SMTP to attack
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(X) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

The world of senders is not black and white

[rayd75]

Remember that not every non-spam email originates from a perfectly-configured self-hosted SMTP server. Many organizations outsource their email, spam filtering, compliance filtering, notice / statement delivery, etc. While it's easy to posit that the IT departments in such organizations have a duty to maintain reverse DNS records for all their partners' servers, don't fall into the trap of thinking that every organization has a fully-staffed, knowledgeable IT department... or an IT department at all.

Re:The world of senders is not black and white

...then they shouldn't be running a public mail server. If you don't have knowledgeable resources to manage these systems, you don't belong putting them on the Internet where they are used to attack the rest of us.

Should be a factor, but not a red flag

[jht]

Having a reverse DNS is a good practice, and anyone with a mail server should be doing it. That said, a lot of small businesses don't have reverse DNS set up, don't know what you mean when you tell them to do it, or have ISPs that are a pain to deal with. I'd mark up the spam score on a message without reverse DNS on the sending server (and I do on my own server) but I wouldn't block it entirely unless it sets off a lot more flags than just that one.

I use Kerio Connect on my server - I add 2 points for lack of reverse DNS. 3.5 points drops you into the junk folder, 5 blocks you completely. Doing that I get pretty much no false blocks, a false positive every few days, and about 3-5 spams that make it to the junk folder per day. I block a few hundred.

let me help

[karmaflux]

Your post advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:let me help

[stillnotelf]

This checklist is longer than when I last saw it. Is there a centrally-managed spot for the meme?

A warning

[djp928]

The windows admin where I work hates reverse DNS. He thinks it's stupid and refuses to keep it updated. So... if there are more people like him out there, you might have issues getting email from them.

Re:A warning

[RedACE7500]

Hope he likes updating his resume.

Re:A warning

[xeno314]

Out of all people, why would a Windows person mind? Hell, Microsoft made the DNS MMC snap-in idiot-proof when it comes to reverse DNS -- it will ask to create the PTRs for you! Perhaps your DNS isn't on Windows, but still...there are plenty of UIs for DNS control that handle reverse DNS automatically.

Re:A warning

[djp928]

Lucky for him, Windows will keep reverse DNS reasonably well maintained (provided you're using a Windows DNS server) until you decommission a host and reuse a host name or IP address. Then it seems to have huge issues getting things cleaned up. I haven't any idea why because I try to stay away from it.

Re:A warning

[djp928]

Yeah, it creates them just fine. It just doesn't seem to ever want to keep that info up to date if you change hostnames or reuse IP addresses. Like I said in another reply, I'm not a Windows guy, so I haven't any clue why it doesn't seem to like to clean up after itself. It works great as long as you never delete a host and try to reuse its IP or hostname, then it has issues.

Re:A warning

[omnichad]

Hates what about it? That almost doesn't even make sense.

Re:A warning

[djp928]

He hates that some apps/protocols use it as a security measure, by doing a reverse lookup on the IP they were just given and trying to match that to the host name they were given. That means he has to pay attention to whether or not Windows is maintaining that info correctly, and as I've said in other replies, it often doesn't if you've ever reused an IP or hostname.

Re:A warning

[thejynxed]

It's a simple issue of the admin being lazy: They have to re-run the process from the MMC panel to simply create an updated PTR. This requires a few mouseclicks, so it's understandable how it might just be too much effort for someone used to munching on Cheetos and Mt Dew.

The aforementioned Windows guy who hates it, is probably doing something dumb, like attempting to manually edit the PTR records instead of allowing the built-in tools do it for him.

Re:Good idea, but too much trouble in the real wor

[RedACE7500]

For short term outages, sending servers will queue messages and try again later. You can avoid long term outages like this one by having redundant Internet connections from different providers.

Re:Good idea, but too much trouble in the real wor

[chill]

Uhh...not to nitpick, but that is what backup MX servers are for. When your primary server is not available, mail is delivered to one of the others. If your e-mail is that critical then you need to have a store-and-forward server somewhere else, just in case your link goes down.

There are lots of services that provide this, if you don't want to do it yourself. But setting up a simple store-and-forward server isn't all that complicated and doesn't need a full Exchange deployment.

In theory, yes. In practice, no.

[apparently]

Reverse DNS makes absolute sense as a means to counter spam, but the reality I've experienced is that there are too many IT admins that don't even know what a PTR record is, and since they don't experience an issue with all of their mail recipients, they assume it's an unnecessary step, even when you try to explain that it with a sock puppet show.

useless, possibly harmful.

[sander]

The requirement for reverse dns is in hindsight a part of the "security theater" where various claims are made, and remedies suggested against perceived ills. The suggestion for reverse DNS comes solidly from the era of TCP wrappers, another supposed saviour of ill maintained systems from outside evils.

In reality, there is no actual increase of security from checking if some address has reverse dns as for ages most of the dial up and broadband lines all have reverse dns. Also, as reverse dns zones are by and large often unmaintained, esp. when it comes to removing entries, you neither can rely on the data returned, nor assign any significance to what is returned.

Re:useless, possibly harmful.

[omnichad]

Checking for a matching reverse DNS that matches a forward DNS. Not all reverse DNS resolves forward. Apparently my ISP does that. Stupid ISP. Of course it's a consumer ISP and they block port 25 inbound AND outbound. That's right, they don't even want me RECEIVING spam for myself.

Re:Good idea, but too much trouble in the real wor

[Lumpy]

Sounds like a plan, care to explain that to the CTO? I tried several times and was told that it is a "zero payback expense"

It is possible in all the situations that matter.

[pavon]

Unless you are one of the lucky few who have a full class address space, you are stuck with the will of the ISP to either setup reverse entries for you or to delegate resolution to you. Alphatel has it right. Use it if you choose, and grade along with other tests.

Any ISP will setup rDNS entries if you have a business account. The only time this is an issue is if you are trying to run a server from a home account. Most of the ISPs I have used or looked into prohibited running servers with a consumer account. Those that didn't were also happy to provide a rDNS entry if you paid for a static IP.

Trying to run a server when your ISP is opposed to you doing so is inherently problematic, rDNS just being one of your many concerns. It is fine for experimenting and learning, but not for servers that do anything important. The only excuse for a business or government agency not having a rDNS entry is incompetence.

The real question is how tolerant should you be of the incompetent, and from a business point of view the unfortunate answer is "very tolerant".

Yes; no; yes.

[osu-neko]

Yes, reverse DNS records should be standard. No, they should not be required. Yes, they are useless as a toll for fighting spam.

Re:Good idea, but too much trouble in the real wor

[operagost]

Besides, since when did every MTA stop following the SMTP RFC that says you MUST not discard the message until delivery has failed for over 72 hours? Even if your server was down over a weekend, you should still have 24 hours to get it back up without losing any mail.

