

To: Jim Reid <Jim.Reid@nominum.com>
cc: Andras Salamon <andras@dns.net>, <dnsop@cafax.se>
From: Dean Anderson <dean@av8.com>
Date: Mon, 24 Mar 2003 15:04:41 -0500 (EST)
In-Reply-To: <76854.1048531656@shell.nominum.com>
Sender: owner-dnsop@cafax.se
Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stop doing reverse for IPv6.

> You don't know what you're talking about. Unless you're the source of
> most of my spam, you have no idea of the characteristics of the
> spam traffic I get or what are the most effective ways to deal with
> it.

Spam, like most group phenomena, is roughly uniform, unless there is a
reason for it to be different, such as a targeted attack on a specific
site.  My spam statistics should be roughly the same as your spam
statistics given a sufficient sample size, unless for example, one of us
is being attacked. While attacks happen, they don't usually last long
enough to really skew the statistics, especially if they are identified
and removed. (e.g., 10,000 mails to dean@av8.net in 1 hour probably isn't
spam, in the ordinary sense, and shouldn't be counted). To obtain my
statistics, no spam is dropped or deleted. It is all saved.

> The majority of spam I receive comes from hosts that have no
> reverse DNS AT ALL. So far dropping SMTP connections from hosts with
> addresses where reverse lookups return NXDOMAIN or SERVFAIL has not
> caused a single false positive. Oh, and the heuristic I spoke about
> just tests the result of a reverse lookup. It doesn't "authenticate"
> that answer with what's in the SMTP dialogue or 822 headers.

If you are dropping connections based on no reverse DNS, then you don't
know whether the message you dropped was spam or ham. You are just
assuming it is a spam, and perhaps you are counting the number of
connections dropped.  You mention that dropping connections on SERVFAIL or
NXDOMAIN results in not a single false positive. Apparently, in your
universe, real nameservers don't fail.  In my universe, only 3 percent of
spams have bogus domains.  (Note that my queuing system described
previously will not bounce messages that have transient failures, unlike
yours.)

Today, I got 128 spams. (very little is from bona fide spamhouses). 19 had
no reverse. Blocking these 19 makes no difference.  However, a large amount
of non-spam email also has no matching reverse.  Blocking those does make a
difference, at least to most people, though perhaps not to everyone.

Further, as pointed out at the MIT anti-spam conference (which I
attended), people making claims like yours aren't really checking spam vs.
ham results, which is necessary to obtain results on effectiveness. Most
people simply put in some filters, which delete some mail, and they have
no idea how much of the deleted mail is spam, vs how much is ham.  When
you report "not a single false positive" you are just reporting your
confidence in your methods, not the true effectiveness of your methods.

> So my example shows that there are valid and reasonable uses for
> reverse lookups other than BSD rsh-style authentication which pretty
> much everyone accepts is a bad idea.

You are attempting to use DNS to make a decision about whether the person
communicating is a spammer. That is an authentication of the challenge
"Are you a spammer?".  DNS has no facility to make such an authentication
possible. Your assertion to the contrary is faulty. It does not represent
a valid use of Reverse.

		--Dean

On Mon, 24 Mar 2003, Jim Reid wrote:

> >>>>> "Dean" == Dean Anderson <dean@av8.com> writes:
>
>     Dean> This is essentially an authentication. However, it is also
>     Dean> based on a false premise, and one that actually blocks more
>     Dean> legitimate mail and little spam.  Most spam comes from
>     Dean> infected dialup hosts or rooted colo hosts, and today most
>     Dean> such hosts have trivial forward-reverse entries. So very
>     Dean> little spam is blocked using this "test".
>
> You don't know what you're talking about. Unless you're the source of
> most of my spam, you have no idea of the characteristics of the
> spam traffic I get or what are the most effective ways to deal with
> it. The majority of spam I receive comes from hosts that have no
> reverse DNS AT ALL. So far dropping SMTP connections from hosts with
> addresses where reverse lookups return NXDOMAIN or SERVFAIL has not
> caused a single false positive. Oh, and the heuristic I spoke about
> just tests the result of a reverse lookup. It doesn't "authenticate"
> that answer with what's in the SMTP dialogue or 822 headers.
>
> So my example shows that there are valid and reasonable uses for
> reverse lookups other than BSD rsh-style authentication which pretty
> much everyone accepts is a bad idea.
>
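The two points in dispute above (whether SERVFAIL should be treated like NXDOMAIN, and whether a "no false positives" claim can be made without labelling the rejected mail as spam or ham) can be made concrete with a small worked example. The script below is added here for illustration and is not code from either poster or from any mail system they describe; the reverse-lookup results, addresses, host names and spam/ham labels are all constructed so that it runs offline.

```python
"""
Added example (not from the dnsop thread or either poster): a reverse-DNS
connection policy that distinguishes NXDOMAIN from SERVFAIL, scored against
a constructed, hand-labelled sample so false positives become measurable.

Lookups are simulated; no resolver is contacted and every address, name
and label below is made up for the example.
"""
from collections import Counter
from enum import Enum


class RCode(Enum):
    NOERROR = "NOERROR"     # a PTR record exists
    NXDOMAIN = "NXDOMAIN"   # authoritative answer: no PTR
    SERVFAIL = "SERVFAIL"   # nameserver or transport failure, usually transient


# Constructed stand-in for a resolver (hypothetical data).
FAKE_PTR = {
    "192.0.2.10": (RCode.NOERROR, "mail.example.org"),
    "192.0.2.11": (RCode.NOERROR, "dsl-2-11.example.net"),
    "192.0.2.12": (RCode.NXDOMAIN, None),
    "192.0.2.13": (RCode.SERVFAIL, None),
    "192.0.2.14": (RCode.NXDOMAIN, None),
    "192.0.2.15": (RCode.NOERROR, "colo15.example.com"),
}


def reverse_lookup(ip):
    """Simulated PTR lookup; returns (rcode, name_or_None)."""
    return FAKE_PTR.get(ip, (RCode.SERVFAIL, None))


def policy_strict(rcode):
    """Policy as described in the quoted mail: reject on NXDOMAIN or SERVFAIL."""
    if rcode in (RCode.NXDOMAIN, RCode.SERVFAIL):
        return "550 reject"
    return "250 accept"


def policy_tempfail(rcode):
    """Variant reflecting the reply: a transient failure is deferred (4xx),
    not bounced, so a legitimate sender can retry once the nameserver recovers."""
    if rcode is RCode.NXDOMAIN:
        return "550 reject"
    if rcode is RCode.SERVFAIL:
        return "451 try again later"
    return "250 accept"


# Constructed, hand-labelled connections: (client ip, true label).
SAMPLE = [
    ("192.0.2.10", "ham"),
    ("192.0.2.11", "spam"),   # dialup-style PTR exists, still spam
    ("192.0.2.12", "spam"),
    ("192.0.2.13", "ham"),    # ham behind a failing nameserver
    ("192.0.2.14", "ham"),    # ham with no PTR at all
    ("192.0.2.15", "spam"),
]


def score(policy, sample=SAMPLE):
    """Tally (SMTP decision code, true label) pairs for a policy.

    A 'not a single false positive' claim is the ('550', 'ham') cell, and it
    can only be filled in when the true label of rejected mail is known.
    """
    counts = Counter()
    for ip, label in sample:
        rcode, _name = reverse_lookup(ip)
        code = policy(rcode).split(" ", 1)[0]   # "550", "451" or "250"
        counts[(code, label)] += 1
    return counts


def false_positives(policy, sample=SAMPLE):
    """Ham connections the policy permanently rejects."""
    return score(policy, sample)[("550", "ham")]


def spam_caught(policy, sample=SAMPLE):
    """Spam connections the policy permanently rejects."""
    return score(policy, sample)[("550", "spam")]


if __name__ == "__main__":
    for name, pol in (("strict", policy_strict), ("tempfail", policy_tempfail)):
        print(name, dict(score(pol)), "FP:", false_positives(pol),
              "caught:", spam_caught(pol))
```

On this constructed sample the strict policy rejects two ham connections (one with no PTR, one behind a failing nameserver) while catching one spam; deferring SERVFAIL with a 4xx drops the second false positive without losing any spam. The numbers mean nothing beyond the toy data; the point is that the `score` table is what a false-positive claim has to be read off, and it cannot be computed from a count of dropped connections alone.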
