Security Basics mailing list archives

Final Words on "Educating RDNS violators" - Debunking the Myths


From: LordInfidel () directionweb com
Date: Tue, 31 Aug 2004 17:38:56 -0400

There has been many a discussion on this list about RDNS relating to the
security of mail servers.  This is an attempt to dispel the myths that have
sprung up from this thread.

First off, the use of RDNS boils down to the prevention of spam.  Very few
valid reasons for the use of RDNS in SMTP communication exist, and general
security is not among those reasons.  This (spam prevention) is the main
reason why the developers of MTA products include it in their respective
packages (Exchange, procmail, qmail, sendmail, postfix).

With that said, I urge ~ALL~ readers of this list, regardless of whether you
are pro RDNS or con RDNS, to read the RFCs that govern e-mail transmissions,
RFC821 and RFC822 (superseded by 2822 and 2821), so that you can make a
well-informed decision on whether or not to implement RDNS.

http://www.faqs.org/rfcs/rfc2821.html; http://www.faqs.org/rfcs/rfc2822.html

Readers should pay particular attention to
http://www.faqs.org/rfcs/rfc2821.html Section 7.  Section 7 covers "Security
Considerations" regarding electronic mail transmissions.  Additional focus
should be turned to 7.7, as it sums up the use of mail servers better than I
could paraphrase it.

Additionally, the policy of rejecting e-mail for any reason is covered in
Section 5.2.5 of RFC1123, which, as I stated in a previous e-mail, covers
this quite explicitly.  Rejecting mail based on RDNS (aka the failure to
verify a mail server's identity) ~~~***VIOLATES***~~~ the RFC:
http://www.faqs.org/rfcs/rfc1123.html

Conclusion
----------
The architects of SMTP have made a clear statement on how SMTP transmissions
should be conducted in order for the internet to operate freely.  They
acknowledge a site owner's right to block traffic as they wish, but they do
not condone such actions, as it blocks the spirit and intent of the flow of
communication.


My Soapbox - if you care to listen to my spewage
-----------------------------------------------
When exploring security, I urge the readers of this list not to blindly
accept answers posted by anyone without first fully investigating the
effects of their recommendations.  If an answer that you are giving cannot
be verified by a known published valid security-related resource, then state
that it is just your opinion; don't present it as a hard fact.

Including references with your answers, be it a book or a URL, benefits
everyone and stops the spread of misinformation.  This list, after all, is
meant for educating.

Spam is a nuisance and there is a legitimate need to stop it.  Implementing
RDNS is not the answer, at least not yet.  I say not yet, because it
requires *ALL* ISPs, globally, to allow their customers to register
their (ISP customer) mail server's IP address into RDNS, regardless of whether
you are a home DSL/cable user or a business, for it to work.

~Basically, anyone with a static IP should be allowed to host an SMTP server
~AND~ register their IP into RDNS.  But that is just my opinion.  Others,
such as the creators of the DUL (dial-up users list), will tell you
otherwise.~

I'm not against using RDNS as a means of stopping spam or even as a means of
making sure a mail server is who it says it is.  But only if everyone who
wants to run a mail server has access to entering their IP into RDNS.

But until that day arrives, a better method of preventing spam is through the
use of the ORDB (ordb.org).  The ORDB (or Open Relay Database) is a project
that is dedicated to closing open relays.  An open relay allows any
unauthenticated access to the SMTP server, which in turn allows for
anonymous sending of e-mail.  Spammers prey on open relays, which are, most
of the time, just misconfigured mail servers.  These same misconfigured
mail servers are a threat to security since they can usually be easily taken
over.  I prefer (and recommend to others) limiting your exposure to mail
servers which are open relays.  Again, just my opinion.

The ORDB, unlike spam blacklists, has a simple requirement for removal:
stop being an open relay.  Support and use the ORDB; it is your friend (-;>.


----Additional basic reading for securing your mail servers, since you
already read this far------

1. At the bare minimum, the vendor's checklist for the OS and MTA you are
deploying.
2. At a minimum, purchase and read "Hacking Exposed (3rd or 4th edition)".
3. Extra reading: the Hacking Exposed series on your OS of choice (Linux, Win2K,
Server 2003, web apps).

LordInfidel
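As an added illustration of the two points the post contrasts (an open relay versus a relay policy that only accepts local or authenticated mail, with RDNS recorded as a signal rather than a rejection criterion), here is a small Python model. It is not code from the post or from any MTA; the PTR and A tables and the domain names are constructed stand-ins for real DNS lookups.

```python
from dataclasses import dataclass

# Constructed resolver tables standing in for real PTR and A lookups
# (assumption: a real deployment would query DNS instead of these dicts).
PTR = {"192.0.2.10": "mail.example.net", "192.0.2.20": "dyn-20.isp.example"}
A = {"mail.example.net": ["192.0.2.10"], "dyn-20.isp.example": ["198.51.100.7"]}

LOCAL_DOMAINS = {"example.org"}  # domains this MTA is the final destination for


def fcrdns(ip: str) -> str:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
    Returns 'ok', 'mismatch', or 'none' (no PTR record at all)."""
    name = PTR.get(ip)
    if name is None:
        return "none"
    return "ok" if ip in A.get(name, []) else "mismatch"


@dataclass
class Decision:
    action: str   # 'accept' or 'reject'
    reason: str
    rdns: str     # fcrdns() result, kept for logging and scoring only


def open_relay_policy(client_ip: str, authenticated: bool, rcpt_domain: str) -> Decision:
    """The misconfiguration: relay for any client, to any destination."""
    return Decision("accept", "relay for all", fcrdns(client_ip))


def hardened_policy(client_ip: str, authenticated: bool, rcpt_domain: str) -> Decision:
    """Relay only mail destined for local domains or sent by authenticated clients.
    The RDNS result is recorded but does not by itself cause a rejection."""
    rdns = fcrdns(client_ip)
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return Decision("accept", "local recipient", rdns)
    if authenticated:
        return Decision("accept", "authenticated submission", rdns)
    return Decision("reject", "relaying denied", rdns)
```

The open policy accepts an unauthenticated client sending to a foreign domain, which is exactly the behaviour the ORDB lists; the hardened one refuses it while still logging whether the client's reverse DNS checked out.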