The real problem

[pyrr]

The real problem is that while this would really help fight spam, there's collateral damage. Just like the judicial systems in civilized countries tend to operate on the principle that it's better to set 100 guilty people free rather than imprison 1 innocent person, most people who receive email would rather receive and delete 100 spam messages than miss one legit email inquiry from a potential customer or long-lost friend.

Sender Policy Framework seems even better than simple reverse DNS in theory, but it doesn't seem to get much traction because it causes more serious problems than spam in general causes. Until a critical mass of sysadmins basically tell the domain owners who are too stupid or lazy to add the appropriate DNS records to fuck off, lazy and stupid sysadmins will continue to not add those records. But until then, customers will cry and rebel if any of the good sysadmins who host them try to apply a passive spam filter that relies on such records. That's just how it goes, it's a Catch-22 which is preventing widespread adoption. The only potential solution would be to stage an SPF or rDNS record adoption day, get some big names on board, and hope for the best.

Definitely necessary

[Danzigism]

This is simple stuff here. Firstly, it verifies ownership of the domain. I will never accept email from a host that does not resolve. Doing so will of course allow a ridiculous amount of spam from infected computers around the globe from regular IP addresses. The email address needs to match the host in which it is sending from as well. It requires hardly *any* work. Why are we even talking about this?

HELO, ELO, wants the hostname as well. Are we expecting millions of mail servers to simple change the way they're doing things? More importantly, if spam is a problem for you, I've had great luck with filtering services such as Postini and SpamSoap. Both excellent providers and have better resources than anything you can whip together on your little email server. It costs pennies as well.

rDNS not working

From my experience and that of our other sysadmins here, rDNS never works and you'd constantly have users come and complain that they are missing a large amount of their incoming emails. The best defenses against spam are keeping your primary email as private as possible, using a good statistical spam filter, and ideally mail encryption since that makes filters more easily recognize spam since it'll stand out against the noise of legitimate emails. Also, in terms email clients the only one we specifically recommend is Thunderbird, even in combination with gmail (except for tagging they integrate very well now).

Get another one, then.

[khasim]

If email is important to your organization then the cost of a correctly configured mail server is insignificant.

Seriously, your email server can be anywhere in the world. There's no reason that you have to go through a specific ISP. Even if they're blocking port 25, you can get a different ISP to accept mail from you on a different port. Even Google offers that option.

Re:Get another one, then.

[arkane1234]

Have you worked at a small business before?
I've been in that boat, and you have dual T1 running into the site. The CIO wants you to migrate to a self hosted SMTP server.

What, do you tell him/her that it's not possible because of the provider? You'd be laughed out of a job, quickly. After all, rDNS is about as useful deterent as looking out for thieves by finding those that aren't wearing polo shirts walking into a store.

Re:Get another one, then.

[SmurfButcher+Bob]

> If email is important to your organization then the cost of a correctly configured mail server is insignificant.
> Seriously, your email server can be anywhere in the world.

Yes, for example it may be located in the hotel room with the rest of the staff, as you work on borrowed laptops while watching your building burn down across the street.

Seriously, disasters happen, and sometimes they might exceed what you planned for. Your email server can NEED to be anywhere in the world. Stop being so myopic.

rdns is not a good solution

[wysiwig3]

I've had this same fight with multiple vendors and organizations over the years. Like many others, rDNS should be implement properly. It's just the way to keep a clean house. However, the RFC doesn't require rDNS validation checking, and do to so break mail delivery for many, many legitimate services. Spammers will (actually, have--this idea is old) found new avenues of attack. Reputation scoring, token analysis, and other statistical measures are a far better set of solutions to work with. You can go on the cheap with some sendmail RBL and dspam type solutions all the way up to what I consider best in class right now--Ironport. A Microsoft shop would probably like FOPE--it integrates well and does a damn nice job of proper spam filtering too. The larger MS shops with EA agreements can roll than into the package for decent pricing.

Spam is not the reason

[Glendale2x]

The question "Is Reverse DNS a Worthy Standard For Fighting Spam?" is incorrect. Spam is not the reason; using it as a measure of clue is. Servers that emit spam and and clue level can be related, though. If someone is clueful enough to set up a mail server properly they're going to make sure it has reverse DNS. A mail server run by a less than clueful individual (or set-and-forget with no admin) is more likely to be a problem source either now or in the future than the ones that are cluefully configured and actively maintained.

Of course you are going to have spammers that are clueful mail admins and will set up their servers properly. That's why you can't pigeonhole reverse DNS as some kind of spam fighting method alone. But it can always be used as a measure of cluefulness.

Just as your seeing.

A lot of system admins do not create rDNS causing rejections. Most of the time it's a headache so we don't do it.

Greylisting

[mutende]

The only truly effective spam prevention technique I've seen is greylisting.

Re:Greylisting

Are you sure that just killing all spammers wouldn't be more effective?

Re:Greylisting

Seconded. I don't check check for valid HELO (or even require one). I have a few entries that cannot send me mail regardless, a few that can only send to abuse@ - AOL and Yahoo are two - and I check for valid SPF. Greylisting stops all the rest.

Re:Greylisting

[The+Moof]

...for now. Spam has troubles with greylisting simply because they haven't built simple queuing into their zombies yet. As soon as the implement something that tries 15-20 minutes after initial rejection, greylisting becomes useless.

I actually found SPF to work pretty well. That was until a business we work with didn't know how to configure theirs, and they created records to instruct all mail servers to reject any e-mail from them. Relayed this to them several times, but eventually, the order came down from on-high to in our company disable it for our servers.

Re:Greylisting

[silas_moeckel]

Whitelist the one domain past the spf checking?

Re:Greylisting

[heypete]

It's also an enormous pain.

The email service for the department at the university I used to work for used greylisting, and incoming mail was routinely delayed for 30+ minutes. While I realize that email is not a time-critical service, it is still a hassle to wait for incoming email.

Even if greylisting could completely eliminate all spam, I would rather tolerate a small amount of spam than deal with the delays. Google Mail (who provides email for my domain)'s spam filter is so good that it is a rare occasion when spam slips through to my inbox.

Re:Greylisting

Wrong, thanks to greylisting spammers now retry... endelessly in some cases and not just on 4xx but 5xx too.

Greylisting is useless and while the spammers are only inconvienienced minimally, everyone else gets their email needlessly delayed.

Re:Greylisting

The only truly effective spam prevention technique I've seen is greylisting.

I swear certain websites do this with passwords sometimes. I use a keyboard macro for a couple web sites including a gmail account, and every once in awhile I have to try twice to log in, because I get told my password is incorrect. Unless my keyboard is mistyping the macro or the server is producing the wrong error, I'm thinking they will reject first attempts sometimes to prevent brute force attacks.

Re:Good idea, but too much trouble in the real wor

[hedwards]

Sounds like a good reason to go job hunting before getting fired for his incompetence.

You have to do this

[DarkOx]

Its right, its not fair; but its needed. Legitimate sites should have no problems setting up reverse records or getting their provider to do if for them.

