[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The anti-abuse rDNS check that FTP gave up




On 10/5/11 6:24 PM, Keith Moore wrote:
On Oct 5, 2011, at 11:28 AM, Storz, Michael wrote:

Another name for the iprev test is "Forward Confirmed reverse DNS" (FCrDNS). With Postfix you configure it with the two commands

   reject_unknown_reverse_client_hostname
   reject_unknown_client_hostname

We use this check since years as our first defense against botnet spam with great success. In the last 7 days we rejected emails for nearly 22.000.000 recipients. 49% did not have a PTR record, 29% did not have a matching A record. Therefore the FCrDNS was responsible for 78% of all rejections. This means your statement, that this check is not working, is definitely not true.
This is a pretty ridiculous statement.  You use a dubious criterion to reject 78% of messages, and then you claim that because you did that, the check "works".

However you have to live with a moderately false positive rate. Before we implemented the check, we analyzed out traffic for 3 months and build an automatic whitelist with 4.000 wrongly configured MTAs.
There's absolutely nothing "wrongly configured" about an MTA that doesn't have a PTR record.

Since the beginning of the check we get about 1-2 false positives per week reported by our users. This second whitelist has 230 entries at the moment. This means about 4% of the MTAs we accept emails from are wrongly configured. We can live with that.
Just imagine how many wrongly rejected emails aren't reported.

Right. How many recipients know they should have received mail but didn't? And of those who notice, how many take the time/effort to report it? Multiply those percentages and you get an idea how many false positives you're missing.


Stupid spam filtering mechanisms are a DoS attack on email.

+1

/rolf