[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: The anti-abuse rDNS check that FTP gave up

> On Oct 5, 2011, at 11:28 AM, Storz, Michael wrote:
> > Another name for the iprev test is "Forward Confirmed reverse DNS"
> (FCrDNS). With Postfix you configure it with the two commands
> >
> >   reject_unknown_reverse_client_hostname
> >   reject_unknown_client_hostname
> >
> > We use this check since years as our first defense against botnet
> spam with great success. In the last 7 days we rejected emails for
> nearly 22.000.000 recipients. 49% did not have a PTR record, 29% did
> not have a matching A record. Therefore the FCrDNS was responsible for
> 78% of all rejections. This means your statement, that this check is
> not working, is definitely not true.
> This is a pretty ridiculous statement.  You use a dubious criterion to
> reject 78% of messages, and then you claim that because you did that,
> the check "works".

Read the email, the statement of Valdis was,

"so most of Vint Cerf's famous 140 million compromised machines have an rDNS entry, which means it's not that effective anymore"

If thiswould be true, the FCrDNS check should only reject a very low percentage of "compromised machines". My statistic proves that this is not the case and on the contrary it is rejecting 78% which is a very high number. Therefore I say the check (still) works. BTW, if we would use the Spamhaus PBL as the first criterion, the rejection rate would be nearly 70% and the FCrDNS check would go down to a 20% rejection rate.

> > However you have to live with a moderately false positive rate.
> Before we implemented the check, we analyzed out traffic for 3 months
> and build an automatic whitelist with 4.000 wrongly configured MTAs.
> There's absolutely nothing "wrongly configured" about an MTA that
> doesn't have a PTR record.


in which world do you live? Many if not most of the major ISPs reject mail servers which do not have a PTR record. From the view of a customer this makes a mail server without a PTR record wrongly configured, even if you do not like this.

> > Since the beginning of the check we get about 1-2 false positives per
> week reported by our users. This second whitelist has 230 entries at
> the moment. This means about 4% of the MTAs we accept emails from are
> wrongly configured. We can live with that.
> Just imagine how many wrongly rejected emails aren't reported.

If one of our user wants an email they are pretty fast in reporting a reject.

> Stupid spam filtering mechanisms are a DoS attack on email.

Right, but this mechanism is not stupid, instead it is clever ;-) It does not relate to spam, it does not relate to IP reputation etc., it is just a configuration issue which in most cases can be corrected easily by the admin of the mail server. 

> Keith