Anyone who is not in a position get PTR records in place for their mail server is not actually in a position to be running a mail server anyway. Sorry that is just the way it is. PTR records are nice to have for any number of mail delivery troubleshooting and validation issues outside of SPAM.

As a mail admin I'd kinda consider them a requirement anyway. Its not easy to work transmission problems when I can't figure out who the admin of the other server is and how to get in touch with them.

I know its not within the standards, but I say no PTR record no, mail accepted.

Re:You have to do this

Actually it is in the standards, not the SMTP standards.

Any host over the Internet is supposed to have a valid reverse DNS (PTR Resource Record) declared, as required by RFC 1033: Domain administrators operations guide, section Adding a host:
Adding a host:
To add a new host to your zone files:
Edit the appropriate zone file for the domain the host is in.
Add an entry for each address of the host.
Optionally add CNAME, HINFO, WKS, and MX records.
Add the reverse IN-ADDR entry for each host address in the appropriate zone files for each network the host in on.

I agree 100%. If you don't have a valid reverse dns, I don't accept your mail. I'll usually tell such person when they complain to contact their ISP to fix it.

Re:You have to do this

I say no PTR record no, mail accepted.

You should sing it.

Re:You have to do this

[tepples]

I'll usually tell such person when they complain to contact their ISP to fix it.

Good luck getting a call center representative in India to understand what a PTR record is, if other comments posted to this story are any indication.

Re:You have to do this

I'm confused, no PTR and you accept the mail, by implication do you deny mail that HAS a PTR?

(You put that comma in the wrong place. Punctuation is important, in this case it reversed the meaning of the comment.)

Re:Good idea, but too much trouble in the real wor

[blane.bramble]

Simple. Ask him if any of the email sent or received has value to the company. If the answer is "Yes", ask if he insures his car/home/dog. When he says yes point out the backup MX cost is insurance against the value of the email. If he says "No", point down you can save more money by closing down all email. Then go back to the first question, or close it down and get out of there.

why waste time

just set up postini properly - all mail to you is filtered by likely the biggest most up to date filter in the world (and dont forget to set up inbound rule in your firewall narrowed to your mailserver only receiving SMTP from postini)- dont try and make your own spam filters -- postini is the best.

i do not work for google.

Spam scoring

It should not be an automatic ban, instead part of the overall score applied by the filter(s).

Real men....

[Groo+Wanderer]

Real men would scan the IPv6 space too.... :)

                  -Charlie

Re:Real men....

[suso]

Real men would scan the IPv6 space too.... :)

I know you're joking as that would take longer than the age of the universe, even if you could scan it at a rate of 2^32 IPs per second.

However, one of the reasons why I did it is to gather data about where hosts are going in the transition from IPv4 -> IPv6. Some of the information I have includes IPv6 and IPv4 data paired together. So although you couldn't scan someone's block, you can get an idea of where they put their stuff in the new IP era and maybe compare what people usually did in their migrations. At least I'm hoping I'll be able to gather that data. I'm sure a lot of non-vegan geeks will have a host answering at :0000:feed:face:dead:beef and necropheliac geeks can have :6969:feel:dead:babe:b00b.

Re:Good idea, but too much trouble in the real wor

[max99ted]

We pay our ISP to provide 'queue service' in the event our connection/Exchange box goes down. When 'selling' this service to the bosses I put it this way - How much will it cost the firm to not only be without email during an outage, but to lose all emails sent to the firm during that time period?

I feel your frustration though... IT is often seen as a 'zero payback expense'.

As an ISP we require rDNS it works well.

[Muerte2]

I work for an ISP and we require rDNS records for all incoming mail. You will filter out a TON of spam email with that simple rule. It's much easier on the CPU load to filter on a simple reverse DNS check than to run spam assassin on that message. There are the occasional (not as many as you'd think) misconfigured servers that don't have rDNS. In those rare cases we contact the other end and let them know they're incorrectly setup, and usually add a temporary allow until they get the issue fixed.

I highly recommend requiring rDNS for incoming mail. 99.9% of legit mail servers will have those records, and only about 30% of spam servers will. We process over a million email messages a day with this method, it works.

I require them

[Hokan]

My mail servers require PTR records and require that they match A records. This has stopped a huge amount of spam. It has also stopped some ham and as a result I now use this in combination with a whitelist.

Re:I require them

[green1]

I just hope you aren't related to the idots I found the other day when sending email...

I have RDNS records set up, they match A records for the host. That wasn't enough for this particular mail server (at a large american ISP), my message got bounced because the RDNS record didn't include the words "mail", "smtp", or "mx"... since when was THAT a requirement??? (I was also blacklisted by another large american ISP who refused to say why, and I suspect it was the same broken reason, luckilly that one was willing to remove me from the blacklist with a simple request, unlike the first one who refused to do anything unless I renamed my mail server!)

Your submission advocates a....

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

No

[squiggleslash]

You're going to read a lot of comments a long the lines of "Yes, because only a legitimate emailer will know {long list of obscure hoops you apparently have to jump through to send email, most of which are not documented in any RFC.}"

In reality, the answer is no. It's a fucking stupid idea, and the fact that there are a lot of fucking stupid idiots choosing things like this as a way to block spam doesn't justify it. In reality, it's something a spammer (generally a person who knows a little more about sending email than the average office network administrator) will know how to get around, but something your users and the people they want to communicate with will not.

Reject spam because it's spam, not because it doesn't comply to a made-up, easily circumvented, rule.

Re:Good idea, but too much trouble in the real wor

[The+Wild+Norseman]

Sounds like a plan, care to explain that to the CTO? I tried several times and was told that it is a "zero payback expense"

Just out of curiosity, but did you submit a Business Impact Assessment/Risk Assessment detailing what the likelihood of a mail server failure would be and if it failed, how much money it would cost to re-establish services? You honestly outline what resources you have to bring to bear in solving an emergency and then plop that puppy right on his desk. If he then does a cost/benefit analysis and then wishes to ignore it, that's fine. You're covered. Of course, the GP said if a mail server is important enough, then... That's why these kinds of reports were invented; CBFs tie into DRPs which are subsets of BCPs.

Anyway, sounds like the CTO doesn't understand the proper role of support services for your company. IT is becoming more and more an essential feature of business (Critical Business Function) and though it may not be the prime income generator (web commerce), it still can be quite disastrous to the company if the mail server goes down.

Don't use that as the only criteria.

[Derek+Pomery]

Use other things as well, like, SPF, whether the connecting machine is an MX for the domain, greylisting of various kinds (possibly), and weighting on lists like SBL and XBL. PBL will block hobbiests like me, fortunately gmail doesn't do that.
And then once you accept it you can do more thorough bayesian checks on headers and content.
In any case, absolute reliance on any of 'em is a problem. Spam Assassin is awesome at doing weightings, IMO.

Re:It is possible in all the situations that matte

[tibit]

Any ISP will setup rDNS entries if you have a business account

For certain subsets of "any", that is. I'm with two rather large national-scale ISPs, on business class accounts with both of them, and asking for rDNS makes their eyes glaze over and that's the end of that. Our previous ISP, also a large company, was just as inept...

