is rejecting SMTP traf from unresolv hosts legitim/usefull?

older
RE: [suse-security] Limit Squid...

lars＠newsone.org

12 Nov 2001 12 Nov '01

11:05

hi, my postfix is configured to reject incommimg traffic from unknown hosts. I found rejected traffic from an ip, which resolves to an official name, at least with nslookup <ipnum>. now when I do a reverse lookup, nslookup <hostname> it says domain not found. hostname beginns with digits and is therefore not rfc conform (?). there is no point in rejecting mail from users (customers), with the message "hey, you got no DNS entry" when they come the other day telling me they got one (but not rfc conform), and if I dont accept it, they change to some other at the far end. but I do not want to relay spammers... what is the background, and should I do something about it? thanks, lars

Show replies by date

Sven Michels

12 Nov 12 Nov

13:50

New subject: [suse-security] is rejecting SMTP traf from unresolv hosts legitim/usefull?

lars@newsone.org wrote:

...

hi,

my postfix is configured to reject incommimg traffic from unknown hosts. I found rejected traffic from an ip, which resolves to an official name, at least with nslookup <ipnum>. now when I do a reverse lookup, nslookup <hostname> it says domain not found. hostname beginns with digits and is therefore not rfc conform (?).

there is no point in rejecting mail from users (customers), with the message "hey, you got no DNS entry" when they come the other day telling me they got one (but not rfc conform), and if I dont accept it, they change to some other at the far end. but I do not want to relay spammers...

what is the background, and should I do something about it?

the world is evil. a host without a valid hostname or reverse lookup isn't really hard to get normaly, but many ppl. don't have. So if you reject mail from unknown hosts, you _may_ reject many legitimate mails. If you want to stop spam, try to use some dns rbl domains but be carefull with that. You can also write a script which will run every day (night) that parses the maillog and create some mails with informations why the mail was rejected (maybe also to the user who should recive the mail) -- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.

Boris Lorenz

17:24

New subject: [suse-security] is rejecting SMTP traf from unresolv hosts l

Yup, On 12-Nov-01 Sven Michels wrote:

...

lars@newsone.org wrote:

...
hi,

my postfix is configured to reject incommimg traffic from unknown hosts. I found rejected traffic from an ip, which resolves to an official name, at least with nslookup <ipnum>. now when I do a reverse lookup, nslookup <hostname> it says domain not found. hostname beginns with digits and is therefore not rfc conform (?).

there is no point in rejecting mail from users (customers), with the message "hey, you got no DNS entry" when they come the other day telling me they got one (but not rfc conform), and if I dont accept it, they change to some other at the far end. but I do not want to relay spammers...

what is the background, and should I do something about it?

the world is evil. a host without a valid hostname or reverse lookup isn't really hard to get normaly, but many ppl. don't have. So if you reject mail from unknown hosts, you _may_ reject many legitimate mails. If you want to stop spam, try to use some dns rbl domains but be carefull with that. You can also write a script which will run every day (night) that parses the maillog and create some mails with informations why the mail was rejected (maybe also to the user who should recive the mail)

I agree with you to some extend. My 0.02c: A host with a broken FQDN or no FQDN at all should *not* be allowed to take part in normal smtp traffic. If some admin/provider/whatever is unable to create proper forward and reverse DNS and MX zones/entries for a domain, he/she should go baking cookies for christmas instead, sorry. The benefits of blocking unresolveable/badly named hosts outweight the occassional loss of some dude@<enter your fav crappy fqdn here>.com-mails. If I would let pass mails with unresolveable/suspicious domains, I would get roughly 50% more spam than with the block. If I have the time, I usually drop the domain admins a lil' mail, informing them about their DNS problems. I may be anal about this, but thanks to these and other strict precautions, our spam traffic volume is near zero.

...

intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.

Boris Lorenz ---

Togan Muftuoglu

17:01

New subject: [suse-security] is rejecting SMTP traf from unresolv hosts l

* Boris Lorenz; on 12 Nov, 2001 wrote:

...

