nanog mailing list archives

Re: marking dynamic ranges, was fixing insecure email infrastructure


From: Markus Stumpf <maex-lists-nanog () Space Net>
Date: Tue, 25 Jan 2005 18:03:02 +0100


On Tue, Jan 25, 2005 at 01:09:04PM +0530, Suresh Ramasubramanian wrote:
> On Mon, 24 Jan 2005 22:29:49 +0100, Markus Stumpf
> <maex-lists-nanog () space net> wrote:
> > If you look at your logfiles you will notice that > 95% of all legit
> > mailservers already have working and individual revDNS.

> I'll just point out that you are generalizing based on a case you see
> in your mailserver

I am generalizing on what I see from about 300 mailservers and about
1 million messages a day.

> I haven't got the time to gather stats from our production clusters
> right now but a quick grep through the last week's logs on my personal
> colo (lots of ISPs in india mail it, some indian users - friends,
> family, large local linux lists - on it) .. I'd say that about 40% of
> my legitimate email comes from IPs that don't have rDNS let alone
> DNAME / MTAMARK.

How did you calculate that "40% of my legitimate email"?
If you get 60 emails from 60 different hosts that have revDNS and you
get 40 mails from two hosts without revDNS then also "40% of your
legitimate email" is coming from servers without revDNS, but in fact
the percentage of servers without revDNS would be around 3.2%. Quite
a difference.

> On our production boxes we get email from around the world for about
> 40 million users, and I just don't want to try blocking based on no
> reverse DNS there .. just not worth the amount of legitimate email
> traffic that gets filtered out.

On the mailserver for our company we had 2002 attempts to inject
messages in the last 17h30m from hosts without any revDNS.
-> 30 allowed, 2 of them non-spam
-> 1982 rejected (bad HELO (IP or name of local mailserver),
                nonexistent recipient, relaying denied, blocked
                due to prior spamming)
This makes a 0.1% non-spam rate.
888 unique hosts sending spam, 2 did not, 0.23% good servers without
revDNS.

yesterday:
2368 attempts from hosts without any revDNS
-> 2315 rejected
-> 53 allowed, 6 of them non-spam (4 of them from the same sender)
This makes a 0.25% non-spam rate.
1044 unique hosts sending spam, 3 did not, 0.29% good servers without
revDNS.

As you can see, we don't filter out "no revDNS" either. But setting
MTAMARK records would give the admins of the receiving mailservers
a hint as to how to classify the sending IP.

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
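The disagreement above is about how the statistic is counted: the share of accepted *messages* that come from clients without reverse DNS versus the share of sending *hosts* that lack it. The following script, an added example that is not part of the original thread, computes both from Postfix-style smtpd log lines and reproduces the 60/40 scenario from the mail: 60 messages from 60 distinct hosts with rDNS plus 40 messages from two hosts without gives a 40% per-message share but a 3.2% per-host share. The log lines are constructed here (addresses from the RFC 5737 documentation ranges, arbitrary queue ids); the only Postfix convention relied on is the literal hostname "unknown" for a client IP with no PTR record, so no DNS lookups are performed.

```python
"""Per-message vs per-host rDNS statistics from Postfix-style smtpd log lines.

Added example, not part of the original NANOG thread. The log lines are
constructed below in Postfix-like syntax: "QUEUEID: client=host[ip]" for an
accepted message, "NOQUEUE: reject: RCPT from host[ip]: ..." for a rejected
attempt, and the literal hostname "unknown" when the client IP has no reverse
DNS, which is how Postfix logs it. No DNS lookups are made; the rDNS status is
read from the log line itself.
"""
import re

# Postfix writes the client as "hostname[address]"; hostname "unknown" means no PTR.
CLIENT_RE = re.compile(r'(?:client=|from )(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]')


def parse_line(line):
    """Return (ip, has_rdns, accepted) for an smtpd log line with an outcome, else None."""
    m = CLIENT_RE.search(line)
    if m is None:
        return None
    accepted = "client=" in line            # a queue-id line means the message was taken
    rejected = "NOQUEUE: reject:" in line
    if not (accepted or rejected):
        return None                          # plain "connect from" lines carry no outcome
    return m.group("ip"), m.group("host") != "unknown", accepted


def rdns_stats(lines):
    """Count accepted mail from no-rDNS clients two ways: per message and per unique host."""
    msgs_total = msgs_no_rdns = 0
    rej_total = rej_no_rdns = 0
    accepted_hosts = {}                      # ip -> has_rdns, for hosts that got a message in
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, has_rdns, accepted = parsed
        if accepted:
            msgs_total += 1
            msgs_no_rdns += not has_rdns
            accepted_hosts[ip] = has_rdns
        else:
            rej_total += 1
            rej_no_rdns += not has_rdns
    hosts_no_rdns = sum(1 for v in accepted_hosts.values() if not v)
    return {
        "accepted_msgs": msgs_total,
        "msg_share_no_rdns": msgs_no_rdns / msgs_total if msgs_total else 0.0,
        "accepted_hosts": len(accepted_hosts),
        "host_share_no_rdns": hosts_no_rdns / len(accepted_hosts) if accepted_hosts else 0.0,
        "rejects": rej_total,
        "rejects_no_rdns": rej_no_rdns,
    }


def constructed_log():
    """Constructed sample: the thread's 60/40 case plus a few rejected no-rDNS attempts.

    60 accepted messages from 60 distinct hosts with rDNS, 40 accepted messages from
    two hosts without rDNS (20 each), and 5 attempts from no-rDNS clients rejected for
    a nonexistent recipient. Addresses are RFC 5737 documentation ranges.
    """
    lines = []
    for i in range(60):
        lines.append(f"postfix/smtpd[101]: A{i:04X}: client=mx{i}.example.net[198.51.100.{i + 1}]")
    for i in range(20):
        lines.append(f"postfix/smtpd[102]: B{i:04X}: client=unknown[203.0.113.10]")
        lines.append(f"postfix/smtpd[103]: C{i:04X}: client=unknown[203.0.113.20]")
    for i in range(5):
        lines.append(f"postfix/smtpd[104]: connect from unknown[203.0.113.{30 + i}]")
        lines.append(f"postfix/smtpd[104]: NOQUEUE: reject: RCPT from unknown[203.0.113.{30 + i}]: "
                     f"550 5.1.1 <nobody{i}@example.com>: Recipient address rejected: User unknown")
    return lines


if __name__ == "__main__":
    s = rdns_stats(constructed_log())
    print(f"{s['msg_share_no_rdns']:.1%} of accepted messages came from clients without rDNS")
    print(f"{s['host_share_no_rdns']:.1%} of hosts that got mail accepted lacked rDNS")
    print(f"{s['rejects_no_rdns']}/{s['rejects']} rejects were from clients without rDNS")
```

Run against a real mail.log the same two numbers tell you which figure you are actually looking at; a few high-volume senders without PTR records (a busy list server, a relative's home mailserver) inflate the per-message share while barely moving the per-host share, which is the distinction drawn in the mail above.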