Email is stuck in the mud, waiting for what's next

[FyberOptic]

It depends on how much money you want/expect the world to spend trying to revamp the entire outdated system, for starters.

The fact is, spam filtering these days is pretty doggone good. I know people complain about Google and privacy issues, but I pipe all my POP3 mail into my Gmail inbox, and I rarely ever get unwanted emails. But I get literally dozens of spams a day in the spam folder.

I also have my "catch all" account from a server I administer directed to a different Gmail account. And considering 99% of that mail is also spam, it catches hundreds a day, and passes through the very few random emails which were legitimately (and sometimes accidentally) addressed to someone at the domain. In fact, I've also witnessed emails come in from companies directed at people who are apparently engaged in fraudulent purchases. Receipts for hotels and airlines and such. It's interesting to see what shows up from time to time.

The only way you're going to really change the system is if you come up with an entirely new one which is inherently secure but also exciting and different enough to encourage people to switch. Trying to make people enable particular settings in cryptic configuration files of current software when there are countless sysadmins who barely know how to make email work to begin with is a waste of time and effort.

Include the Human Element

[DERoss]

My ISP has a two-phase spam filter.

Phase 1 checks the domain from which the E-mail message was sent. If a DNS lookup indicates that no such domain has been registered, the message is trashed. This phase resulted in a very significant reduction in spam, both spam caught in Phase 2 and spam reaching my inbox.

Phase 2 uses a scored filtering system. It gives me the ability to add filters with my own scores. Any message caught in this phase is routed into a spam file on my ISP's server. I can review the messages in that spam file, marking some for acceptance into my inbox and some for deletion. In that review, I can also instruct the ISP's basic filter to "learn" what is really spam after a false negative or really not spam after a false positive.

Note well that I CAN REVIEW ANY MESSAGE THAT HAS BEEN MARKED AS SPAM in Phase 2. No matter how spam is detected, this is most important; the human element in determining spam is absolutely required. On the other hand, there is no human element in Phase 1, which does not perturb me. After all, I cannot reply to a message from a non-existent domain or or send a new message to it; I really do not want to receive any message that prevents an exchange of messages.

Re:Include the Human Element

[DERoss]

I just now ran a test on the E-mail domains used by my two children and my brother. Messages from each use the same address on the Return-Path: and From: header lines. I did a DNS lookup on each address's domain to get an IP address. I then did a reverse DNS lookup on each IP address. My conclusion is that reverse DNS is not an acceptable filter against spam.

Here are the results of my test:

My daughter: shaw.ca > 204.209.208.8 > "no data record" error message
Using reverse DNS lookup as a spam filter would thus block messages from my daughter.

My son: yahoo.com > 72.30.2.43 > ir1.fp.vip.sk1.yahoo.com
                        > 98.137.149.56 > ir1.fp.vip.sp2.yahoo.com
                        > 98.139.180.149 > ir1.fp.vip.bf1.yahoo.com
                        > 209.191.122.70 > ir1.fp.vip.mud.yahoo.com
                        > 67.195.160.76 > ir1.fp.vip.ac4.yahoo.com
The yahoo.com domain resolved to five distinct IP addresses, each of which then resolved to a unique domain that ended with ".yahoo.com". Using reverse DNS lookup as a spam filter would thus not block messages from my son unless an exact match were used.

My brother: aol.com > 205.188.101.58 > hostheader-dtc02.evip.aol.com
                            > 207.200.74.38 > hostheader-dtc02.evip.aol.com
                            > 64.12.79.57 > open.aim.com
                            > 64.12.89.186 > nullsoftwinamp.com
                            > 205.188.100.58 > open.aim.net
The aol.com domain resolved to five distinct IP addresses, each of which then resolved to a domain (not necessarily unique) that had several aliases (listed below). Two of those domains ended with ".aol.com"; each of the other three domains had at least one alias ending with ".aol.com". Using reverse DNS lookup as a spam filter might block messages from my son if an exact match were used or if alias domains were not considered.

Aliases found during reverse DNS lookup on AOL's IP addresses:

hostheader-dtc02.evip.aol.com aliases (for two IP addresses): ambassadoroflifestream.com, backup.aol.com, mqvibe.com, aolblog.com, aol4life.com, whatisaol.com, nullsoftwinamp.com

open.aim.com aliases: open.aim.net, eyeno.aol.com, forum.compuserve.nl, music.aim.com, music.aim.net, backup.aol.com, mqvibe.com, aolblog.com

nullsoftwinamp.com aliases: hostheader-mtc02.evip.aol.com, ambassadoroflifestream.com, backup.aol.com, mqvibe.com, aolblog.com, aol4life.com, whatisaol.com

open.aim.net aliases: eyeno.aol.com, forum.compuserve.nl, music.aim.com, music.aim.net, backup.aol.com, mqvibe.com, aolblog.com, aol4life.com

policyd-weight

[lavamind]

Use policyd-weight. It checks for DNS records and other stuff, and assigns a score to each test. I've been using it for a while and find it's a good compromise.

Small Business and DNS/Email

You do realize that your ISP doesn't have to also be your DNS provider? You can pay for any domain name registrar to do it for you, assuming that you have your own personal domain. You can even add your own DNS aliases. This still allows you to host your email server in-house but also have proper DNS entries. I use Dotster for my personal domains, but there are many out there.

Re:Small Business and DNS/Email

[trentfoley]

However, reverse dns is a completely different beast. Whoever has the ipv4 subnet controls the rdns for that subnet. If an isp is nice, they can delegate smaller subnets of their larger block to individuals, but this is rare.

This should help clarify

Re:Small Business and DNS/Email

[Cramer]

You do realize the ISP owns the f'ing address. That means *THEY* control what PTRs are assigned. They are the only ones that can change them.

Not part of the RFC...

...so it's not something valid to deny mail on, unless you don't mind not receiving certain mail (Which is fine, but don't count on the person sending it caring about it either).

Reverse DNS is messed up for my mail server, but that's because it's just too much effort to get the VPS provider to fix it (I don't have any control over it). People that reject mail based on things outside of RFC don't get my mail. Personally, I don't care, because, again, those people aren't worth the effort to satisfy. I can communicate with them by pen and paper (In other words, unless they're the government, they don't exist).

Re:Not part of the RFC...

[decula03]

Read RFC1912 - no, it's not for SMTP, but a requirement of being on the net in general.
Note the "loss of internet services" - of which smtp is.

      Make sure your PTR and A records match. For every IP address, there
      should be a matching PTR record in the in-addr.arpa domain. If a
      host is multi-homed, (more than one IP address) make sure that all IP
      addresses have a corresponding PTR record (not just the first one).
      Failure to have matching PTR and A records can cause loss of Internet
      services similar to not being registered in the DNS at all. Also,
      PTR records must point back to a valid A record, not a alias defined
      by a CNAME. It is highly recommended that you use some software
      which automates this checking, or generate your DNS data from a
      database which automatically creates consistent data.