I agree with you to some extend.

My 0.02c: A host with a broken FQDN or no FQDN at all should *not* be allowed to take part in normal smtp traffic. If some admin/provider/whatever is unable to create proper forward and reverse DNS and MX zones/entries for a domain, he/she should go baking cookies for christmas instead, sorry.

yes but what happens if you have a lousy provider who has not implemented the reverse dns for your ip, can you force him to set it ? -- Togan Muftuoglu

Gerhard Sittig

21:10

New subject: [suse-security] is rejecting SMTP traf from unresolv hosts l

On Mon, Nov 12, 2001 at 19:01 +0200, Togan Muftuoglu wrote:

...

* Boris Lorenz; on 12 Nov, 2001 wrote:

...
I agree with you to some extend.

My 0.02c: A host with a broken FQDN or no FQDN at all should *not* be allowed to take part in normal smtp traffic. If some admin/provider/whatever is unable to create proper forward and reverse DNS and MX zones/entries for a domain, he/she should go baking cookies for christmas instead, sorry.

yes but what happens if you have a lousy provider who has not implemented the reverse dns for your ip, can you force him to set it ?

Yes you can. By "voting with your wallet / your feet". Just as you don't buy crappy software or hardware (and maybe tell the vendor why you cannot buy his stuff but instead take your money elsewhere) you can choose to not accept a service provider(!) who doesn't even provide most common basics. :> If more customers would act this way there would be less nonsense produced and sold since there's no place on the market ... (yes, I know -- it's just dreaming). virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you.

Sven Michels

13 Nov 13 Nov

10:00

New subject: [suse-security] is rejecting SMTP traf from unresolv hosts l

Boris Lorenz wrote:

...

I agree with you to some extend.

My 0.02c: A host with a broken FQDN or no FQDN at all should *not* be allowed to take part in normal smtp traffic. If some admin/provider/whatever is unable to create proper forward and reverse DNS and MX zones/entries for a domain, he/she should go baking cookies for christmas instead, sorry.

thats also my point of view, but if you're in a business, you can't deal this way. Your Customers NEED to contact you. Many of them are not able to configure DNS the right way. So if you block them, you'll never get their money ;)

...

The benefits of blocking unresolveable/badly named hosts outweight the occassional loss of some dude@<enter your fav crappy fqdn here>.com-mails.

ack.

...

If I would let pass mails with unresolveable/suspicious domains, I would get roughly 50% more spam than with the block. half ack. many spam is delivered over 'good' configurated mailservers WITH fqdn and reverse DNS. You have to deal with it. grep your logs after connections from unknown hosts and look how many legitimate mail is included.

...

If I have the time, I usually drop the domain admins a lil' mail, informing them about their DNS problems.

good. that can also be done by a script. the problem is that many domain admins aren't agree with you :( Things like: 'your mailsetup is broken, the sender domain exists and has a/mx records.' are the most used respons ;)

...

I may be anal about this, but thanks to these and other strict precautions, our spam traffic volume is near zero.

Spam filtering is not easy, you need really to figure out how many spam and how many legitimate mail youre blocking. if thats ok for you to block 1-5 good ppl and 10-50 bad ppl, do it :) just my 0.02c -- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.

Boris Lorenz

11:38

New subject: [suse-security] is rejecting SMTP traf from unresolv hosts l

Huhu, On 13-Nov-01 Sven Michels wrote:

...

Boris Lorenz wrote:

...
I agree with you to some extend.

My 0.02c: A host with a broken FQDN or no FQDN at all should *not* be allowed to take part in normal smtp traffic. If some admin/provider/whatever is unable to create proper forward and reverse DNS and MX zones/entries for a domain, he/she should go baking cookies for christmas instead, sorry.

thats also my point of view, but if you're in a business, you can't deal this way. Your Customers NEED to contact you. Many of them are not able to configure DNS the right way. So if you block them, you'll never get their money ;)

Agreed! LOL :) [...]

...

