From: Kurtis D. Rader (no email)
Date: Sat Jan 03 2004 - 23:11:35 EST

On Fri, 2004-01-02 20:58:50, Peter H. Coffin wrote:
> First off, the first thing a mail server needs to do during an SMTP
> connection is IDENTIFY itself, and the realistic situation that we face
> today is that that mail server had better identify itself how the smtpd
> server sees it. Which, frankly, means that that NATted SMTP server needs
> to identify itself DIFFERENTLY depending on where it's connecting. RFCs
> may say otherwise, but I know *my* Postfix installation is going to
> refuse service from anything claiming to be a host that I can't verify.
> Which also means that all kinds of preset variables that make sense for
> an internal net ($myhostname, etc) are wrong for the NATted connection,
> and have to be custom-crafted.

It would be trivial for me to reconfigure my Postfix installation
to identify itself as 216-99-206-50.cust.aracnet.com in its HELO
command. But note that I'm still going to be advertising the sender
as FROM a @skepticism.us or @sysperf.org address. Which are both
domains with valid whois information that resolve to the address
216.99.205.50. So what exactly does your restriction accomplish?

Note that you can verify my hostname. Furthermore, you can verify that
it evaluates to the same IP address that is connecting to you. What it
does not do is evaluate to a hostname obtained from a rDNS lookup. But
that's simply because I didn't want to impose on my ISP.

I'm as frustrated by spam as anyone. I'm currently receiving more than
100 spam emails each and every day. And that count doesn't include
those that are blocked by the few RBLs and other restrictions I use. But
the rDNS checks I see people using don't help. Any spammer using a
"bulletproof" hosting service should have no problem establishing the
appropriate DNS PTR records to foil rDNS checks. Similarly, any spammer
using hijacked PCs as open relays won't find it difficult to employ a
trojan written by a competent programmer who uses the hostname that
it obtained from a rDNS lookup in its HELO command. These rDNS
restrictions will eliminate very little spam (over the long run) and
cause needless grief to people with vanity domains or that are running
small projects (e.g., my Linux system performance monitoring tool I'll
be hosting at sysperf.org).

> Heh. PIX Fixup, anyone?

Exactly. All software has flaws. Including that from companies with
competent engineers such as Cisco.

-- Kurtis D. Rader +1 503-531-8274
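
The two HELO checks contrasted in this message, as an added example that is not part of the original post: forward confirmation (the HELO name resolves to the connecting address) versus requiring the HELO name to equal the PTR name. The lookup tables, hostnames and addresses are constructed stand-ins for DNS, and the function names are hypothetical.

```python
# Constructed zone data (RFC 2606 names, RFC 5737 addresses) standing in for DNS.
A_RECORDS = {
    "mail.vanity.example": {"192.0.2.50"},           # vanity domain on an ISP line
    "192-0-2-50.cust.isp.example": {"192.0.2.50"},   # ISP's generic customer name
    "relay.bulk.example": {"198.51.100.7"},          # sender that controls its own PTR
}
PTR_RECORDS = {
    "192.0.2.50": "192-0-2-50.cust.isp.example",
    "198.51.100.7": "relay.bulk.example",
}


def _norm(name):
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.lower().rstrip(".")


def helo_forward_confirmed(helo, client_ip, a_records=A_RECORDS):
    """True when an A lookup of the HELO name yields the connecting address."""
    return client_ip in a_records.get(_norm(helo), set())


def helo_matches_ptr(helo, client_ip, ptr_records=PTR_RECORDS):
    """True when the PTR name of the connecting address equals the HELO name."""
    ptr = ptr_records.get(client_ip)
    return ptr is not None and _norm(ptr) == _norm(helo)


def evaluate(helo, client_ip):
    """Return both verdicts so the two policies can be compared side by side."""
    return {
        "forward_confirmed": helo_forward_confirmed(helo, client_ip),
        "matches_ptr": helo_matches_ptr(helo, client_ip),
    }


if __name__ == "__main__":
    sessions = [
        ("mail.vanity.example", "192.0.2.50"),          # verifiable, but PTR differs
        ("192-0-2-50.cust.isp.example", "192.0.2.50"),  # same host using the ISP name
        ("relay.bulk.example", "198.51.100.7"),         # PTR set up by the sender
        ("mail.vanity.example", "198.51.100.7"),        # name does not map to this IP
    ]
    for helo, ip in sessions:
        print(f"{ip:<14} HELO {helo:<30} {evaluate(helo, ip)}")
```

Only the first session is treated differently by the two policies: its HELO name verifies against the connecting address, yet a PTR-equality rule turns it away, while the session whose sender controls its own PTR record passes both.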