How I use rDNS for my email customers

[Sleepy]

If the PTR request results in NXDOMAIN:
then add a X-Warning-no-RDNS header.

Customers are informed of this header. If they wish to make a client-side quarantine rule, they can. Customers are advised not to make rules to automatically delete such emails, as rDNS can get overloaded.

Also - if the rDNS resolves, and the answer is a KNOWN "dynamic or residential" rdns type name, then graylist that sender for 15 minutes. Most spam bots will not queue and retry their spam... they just move on and attack an easier mailserver. Note this is better than trying to use a "dynamic IP block list" because there isn't any, really (not anymore). Spamhaus PBL is not a dynamic IP list.

I use DynaStop http://dynastop.tanaya.net/ for this.
Note this is far better than maintaining your own IP blacklist. You're only graylisting IF the rDNS resolves to say 123-123-123-123-comcastbusiness.net for example. There are PLENTY of legitimate servers in domain space like that (albiet, IT running Exchange and not having a clue..). You would not want to block/refuse based on the rDNS. But the graylisting does thwart spam... in a very hands-off maintenance method. The sender can get through after 15 minutes OR after fixing their reverse DNS. (Once the sender gets through, their IP is considered green/OK for 4 days.. this eliminates the graylisting for frequent senders with bad rDNS)

Can't do it

[laing]

I've been an Internet mail server administrator for over 20 years. About 10 years ago I experimented with a rule that would block all mail from any mail exchanger without a matching/existing reverse DNS record. I experienced the same problems that you are now experiencing. I tried to enhance awareness of this problem but didn't get very far. There are lots of small businesses (including mine) who run their own mail exchangers. Many administrators simply do not understand the technology enough, and they feel that they do not need to because it's working "good enough" already. You can either make a "white list" of the problematic servers, or just drop the rule as I did.

Re:Can't do it

The question is not about matching forward and reverse, but an existing reverse.

As many others have pointed out; many hosting services have a reverse which cannot match the forward.

It's a poor differentiator

[sjames]

Filtering based on lack of rDNS is an old technique that actually did a good job of detecting spam without an excess of false positives for about a week in the late '90s. It has for some reason become enshrined as policy by a great many people now. These days it is occasionally a better indicator of NOTspam since the spammers all make sure they have rDNS set up and have done so since that week or so in the '90s.

Consider, if someone in a striped shirt wrote your business a bad check a decade ago, would you maintain a policy of not doing business with people who wear striped shirts?

Re:It's a poor differentiator

[Tracy+Reed]

A lot of spam comes from botnet'd boxes which were never intended to be sending mail. Those machines often do not have a reverse DNS configured because it did not matter and no mail should be coming from them. Spammers do not have control over the reverse DNS for these machines so filtering on reverse DNS is still a good way to add to the spam score of an email.

Re:It's a poor differentiator

[sjames]

Actually, most of those DO have rDNS often in the form a-b-c-d.dsl.isp.net or some such.

Re:It's a poor differentiator

[zyzko]

I am an admin of moderately loaded mail server cluster (some 500 domains so not that big) and lack of PTR and bad HELO in 99% of situations still means spam. Spam-worms still origin mainly from ddns hosts with no reverse (very shady isps) and generally identify themselves in HELO as "localhost" or by their ip number.

Spam worm writers *still* can't properly write SMTP clients and that is a good thing, makes filtering easier... And yes, because I require rDNS and proper HELO I have had to whitelist some senders because they have an internal server who greets with somedomain.local in HELO (for some reason these tend to be Exchange servers with admins not knowing or able to configure them properly....wonder why).

Re:It's a poor differentiator

Methinks you exaggerate. But you still make a valid point. rDNS is certainly an old anti-spam detection method and its usefulness has diminished over time. But I still maintain it's one valid test in a well-constructed battery of anti-spam measures.

Re:It's a poor differentiator

Nice Logic.

You have to have it

[juggler314]

I didn't read every comment, but the general theme seems to be that it's not absolutely required to have a reverse DNS entry. While this is true per the RFC - it's incredibly bad in practice. Google MX check, run the checker and if you don't have reverse DNS it'll point it out. Also people that say not one mail has bounced because of this must simply be wrong. Many blacklists will auto-add you if they notice you don't have reverse dns, then many companies will pick that up. Last time i had to move my companies mail server, the reverse was inadvertently not setup properly - not only did this cause problems fairly quickly it was slow to fix because while you'll be added to blacklists instantly, getting back off them is a manual process - you have to find every one you are on and then the companies that have picked up this info then have to get the new info - and some don't do this in a timely manner.

Running a real mail server for a real company without a correct functioning PTR record would be something that should get you fired.

The reasoning is simple, anyone running a real mail server will easily be able to set it up, if you don't have the PTR it likely means you are a spammer or you are running a server at home. Not that there's anything wrong with running your own SMTP server, but that's basically how botnets send spam...so there's a heavy correlation to that and spam.

Re:You have to have it

[juggler314]

Oh and one more thing, I don't require incoming ptr checks on my mail server, as many have pointed out some people simply don't do it even if they should. The score will be weighted higher towards spam without it though.

Yes

[errandum]

Telnet smtp server on port 25. HELO pcname - MAIL FROM: address_you_want - RCPT TO: destination_email - DATA message .

There, someone just wrote a bot to spamm you 25 times per minute.

No.

Spam originates from botnets and mailservers like gmail and hotmail. Both usually have correct, matching forward and reverse dns entrys. But you can filter the few retards that activly refuse to add reverse dns records, with a lot of collateral damage (people who don't know better or *can't* add them 'cause they don't control reverse dns for their IP...)

Re:Good idea, but too much trouble in the real wor

[decula03]

Glad you brought up the RFCs - isn't a proper rDNS entry for a server a requirement?

why does your server talk chinglish?

[spectrokid]

We aren't accept direct connection
why does your server talk chinglish?

Re:why does your server talk chinglish?

because spammers do so. And they should understand it.

Expecting rDNS is pretty common

[chaoskitty]

Expecting rDNS is pretty common. Expecting PROPER rDNS, on the other hand, is another thing altogether.

If a machine doesn't have rDNS, then it can't send email to anyone at AOL, for instance. It'd be quite disingenuous to say that people who send email through a machine without rDNS would be surprised if they couldn't contact you.

On the other hand, there are too many ISPs who have rDNS, but broken rDNS (doesn't resolve in the forward direction, uses names which don't belong to them, et cetera). I block email from all connecting machines which have rDNS (or HELO/EHLO strings) which say yahoo.com, hotmail.com, gmail.com, or google.com, which cuts down on a LOT of spam. The real services always have blahblah.something.yahoo.com, for instance.