...
If I would let pass mails with unresolveable/suspicious domains, I would get roughly 50% more spam than with the block. half ack. many spam is delivered over 'good' configurated mailservers WITH fqdn and reverse DNS. You have to deal with it. grep your logs after connections from unknown hosts and look how many legitimate mail is included.

Yep, I create some mail stats on a regular basis (twice a month), and as of now, roughly 3-4% of known-good mails are rejected. Rather a lot. That's why I have to write many "hey-your-MX-sucks" mails... ;)

...

...
If I have the time, I usually drop the domain admins a lil' mail, informing them about their DNS problems.

good. that can also be done by a script. the problem is that many domain admins aren't agree with you :( Things like: 'your mailsetup is broken, the sender domain exists and has a/mx records.' are the most used respons ;)

Oh yeah, I have enough of mails like this in my archives... I often found myself in the mids of heated debates about the domain name system with some ppl (admins?), although I don't see any argueable parts in it. Perhaps I should change from Aspirine to Prozac.

...

...
I may be anal about this, but thanks to these and other strict precautions, our spam traffic volume is near zero.

Spam filtering is not easy, you need really to figure out how many spam and how many legitimate mail youre blocking. if thats ok for you to block 1-5 good ppl and 10-50 bad ppl, do it :)

Well, I got less than 10% noise in my usual mail traffic (see above), but I agree with you, anti-spam isn't kids play, at least not if you want to tune things finely and not just raise some block-all-and-log walls.

...

Junk mail is war. RFCs do not apply.

:) Yep. That's why I act against some RFCs and also block mails with empty sender lines. Which is much fun for recipients of certain, uh, "leisure-oriented" spare-time list mails (Horoscopes, party tips, news flashes, erotica, you know the score...). Boris Lorenz ---

Sven Michels

10:54

New subject: [suse-security] is rejecting SMTP traf from unresolv hosts l

Aloha :) Boris Lorenz wrote:

...

...
thats also my point of view, but if you're in a business, you can't deal this way. Your Customers NEED to contact you. Many of them are not able to configure DNS the right way. So if you block them, you'll never get their money ;)

Agreed! LOL :) ;-) ... all you need is .. lo aeh money ;-)

...

...
good. that can also be done by a script. the problem is that many domain admins aren't agree with you :( Things like: 'your mailsetup is broken, the sender domain exists and has a/mx records.' are the most used respons ;)

Oh yeah, I have enough of mails like this in my archives... I often found myself in the mids of heated debates about the domain name system with some ppl (admins?), although I don't see any argueable parts in it.

maybe they'll learn someday .. never give up hope :)

...

Perhaps I should change from Aspirine to Prozac.

drugs are not the right way! (but some things looks funnier with it ;)

...

...
Spam filtering is not easy, you need really to figure out how many spam and how many legitimate mail youre blocking. if thats ok for you to block 1-5 good ppl and 10-50 bad ppl, do it :)

Well, I got less than 10% noise in my usual mail traffic (see above), but I agree with you, anti-spam isn't kids play, at least not if you want to tune things finely and not just raise some block-all-and-log walls.

right. if you first block all you become and aministration nightmare and angry ppl all around. The important point is to figure out what you need and how you can deal with reality and your needs :)

...

...
Junk mail is war. RFCs do not apply.

:) Yep. That's why I act against some RFCs and also block mails with empty sender lines. Which is much fun for recipients of certain, uh, "leisure-oriented" spare-time list mails (Horoscopes, party tips, news flashes, erotica, you know the score...).

MAIL FROM:<> is _NO_ reason for passing anti spam restrictions ;) maybe, in a world where every admin know what he's doing and all ppl would be able to configure there MUA / MTA / DNS etc. correctly we don't have spam anymore :) -- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.

8206

Age (days ago)

8207

Last active (days ago)

List overview

Download

7 comments

5 participants

participants (5)

Boris Lorenz
Gerhard Sittig
lars＠newsone.org
Sven Michels
Togan Muftuoglu