Slashdot Mirror


Ask Slashdot: Is Reverse DNS a Worthy Standard For Fighting Spam?

drmartin66 makes it to the front page with this question: "Last weekend I installed a new spam filter server for a client, and enabled connection rejection if the sending server did not have a Reverse DNS record. Since then, I have had a number of emails rejected from regulator bodies that do not have a Reverse DNS record, and are refusing to have one created for their email server. What is your opinion of Reverse DNS records? Are they (or should they be) a standard, and required? Or are they useless for spam fighting?"

4 of 301 comments

  1. Re:Better Question... by Anonymous Coward · · Score: 1, Informative

    Because many small businesses have no control over DNS. Try calling the Mumbai office of ATT and getting them to even understand what you are talking about. I have seen some SMTP servers reject mail if the PTR does not exactly match the name of the server.

  2. Get another one, then. by khasim · · Score: 3, Informative

    If email is important to your organization then the cost of a correctly configured mail server is insignificant.

    Seriously, your email server can be anywhere in the world. There's no reason that you have to go through a specific ISP. Even if they're blocking port 25, you can get a different ISP to accept mail from you on a different port. Even Google offers that option.

  3. Re:Better Question... by omnichad · · Score: 3, Informative

    You don't need IP delegation. Most ISPs offering business class Internet will just set the reverse DNS records up for you on your static IP address. Yes, you have to get in touch with their support, and yes, you have to get a rep that knows what you're talking about - but there's typically not even an extra charge.

  4. Re:Depends on how badly you want mail.... by Just Some Guy · · Score: 5, Informative

    It's been a long time since I wrote up some spam-filtering instructions, but I'd still stand by most of my recommendations. In general, yes: just increase the spam score. I do have several litmus tests, though. If you fail one of these, I'm not accepting your mail:

    • Your HELO has to send something that actually looks like a hostname. "server" doesn't work, and neither does "5626^^^". Rationale: a server this badly misconfigured is either a spambot or so horribly broken that I don't want to talk to it. I look at the output of this rule from my logs and I've literally never seen anything blocked that looked like it might have been legitimate.
    • Don't send me my own hostname in the HELO. You're lying. The only reason to do this is to trick me into relaying for you.
    • Don't send mail From: an unresolvable address. "someone@server" isn't a legitimate email address. Neither is "joe@nonexistent.example.com". If it would be impossible to send you a reply because the address you've given can't possibly be valid, I don't need to hear from you.
    • I use zen.spamhaus.org, bl.spamcop.net, and b.barracudacentral.org to generate a likely spam score for incoming servers. If their combined score exceeds a certain threshold, I outright block email from that server. A server might accidentally end up on a blacklist, but it's unlikely that one would accidentally end up on more than one of those (in my opinion and experience) very conservative lists.

    "Be liberal with what you accept" is a great idea to a point, but there are some things that correlate very strongly with spamminess. Back to the subject at hand: I don't think that lack of reverse DNS is one of those things.

    --
    Dewey, what part of this looks like authorities should be involved?
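
The four litmus tests from the comment above, sketched as an added example (not the commenter's own configuration). The DNSBL weights, the threshold, the reading of "looks like a hostname" as two or more valid labels, the pass for an empty sender, and all names and addresses in the sample data are assumptions; DNS is injected as a `resolves(name)` callable so the logic runs offline.

```python
import re

# RFC 1123 label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Zones are the ones named in the comment; weights and threshold are assumed.
DNSBL_WEIGHTS = {"zen.spamhaus.org": 1, "bl.spamcop.net": 1,
                 "b.barracudacentral.org": 1}
THRESHOLD = 1  # block when the combined score exceeds this (listed on 2+)

def looks_like_hostname(name):
    """Assumed reading of 'looks like a hostname': two or more valid labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels)

def dnsbl_name(ip, zone):
    """IPv4 DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_connection(ip, helo, mail_from, my_hostname, resolves):
    """Return (verdict, reason); resolves(name) -> bool is the DNS lookup."""
    if not looks_like_hostname(helo):
        return ("reject", "HELO is not a hostname")
    if helo.rstrip(".").lower() == my_hostname.lower():
        return ("reject", "HELO claims to be this server")
    # Empty sender is the null reverse-path used by bounces; let it through.
    domain = mail_from.rpartition("@")[2]
    if mail_from and not resolves(domain):
        return ("reject", "sender domain does not resolve")
    score = sum(w for zone, w in DNSBL_WEIGHTS.items()
                if resolves(dnsbl_name(ip, zone)))
    verdict = "reject" if score > THRESHOLD else "accept"
    return (verdict, f"DNSBL score {score}")

# Constructed stand-in for DNS so the example runs offline (not real listings).
CONSTRUCTED_DNS = {
    "mail.example.org", "example.org",
    "7.2.0.192.zen.spamhaus.org", "7.2.0.192.bl.spamcop.net",
    "8.2.0.192.bl.spamcop.net",
}

if __name__ == "__main__":
    dns = CONSTRUCTED_DNS.__contains__
    for ip, helo, sender in [
        ("192.0.2.1", "server", "joe@example.org"),
        ("192.0.2.1", "mx.example.net", "joe@example.org"),
        ("192.0.2.1", "mail.example.org", "someone@server"),
        ("192.0.2.7", "mail.example.org", "joe@example.org"),
        ("192.0.2.8", "mail.example.org", "joe@example.org"),
    ]:
        print(ip, helo, sender, check_connection(ip, helo, sender, "mx.example.net", dns))
```

A server listed on a single blocklist (192.0.2.8 in the constructed data) is still accepted, and a missing PTR record plays no part in the decision, matching the comment's position.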