I also block HELO/EHLO names which don't resolve in DNS, and on my backup MX I also block when the HELO/EHLO doesn't resolve back to the connecting IP. This, IMHO, is much more effective than only rDNS checking. People don't always control their own rDNS, but they damned well better control whether their mail server is lying or not.

The bottom line is this: are you expecting email from just anyone? If so, you can't block it but you can increase its spam score. If you generally correspond with the same people and occasionally start corresponding with someone new, you could take the time when someone new has a broken mail server. This is what I've done for years (with HELO/EHLO) and most people thank me once I explain why it's in their best interest to fix it.

RDNS Not Unreasonable

[ilec_geek]

I run a small ISP and my email server is set to block illegitimate connections. Why should I allow an IP address with a PTR record of something like "generic_dumbass_user_IP123.233.domain.com" to freely connect to my email server and start spewing data? That's just stupid. Granted, a "fake" record can easily be created, but it is not unreasonable to setup or have your ISP setup a simple PTR record for your email server. It doesn't even have to match your domain's MX record. It just has to NOT be an obvious generic entry, or worse, no record at all. I understand the headaches when dealing with other email "admins" out there who may or may not know how to configure things, or may or may not care when you give them "friendly" advice on how things should be configured. Network admins are usually governed 90% by their ego, and nobody who is "king of his own little hill" appreciates being told by some stranger that his network is messed up. But there are "industry best practices" and RFCs to guide you. So IMHO, RDNS will not stop all SPAM, but it is simple enough to implement and does not create a lot of "false positives" when integrated with a comprehensive security profile.

Mail Filter

Get Postini and be done with spam.

Re:Good idea, but too much trouble in the real wor

[chill]

Well, that should be fairly simple now. Point to the circuit failure and explain that is what you're talking about.

Do it in writing (e-mail), so if someone above him screams at you, you can say "I expressed my concern but it was judged to be an acceptable risk by the powers-that-be."

I understand the problem you have. I've just resigned myself to the security mentality of "my job isn't make the decisions, it is to make sure the people who make the decisions have the best information". It means I get to say "I told you so" quite a bit.

The short answer:

[cshark]

No. Absolutely not.

A script to check rDNS for popular domains

[Muerte2]

I wrote a script to check a bunch of popular domains (or any domain) and see if they have a reverse DNS entry.

http://www.perturb.org/code/rdns_check.pl

The summary is that every one (100%) of the domains I checked had reverse DNS.

digg.com has 7 MX records
** (Good) aspmx.l.google.com = 74.125.65.27 / gx-in-f27.1e100.net
** (Good) alt1.aspmx.l.google.com = 74.125.113.27 / vw-in-f27.1e100.net
** (Good) alt2.aspmx.l.google.com = 209.85.143.27 / dy-in-f27.1e100.net
** (Good) aspmx2.googlemail.com = 74.125.43.27 / bw-in-f27.1e100.net
** (Good) aspmx3.googlemail.com = 74.125.127.27 / pz-in-f27.1e100.net
** (Good) mail.digg.com = 74.125.127.121 / pz-in-f121.1e100.net
** (Good) diggstage01.digg.com = 64.191.203.34 / diggstage01.digg.com
nytimes.com has 4 MX records
** (Good) NYTIMES.COM.S7A1.PSMTP.com = 64.18.6.14 / s7a1.psmtp.com
** (Good) NYTIMES.COM.S7A2.PSMTP.com = 64.18.6.13 / s7a2.psmtp.com
** (Good) NYTIMES.COM.S7B1.PSMTP.com = 64.18.6.11 / s7b1.psmtp.com
** (Good) NYTIMES.COM.S7B2.PSMTP.com = 64.18.6.10 / s7b2.psmtp.com
gmail.com has 5 MX records
** (Good) gmail-smtp-in.l.google.com = 74.125.65.26 / gx-in-f26.1e100.net
** (Good) alt1.gmail-smtp-in.l.google.com = 74.125.113.26 / vw-in-f26.1e100.net
** (Good) alt2.gmail-smtp-in.l.google.com = 209.85.143.26 / dy-in-f26.1e100.net
** (Good) alt3.gmail-smtp-in.l.google.com = 209.85.229.26 / ww-in-f26.1e100.net
** (Good) alt4.gmail-smtp-in.l.google.com = 74.125.79.26 / ey-in-f26.1e100.net
hotmail.com has 4 MX records
** (Good) mx3.hotmail.com = 65.54.188.110 / bay0-mc3-f.bay0.hotmail.com
** (Good) mx4.hotmail.com = 65.55.92.168 / mx4.hotmail.com
** (Good) mx1.hotmail.com = 65.54.188.72 / bay0-mc1-f.bay0.hotmail.com
** (Good) mx2.hotmail.com = 65.55.37.72 / col0-mc1-f.col0.hotmail.com
yahoo.com has 3 MX records
** (Good) mta6.am0.yahoodns.net = 98.137.54.238 / mta-v2.mail.vip.sp2.yahoo.com
** (Good) mta7.am0.yahoodns.net = 74.6.136.244 / mta-v3.mail.vip.sk1.yahoo.com
** (Good) mta5.am0.yahoodns.net = 98.139.175.224 / mta-v1.mail.vip.bf1.yahoo.com
fastmail.fm has 2 MX records
** (Good) in1.smtp.messagingengine.com = 66.111.4.71 / mx2.messagingengine.com
** (Good) in2.smtp.messagingengine.com = 82.145.212.142 / tmx2.messagingengine.com
comcast.net has 2 MX records
** (Good) mx1.comcast.net = 76.96.62.116 / imta.westchester.pa.mail.comcast.net
** (Good) mx2.comcast.net = 76.96.30.116 / imta.emeryville.ca.mail.comcast.net
apple.com has 7 MX records
** (Good) mail-in13.apple.com = 17.254.13.11 / mail-in.apple.com
** (Good) mail-in14.apple.com = 17.254.13.13 / mail-in.apple.com
** (Good) mail-in11.apple.com = 17.254.13.7 / mail-in.apple.com
** (Good) mail-in12.apple.com = 17.254.13.10 / mail-in.apple.com
** (Good) mail-in2.apple.com = 17.254.13.5 / mail-in2.apple.com
** (Good) mail-in6.apple.com = 17.254.13.9 / mail-in6.apple.com
** (Good) mail-in3.apple.com = 17.254.13.8 / mail-in3.apple.com
google.com has 5 MX records
** (Good) aspmx.l.google.com = 74.125.65.27 / gx-in-f27.1e100.net
** (Good) alt1.aspmx.l.google.com = 74.125.113.27 / vw-in-f27.1e100.net
** (Good) alt2.aspmx.l.google.com = 209.85.143.27 / dy-in-f27.1e100.net
** (Good) alt3.aspmx.l.google.com = 209.85.229.26 / ww-in-f26.1e100.net
** (Good) alt4.aspmx.l.google.com = 74.125.79.26 / ey-in-f26.1e100.net
aol.com has 4 MX records

Hardly better than useless...

