To: Jim Reid <Jim.Reid@nominum.com>
cc: Andras Salamon <andras@dns.net>, <dnsop@cafax.se>
From: Dean Anderson <dean@av8.com>
Date: Mon, 24 Mar 2003 11:51:15 -0500 (EST)
In-Reply-To: <61589.1048455017@shell.nominum.com>
Sender: owner-dnsop@cafax.se
Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stop doing reverse for IPv6.

This is essentially an authentication. However, it is also based on a false premise, and one that actually blocks more legitimate mail and little spam. Most spam comes from infected dialup hosts or rooted colo hosts, and today most such hosts have trivial forward-reverse entries. So very little spam is blocked using this "test". Though perhaps years ago, this was a rough approximation of dialup.

However, what is more common today are multihomed mailservers where forward and reverse don't necessarily match. This results in "ham" that is blocked.

Spammers typically have no choice in the DNS configuration, so there is no correlation between lack of reverse or the presence of reverse, and sending spam. In the case of bona fide spamhouses, they have delegated blocks and control of both forward and reverse, which are typically set up to satisfy this so-called test.

Few people today use this test for mail, as a result. In time, the trend in trivial reverse will result in _only_ ham being blocked.

Another DNS-related "heuristic" was domain checking. Out of roughly 100 spams per day, I get only about 3 that don't have valid domains on return addresses. (I check this by accepting everything on inbound, and not accepting bad domains on delivery. This results in a bounce, and I count the bounces.) So only about 3 percent of the spam has invalid domains. This isn't a useful heuristic, either.

DNS is not a useful anti-spam tool. All users (even spammers) are (presently) authorized customers of ISPs, and may have access to valid DNS domains.

This is slightly off-topic, though useful as an example of the misapplication of assumptions about DNS. However, if you are interested in the topic of spam control, I suggest you review the material from the MIT anti-spam conference at www.spamconference.org.

--Dean

On Sun, 23 Mar 2003, Jim Reid wrote:

> Reverse DNS does have uses, even for IPv6. They are not necessarily
> related to authentication. When reverse lookups of the hosts sending
> me email don't work, this is almost always an indication of spam. It
> would be nice to use this heuristic as the first line of defence
> against spam in an IPv6 world.
> #----------------------------------------------------------------------
> # To unsubscribe, send a message to <dnsop-request@cafax.se>.
> #----------------------------------------------------------------------
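
Added example, not part of the original message or thread: a forward-confirmed reverse DNS check of the kind debated above, run over constructed zone data for IPv4 and IPv6 senders. All addresses (documentation ranges), host names and the sample connections are assumptions made up to show the mechanism; the tally is not a measurement.

```python
import ipaddress

# Constructed zone data (documentation address ranges, example names).
PTR = {}   # reverse name (in-addr.arpa / ip6.arpa) -> host name
ADDR = {}  # host name -> set of addresses (A / AAAA records)

def add_ptr(ip, name):
    PTR[ipaddress.ip_address(ip).reverse_pointer] = name

def add_addr(name, *ips):
    ADDR.setdefault(name, set()).update(ipaddress.ip_address(i) for i in ips)

# Infected dialup host: the ISP auto-generates matching forward and reverse.
add_ptr("192.0.2.45", "dyn-45.isp.example")
add_addr("dyn-45.isp.example", "192.0.2.45")
# Multihomed mail server: the name resolves to the inbound address only,
# while mail leaves from a second interface.
add_ptr("198.51.100.7", "mail.corp.example")
add_addr("mail.corp.example", "203.0.113.7")
# IPv6 mail host with matching ip6.arpa and AAAA data.
add_ptr("2001:db8::25", "mx6.corp.example")
add_addr("mx6.corp.example", "2001:db8::25")

def fcrdns(ip):
    """Return 'no-ptr', 'mismatch' or 'match' for a connecting address."""
    addr = ipaddress.ip_address(ip)
    name = PTR.get(addr.reverse_pointer)
    if name is None:
        return "no-ptr"
    return "match" if addr in ADDR.get(name, set()) else "mismatch"

# Constructed connections: (source address, what the mail actually was).
SAMPLE = [
    ("192.0.2.45", "spam"),
    ("198.51.100.7", "ham"),
    ("2001:db8::25", "ham"),
    ("2001:db8::99", "ham"),  # no ip6.arpa data published at all
]

def tally(sample):
    """Count outcomes of rejecting every sender that is not a 'match'."""
    out = {"spam_accepted": 0, "spam_rejected": 0,
           "ham_accepted": 0, "ham_rejected": 0}
    for ip, kind in sample:
        verdict = "accepted" if fcrdns(ip) == "match" else "rejected"
        out[f"{kind}_{verdict}"] += 1
    return out

if __name__ == "__main__":
    for ip, kind in SAMPLE:
        print(ip, kind, fcrdns(ip))
    print(tally(SAMPLE))
```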