Security Basics mailing list archives
Final Words on "Educating RDNS violators" - Debunking the Myth's
From: LordInfidel () directionweb com
Date: Tue, 31 Aug 2004 17:38:56 -0400
There have been many discussions on this list about RDNS relating to the security of mail servers. This is an attempt to dispel the myths that have sprung up from this thread.

First off, the use of RDNS boils down to the prevention of spam. Very few valid reasons for the use of RDNS in SMTP communication exist, and general security is not among those reasons. This (spam prevention) is the main reason why the developers of MTA products include it in their respective packages (Exchange, procmail, qmail, sendmail, postfix).

With that said, I urge ~ALL~ readers of this list, regardless of whether you are pro RDNS or con RDNS, to read the RFCs that govern e-mail transmissions, RFC821 and RFC822 (superseded by 2822 and 2821), so that you can make a well informed decision on whether or not to implement RDNS.

http://www.faqs.org/rfcs/rfc2821.html
http://www.faqs.org/rfcs/rfc2822.html

Readers should pay particular attention to http://www.faqs.org/rfcs/rfc2821.html Section 7. Section 7 covers "Security Considerations" regarding electronic mail transmissions. Additional focus should be turned to 7.7, as it sums up the use of mail servers better than I could paraphrase it.

Additionally, the policy of rejecting e-mail for any reason is covered in Section 5.2.5 of RFC1123, which, as I stated in a previous e-mail, covers this quite explicitly. Rejecting mail based on RDNS (aka the failure to verify a mail server's identity) ~~~***VIOLATES***~~~ the RFC:
http://www.faqs.org/rfcs/rfc1123.html

Conclusion
----------
The architects of SMTP have made a clear statement on how SMTP transmissions should be conducted in order for the internet to operate freely. They acknowledge a site owner's right to block traffic as they wish, but they do not condone such actions, as it blocks the spirit and intent of the flow of communication.

My Soapbox - if you care to listen to my spewage
-----------------------------------------------
When exploring security, I urge the readers of this list not to blindly accept answers posted by anyone without first fully investigating the effects of their recommendations. If an answer that you are giving cannot be verified by a known published valid security related resource, then state that it is just your opinion; don't present it as a hard fact. Including references to your answers, be it a book or a URL, benefits everyone and stops the spread of misinformation. This list, after all, is meant for educating.

Spam is a nuisance and there is a legitimate need to stop it. Implementing RDNS is not the answer, at least not yet. I say not yet, because it requires *ALL* ISPs, globally, to allow their customers to register their (ISP customer) mail server's IP address into RDNS, regardless of whether you are a home DSL/cable user or a business, for it to work.

~Basically, anyone with a static IP should be allowed to host an SMTP server ~AND~ register their IP into RDNS. But that is just my opinion. Others, such as the creators of the DUL (dial-up users list), will tell you otherwise.~

I'm not against using RDNS as a means of stopping spam, or even as a means of making sure a mail server is who it says it is, but only if everyone who wants to run a mail server has access to entering their IP into RDNS. Until that day arrives, a better method of preventing spam is through the use of the ordb (ordb.org). The ordb (or open-relay database) is a project that is dedicated to closing open relays. An open relay allows any unauthenticated access to the SMTP server, which in turn allows for anonymous sending of e-mail. Spammers prey on open relays, which are, most of the time, just misconfigured mail servers. These same misconfigured mail servers are a threat to security since they can usually be easily taken over.

I prefer (and recommend to others) to limit your exposure to mail servers which are open relays. Again, just my opinion. The ordb, unlike spam blacklists, has a simple requirement for removal: stop being an open relay. Support and use the ordb, it is your friend (-;>.

Additional basic reading for securing your mail servers, since you already read this far
----------------------------------------------------------------------------------------
1. At the bare minimum, the vendor's checklist for the OS and MTA you are deploying.
2. At a minimum, purchase and read "Hacking Exposed" (3rd or 4th edition).
3. Extra reading: the Hacking Exposed series on your OS of choice (Linux, Win2k, Server 2003, web apps).

LordInfidel
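The post contrasts two checks an MTA can run on a connecting peer: reverse DNS (does the IP have a PTR, and does that name resolve forward to the same IP, i.e. forward-confirmed rDNS) and an open-relay DNSBL lookup (the reversed-octet query that lists such as the ordb used). The following is an added example, not code from the original post, showing both pieces of logic with an in-memory stub resolver and constructed records so it runs offline; a real MTA filter would replace StubResolver with the system resolver or a DNS library. The addresses, hostnames and the "dnsbl.example." zone are constructed placeholders (ordb.org itself ceased operation in 2006, so no live zone is used). In line with the author's reading of RFC1123, an rDNS failure only tags the message, while a DNSBL listing is treated as grounds for rejection.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and DNSBL query construction.

Everything below uses constructed sample data so it runs without network
access; only the lookup logic is meant to be reused.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed PTR records (hypothetical, not real hosts).
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.net."],  # PTR present, forward lookup matches
    "192.0.2.20": ["mx.example.org."],    # PTR present, forward lookup does NOT match
    # "192.0.2.30" deliberately has no PTR record at all
}
# Constructed A records for the names above.
SAMPLE_A = {
    "mail.example.net.": ["192.0.2.10"],
    "mx.example.org.": ["198.51.100.5"],
}
# Constructed DNSBL zone: a listed address answers with 127.0.0.2.
SAMPLE_DNSBL = {
    "20.2.0.192.dnsbl.example.": ["127.0.0.2"],
}


class StubResolver:
    """Resolver over the constructed tables. A deployment would instead use
    socket.gethostbyaddr / dnspython against the real DNS."""

    def ptr(self, ip):
        return SAMPLE_PTR.get(ip, [])

    def a(self, name):
        return SAMPLE_A.get(name, [])

    def dnsbl(self, qname):
        return SAMPLE_DNSBL.get(qname, [])


@dataclass
class RdnsResult:
    ip: str
    ptr_names: list = field(default_factory=list)
    confirmed: bool = False   # True when some PTR name resolves forward to ip
    reason: str = ""


def reverse_name(ip, zone):
    """Reversed-octet query name used for PTR and DNSBL lookups, e.g.
    192.0.2.20 with zone 'dnsbl.example.' -> '20.2.0.192.dnsbl.example.'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_fcrdns(ip, resolver):
    """Verify the peer's identity the way the post describes: the IP must have
    a PTR, and at least one PTR name must resolve back to the same IP."""
    names = resolver.ptr(ip)
    if not names:
        return RdnsResult(ip, [], False, "no PTR record")
    for name in names:
        if ip in resolver.a(name):
            return RdnsResult(ip, names, True, f"PTR {name} resolves back to {ip}")
    return RdnsResult(ip, names, False,
                      "PTR present but forward lookup does not match")


def dnsbl_listed(ip, zone, resolver):
    """A non-empty answer for the reversed name means the IP is listed."""
    return bool(resolver.dnsbl(reverse_name(ip, zone)))


def classify_sender(ip, resolver, dnsbl_zone="dnsbl.example."):
    """Advisory disposition for a connecting MTA.

    Open-relay listing -> 'reject' (the post's recommended criterion).
    rDNS failure       -> 'accept-tag': accept but mark for scoring, so that
                          rDNS alone never causes the RFC1123 violation the
                          post objects to.
    Otherwise          -> 'accept'.
    Returns (verdict, rdns_reason, listed).
    """
    rdns = check_fcrdns(ip, resolver)
    listed = dnsbl_listed(ip, dnsbl_zone, resolver)
    if listed:
        verdict = "reject"
    elif not rdns.confirmed:
        verdict = "accept-tag"
    else:
        verdict = "accept"
    return verdict, rdns.reason, listed


if __name__ == "__main__":
    r = StubResolver()
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, classify_sender(ip, r))
```

The same reverse_name() builder serves both in-addr.arpa PTR lookups (zone "in-addr.arpa.") and DNSBL queries, which is why a list such as the ordb could be consulted with an ordinary A-record query; what differs between lists is only the zone and the meaning of the 127.0.0.x answer.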