[damn_registrars]

The spammers will find a way around it, no matter what you do. It isn't any better than filtering in terms of a real long-term solution.

And the reason why both suck and fail to bring a long-term solution is they are both reactionary measures to an economic problem. They are both rooted at least partially in the notion that spam is sent out to piss you off and waste your time, which could hardly be a less accurate analysis of the situation.

Spam is sent out to make money, period. It will continue to be sent as long as money can be made by sending it out.

Hence the solution is to disconnect the spammers from the people who pay them. Work has been done to do this already and it has been shown very effective because there is no incentive for spammers to send spam if they aren't getting paid for it. Anything else just encourages them to find ways to get around anti-spam measures and will inevitably make spam a more costly situation for everyone.

how we roll

I manage a large volume email installation (many mil+ daily). I block ips that do not have reverse DNS with little to no problem. It is a common requirement, and those mailing without reverse dns won't be able to mail a lot of people. This hasn't been a problem, but as a large local provider it may just be I'm in a strong position to bully people into fixing their dns.

I don't block those who have _broken_ reverse dns. That's common, even among some big sites. By that I mean their ip address resolves to a hostname, but that hostname does not resolve back to that ip. If you block based on this you will loose legitimate mail.

Yes, Block Them

Make the world a better place for everyone else who rejects inbound email from IPs with no reverse DNS by doing the same. The only people who really have no way to provide reverse DNS for the IPs they're mailing from have no business running mail servers.

Re:Good idea, but too much trouble in the real wor

[nabsltd]

Glad you brought up the RFCs - isn't a proper rDNS entry for a server a requirement?

It's a "SHOULD", not a "MUST", as it's perfectly legal for an RFC-compliant email system to not have a hostname. Such a system would introduce itself (in its greeting and in HELO to other servers) as "[aaa.bbb.ccc.ddd]" with the actual IP address replacing the placeholders.

Likewise, it is a "MUST NOT" for rejecting based on not having reverse DNS.

Selective greylist

[mrball_cb]

The way I handle this is I greylist any email that comes in if:
1) it has no reverse dns
2) or the reverse dns matches certain patterns that indicate dynamic ip's

The rest comes in undelayed and is exposed to further checks. Note that it's ludicrous to require forward and reverse dns to resolve to the same thing. In today's age of hosting multiple domains in one server/cluster, it's just not reasonable to have PTR records defined that way.

It's retarded.

[nblender]

I've been running my own mail server since my first 'domain' ended in .uucp (and also didn't have rDNS but whatever)... I likely have greater clue than most mail server admins who reject mail as spam for not having rDNS. I continue to run my own mail server and refuse to relay through my ISP's mail server. This way I can check my logs and know that my e-mail was accepted by a remote MX which is a useful debugging tool when someone says "I didn't get that e-mail"... ISP's tend to change their email policies at the drop of a hat and suddenly, without prior knowledge, your mails stop getting through because someone decided to disallow .tar.gz attachments, or whatever. My ability to add a PTR record to my subnets doesn't tell you anything about my ability to run a mail server nor does it say anything about my e-mail policies. I know lots of retard windows admins who know how to add a PTR record but I wouldn't trust them to reboot my son's computer, let alone run a reliable mail server. So if you're using the presence of rDNS to detect clue, then you are without clue. Given that PTR records are largely free-form, there is no valuable information in the content of a PTR record. Just because many sizable companies have jumped on the bandwagon, doesn't mean they're intelligent either. I only recently had to relent and add a PTR to my mail server IP because e-mails to my customer were bouncing due to Brightmail arbitrarily deciding that my site was a spam site due to the lack of rDNS. Since my customer is directly tied to my revenue and the smartypants admins at Brightmail won't accept a logic and fact based argument, I had no choice but to relent.

sigh. I hate people.

Rdns AND MX are my 2nd liine

Like so many others I use multiple layers of anti-spam methods
lowest cost to higest , starting with
-- valid elho
-- to a valid user in my domain?
-- MX lookup, is this host the MX for the sending domain
-- does the RNDS match the MX
-- RBLs
-- body and header checks
-- a/v and ocr checks
Cuz I am sick of spam ..lazy admins..backscatter..virus hosts and all teh rest of teh crap excuses to spam me with
and I dump about 1% into quar/teen that I need to check daily ..of that 1 out of 10 is legit..but still mostly automated
crap..dinkdin..facialbook..titter..crap

Re:Rdns AND MX are my 2nd liine

[loVolt]

you can friend me!

It's useless

[LordAzuzu]

Nowadays most of the spam comes from infected pcs, connecting to the internet with residential ISPs, and they all (well, at least 90%) have a rDNS for their customers IPs.

Here we go again...

[ZeldorBlat]

This article advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Freenet

While you have my deepest sympathies regarding your encounter with spamhaus, I would like to take the opportunity to suggest that you give freenet a try. The project is still making significant progress in terms of security, anonymity, and performance.

A reverse DNS check is only one possible test

[FridayBob]

My approach, using Exim4, is not to reject messages outright based on single issues, such as not having a proper reverse DNS entry, but to reject based on combinations of them. This is a great way to limit false positives.

For instance, an incoming message may also have a bad HELO, a bad sender domain, be blacklisted locally or by a DNSBL service, or not have a working callout so that the existence of the sender's account can't be verified. There are more issues like these to look for. My systems count the number of these transgressions per message and reject when a certain value is reached, say three, while dumping messages that score one or two end in the recipient's spambox folder. With Exim, this kind of solution is surprisingly easy to construct using ACL statements with user-defined variables that include arithmetic statements. The last checks that are performed involve Clamd and SpamAssassin, because they are so resource-intensive.

I should also mention that my systems also perform a number of checks up front for obvious spam that is rejected immediately, e.g. if the sender address domain is gmail.com, but the sender HELO name is not part of the google.com domain.

Re:A reverse DNS check is only one possible test

I do have a gmail.com account which forwards to my personal mail server, and I send my email from non-google.com domain. I am always happy to hear about people not getting emails from me because of their broken setups claiming to fight spam.

restricts freedom on the web

it would be really hard to have one's own email server if reverse DNS is used to filter spam

You should never do this

I have a web hosting service that provides me a few Email addresses for my domain and the ability to server a web site. I do not have a dedicated IP for this. The result is my forward MX record does not match the reverse DNS (which lists my ISP as the owner). I have problems from time to time sending Email to clients because of spam filters that find such a situation nefarious. The truth is that the web hosting service has dozens of domains usign the same server and that it is not a unique situation.

Re:Good idea, but too much trouble in the real wor

[Alain+Williams]

You got it. Today, unless you have a dedicated Email server guy it's retarded to run an Exchange server in house.

I only agree on the point Exchange server, run exim or postfix for something stable and managable.

It is not really very hard to do, you need a bit of clue, but that is all. If no one at your company has clue then either outsource it or pay someone external to maintain it for you, neither should be expensive.

