
Re: The anti-abuse rDNS check that FTP gave up




On 05/10/2011 16:28, Storz, Michael wrote:

Another name for the iprev test is "Forward Confirmed reverse DNS" (FCrDNS). With Postfix you configure it with the two commands

    reject_unknown_reverse_client_hostname
    reject_unknown_client_hostname

We have used this check for years as our first defense against botnet spam with great success. In the last 7 days we rejected emails for nearly 22.000.000 recipients. 49% did not have a PTR record, 29% did not have a matching A record.

Where does RFC 5321 say that a sending MTA needs a PTR record? (or even an A record?)

If it doesn't, then the lack of a PTR record does not indicate that the MTA is 'wrongly configured'.

Failing FCrDNS shouldn't be sufficient to reject mail. Lots of MTAs can't have a 'correct' reverse DNS entry, even if they have one at all. Use valid FCrDNS as a way of validating whitelist entries, but surely not for more than that.
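
The FCrDNS test discussed in this thread, as an added example that is not part of either message: it separates the "no PTR" and "no matching A record" outcomes and then uses a pass only to validate a whitelist entry. The function names, the stub resolvers and the DNS records are constructed for illustration, and temporary DNS failures are not modelled.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges only).
PTR = {
    "192.0.2.10": ["mail.example.org."],
    "192.0.2.20": ["host20.example.net."],   # PTR exists, forward points elsewhere
    "2001:db8::25": ["MX.Example.org."],
}
ADDR = {
    "mail.example.org": ["192.0.2.10"],
    "host20.example.net": ["198.51.100.7"],
    "mx.example.org": ["2001:0db8:0:0:0:0:0:25"],
}

def ptr_lookup(ip):          # hypothetical resolver stub: address -> names
    return PTR.get(ip, [])

def addr_lookup(name):       # hypothetical resolver stub: name -> addresses
    return ADDR.get(name, [])

def norm(name):
    """DNS names compare case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def fcrdns(client_ip, lookup_ptr=ptr_lookup, lookup_addr=addr_lookup):
    """Return (verdict, confirmed_name).
    'no_ptr'   : no address->name mapping (the case that
                 reject_unknown_reverse_client_hostname covers)
    'mismatch' : a PTR exists but no name resolves back to the client
                 (additionally covered by reject_unknown_client_hostname)
    'pass'     : some PTR name resolves back to the client address
    """
    ip = ipaddress.ip_address(client_ip)
    names = [norm(n) for n in lookup_ptr(str(ip))]
    if not names:
        return "no_ptr", None
    for name in names:
        for addr in lookup_addr(name):
            # Compare parsed addresses so IPv6 spellings do not matter.
            if ipaddress.ip_address(addr) == ip:
                return "pass", name
    return "mismatch", None

def whitelist_match(client_ip, allowed_domains):
    """Trust a whitelist entry only when the PTR name is forward-confirmed."""
    verdict, name = fcrdns(client_ip)
    if verdict != "pass":
        return False
    return any(name == d or name.endswith("." + d) for d in map(norm, allowed_domains))
```
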