
| Subject: | RE: educating RDNS violators |
|---|---|
| Date: | Thu, 26 Aug 2004 00:26:49 -0400 |
Just throwing my 2 cents in on this one...

While I'll agree that spam is out of control, and while reverse DNS helps, it's not a sure-fire mechanism unless A) everyone is required to use it and B) anyone who wants to operate legitimately has the opportunity to register their IP in RDNS.

Besides the argument of "My ISP does not allow RDNS", more significantly, Reverse DNS is *NOT* a requirement for SMTP transmissions as per rfc822. However, the SMTP server having a valid FQDN that can be mapped to the same IP it is claiming to be coming from, via a lookup, *is* a requirement.

So until the IETF proposes a draft which revises the rfc, or it is superseded by another rfc, blocking SMTP servers based on lack of RDNS entries could be an "implied" violation of rfc822. Since it is not stated in the rfc that this (RDNS) is mandatory or recommended, one cannot assume that implementing it is ~not~ a violation of the rfc.

Personally, I view RDNS as I do spam filters and black-lists (not the ordb, mind you); if a company is willing to employ such measures then they must also be willing to accept that they will not be able to receive communication from other legitimate businesses, nor should they force said businesses to comply with guidelines not defined in the rfc.

The only exception to this would be Open-Relays, since the very nature of an open-relay violates well-known published security practices. Hence using a service such as the ordb would be an acceptable means of filtering traffic from known open-relays.

JMHO

LordInfidel

-----Original Message-----
From: Bryan S. Sampsel [mailto:bsampsel@libertyactivist.org]
Sent: Wednesday, August 25, 2004 4:39 PM
To: security-basics@securityfocus.com
Subject: Re: educating rDNS violators

I'd say a good chunk of what you're seeing with regards to reverse DNS not being set up has to do with the fact that folks are tired of fighting with ISPs when they leave and simply work with an outfit like Register.com, using the Register.com DNS servers for forward lookup. Right, wrong, or indifferent, you have to go to the IP block owner (like say Qwest) and get the reverse-DNS set up. That is not always particularly easy.

I'm not defending, simply explaining. Especially with the advent of cheap business class broadband, you're seeing far lower service levels than you used to with T1 circuits.

Just my observations...

Sincerely,

Bryan S. Sampsel
LibertyActivist.org
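The two checks this message contrasts (the HELO name mapping back to the connecting IP versus the presence of a PTR record), as an added example that is not part of the original post. The DNS tables, host names and the `classify`/`decide` helpers are constructed for illustration, and `require_rdns` is a hypothetical policy switch.

```python
import ipaddress

# Constructed sample DNS data (documentation IP ranges, example domains).
# In production the two lookups could be socket.gethostbyname_ex() and
# socket.gethostbyaddr(); tables are used here so the example runs offline.
FORWARD = {  # hostname -> A records
    "mail.example.org": ["192.0.2.10"],
    "mx.example.net": ["198.51.100.7"],
    "spoofed.example.com": ["203.0.113.99"],
}
REVERSE = {  # IP -> PTR names
    "192.0.2.10": ["mail.example.org."],
    "203.0.113.5": ["host5.example.com."],
}

def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def classify(client_ip, helo_name, forward=FORWARD, reverse=REVERSE):
    """Return (helo_maps_to_ip, rdns_state) for one SMTP connection.

    rdns_state is 'missing' (no PTR), 'unconfirmed' (PTR exists but its
    name does not resolve back to the IP) or 'confirmed'.
    """
    ip = str(ipaddress.ip_address(client_ip))  # raises ValueError on junk
    helo_ok = ip in forward.get(_norm(helo_name), [])
    ptrs = [_norm(p) for p in reverse.get(ip, [])]
    if not ptrs:
        rdns = "missing"
    elif any(ip in forward.get(p, []) for p in ptrs):
        rdns = "confirmed"
    else:
        rdns = "unconfirmed"
    return helo_ok, rdns

def decide(client_ip, helo_name, require_rdns=False):
    """Hypothetical receiver policy; require_rdns is the contested knob."""
    helo_ok, rdns = classify(client_ip, helo_name)
    if not helo_ok:
        return "reject: HELO name does not map to connecting IP"
    if require_rdns and rdns != "confirmed":
        return "reject: rDNS " + rdns
    return "accept"
```

The constructed host `mx.example.net`, which has a valid forward mapping but no PTR record, is accepted by default and lost once `require_rdns` is switched on.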