Oh: yes a rDNS record check is good, the problem is a numpty administrator who does not understand the issues and expects to force his brokenness onto the rest of the world. It should not be hard to whitelist that domain from the rDNS check.

SPF instead?

It seems like an SPF record would serve a similar purpose, and not require your ISP to get involved.

Some actual data

Ok, so people can make lofty statements like there's no RFC requiring XYZ, or that it's hard to get PTR records from an ISP. But, here's some actual experience from my in-production system.

I increase an email's spam score to the threshold of what would be the cut-off for HAM when I receive an email from a system with no reverse record. This allows the content of the email to "prove" itself to SpamAssassin and my other tools while not rejecting the item out of hand. I can produce hard numbers by looking back in my SQL table for emails that triggered this rule that were marked as SPAM and ones that triggered the rule but were eventually marked as HAM.

Numbers from 2011-10-01 to 2011-10-13
Spam with RDNS: 6,350
Spam without RDNS: 11,899
Ham with RDNS: 14,609
HAM without RDNS: 486
TOTAL: 33,357

So, you can see from those numbers that not having an RDNS record may not be a direct indicator of SMAP, but it's pretty darn good. Naturally, every environment is going to see different criteria, so your best bet is to log what your SPAM system is doing and pour over that data for a month or two. I found that for my organization, it's extremely unlikely that a legitimate email would be routed through another country, so I automatically set email to the SpamAssassin threshold score like I do with missing RDNS.

With regard to the claim that ISP's will not create a reverse record, that's simply bunk. I've run IT groups for several companies in several locations and I've worked as a consultant/contractor for even more. The simple fact is that if you're using a business account, your ISP will have a process in place to create a PTR record for the IP address you've assigned to your email server, or the IP address being used for NAT/PAT. If you're too small to manage this on your own, don't have the knowledge to ask for a PTR record, or you're running on a consumer-level service, you should NOT be running your own email server. Of the small and unskilled organizations I've found doing this, 9 out of 10 of them had open relays or compromised email servers. Running a production service on the internet actually takes a level of knowledge, and not having it will cause you MUCH more harm than good.

HIPAA, GLB, SOX, FDA regulated joints use ironport

Cisco ironports configured for strict checking want the HELO/EHLO to match the DNS name of the IP. They are reasonably intelligent about CNAMES and multiply-named hosts, though.

Ironport set to strict is the new standard, so get used to it.

Rejecting based on rDNS violates the RFC

[ScottG]

While spammers certainly don't worry about conforming with RFCs, it should be noted that rejecting email based on the DNS is a specific violation of the relevant RFC, RFC-5321, section 4.1.4, which states:

An SMTP server MAY verify that the domain name argument in the EHLO command actually corresponds to the IP address of the client. However, if the verification fails, the server MUST NOT refuse to accept a message on that basis.

That said, it is common practice to do this anyway. The reality is that you will not have reliable email delivery unless the hostname your server issues in the EHLO command resolves to the servers IP address and the IP address resolves back to that same name.

That's Funny...

[Greyfox]

Speakeasy never had a problem setting my rdns records to whatever I asked them to when I was using them as an ISP with static IPs. Have you considered the possibility that your ISP sucks?

reverse dns bad. spamhaus bad

[jsprenkle]

Grey listing is much better.

I do this

I do this at a small business with a global customer base and have never (~5 years) had a single reported problem regarding rDNS.

Th reject rate is high (sorry don't have the stats here at home).
Another big spam killer is valid HELO hostnames.

Unreliable SMTP server

[tepples]

Please use your internet provider SMTP Server

So what should a customer do if the only cable or DSL ISP in an area has an unreliable SMTP server?

Re:Unreliable SMTP server

[GPLHost-Thomas]

Frankly, if your ISP:
- Is only providing dynamic IP
- Doesn't allow you to change the rDNS of your fixed IP
- Doesn't provide a free, reliable SMTP relay server

then shouldn't you consider changing to another ISP? If there's absolutely no other choice, you can probably rent a small MX relay.

Must the ISP also be clueful?

[tepples]

Does "clueful" also mean "happens to be located in an area with at least one clueful business-class ISP"? Based on other comments posted to this story, it appears not all ISPs offering a static IP are clueful enough to make RDNS easy for customers to configure.

The Angry Postmaster

I worked with a postmaster at an ISP that blocked mail from anyone without rDNS, busted HELO hostnames and a whole host of other tiny things. We got virtually no spam at all. We also had thousands of people complaining that they couldn't receive e-mail from "grandma" in the Philippines because they had no rDNS. I think there are more effective ways of combatting spam while minimizing impact on end users.

Use it and have a whitelist

I use it for years now and if a sender has a problem, phone in with error code, and I can add their server to our whitelist. (After trying to convince their admin to use it)
Best spam solution IMHO.

Even Better Question...

Rather than pay for a relay host, why not move your business to an ISP who will provide what you want?

rDNS is already a standard, no silver bullet

[digiz]

If you want your email server to actual deliver mail, rDNS is required as many major email providers like AOL and MSN/Hotmail now require them to even accept incoming connections. It doesn't matter what anyone thinks about it, it's already a standard because of this.

I would not configure any servers to reject mail outright originating from servers without rDNS though. As the OP notes there are some legit servers whose admins apparently did not get the memo or do not care about delivery rates (if your ISP will not allow valid rDNS switch hosts or sign up for a free Google Apps for your domain, your mail deliver rates will be absurdly low without rDNS). Like someone else suggested a SpamAssassin/SCL rule to put it in a Junk folder instead would allow the one off legit message to be retrieved.

Although still imperfect, DNSBLs like Spamhaus and Barracuda seem to be a safer method to block spammy servers outright.

Re:It is possible in all the situations that matte

[unencode200x]

Agreed, agreed. We support mail servers for many companies on, idk, maybe a dozen ISPs and a few data centers. Bottom line, you have to be persistent. Someone (probably with DNS admin in their title) can do it if you ask nicely :)

Understand what you're asking for.

1. Comcast, AOL, and a lot of other providers are rejecting mail for a non-existent PTR record. If you're requiring the existence of a PTR record, you aren't the only one. But don't confuse whether they should have a PTR with whether they are required to have one. This is fodder for spam filtering arguments going way back before me (I was a mail admin back in 2002-2004, and this was a recurring flame war then too).

2. The existence of a PTR record does not always correlate to a forward A record (ie, if host.example.com has the IP address 1.2.3.4, and 4.3.2.1.in-addr.arpa has the host as 4-3-2-1.some-isp.net, this is perfectly legit and very common. 4.3.2.1.in-addr.arpa does NOT have to point back to host.example.com, though it's still a good idea).

3. Any time you filter for spam based on any given criteria, you will encounter false positives. Period. Are there few enough false positives to be worth dealing with? Then configure mail server to accept mail from legitimate (but problematic) hosts on your whitelist before you blocking based on their DNS. Are there so many false positives that you are dealing with user complaints and exempting mail servers more often than getting real work done? Then drop that particular filter and try others.