Security Basics mailing list archives
Re: educating rDNS violators
From: Derek Schaible <dschaible () cssiinc com>
Date: Fri, 27 Aug 2004 06:46:18 -0400
On Thu, 2004-08-26 at 03:03, Niek wrote:
> On 8/25/2004 1:08 PM +0200, Derek Schaible wrote:
> > on their DSL or cable modem. Such hosts will typically not have a valid rDNS entry. Additionally, if a company is sending legitimate email they
>
> In my experience almost all 'western' ISPs have rDNS set on their customer broadband/dialup IP ranges. Sometimes, when an ISP was assigned a new block, it can take a while, but it usually gets put in place. rDNS is however missing on the majority of Asian IP blocks. I block China, Korea, and a few other countries with DNS blacklists. 90% of the blocked Asian IPs do not have (valid) rDNS.
>
> Names of SMTP servers will still be spoofed even if rDNS is in place. Only something like caller-id/sender-id/SPF/DomainKeys/'something better than before mentioned' solutions will help cut it down a bit.
>
> Moral of this all. If you decide to block hosts with missing or incorrect rDNS, you will lose mail. Period. If you decide to block hosts with missing or incorrect rDNS, you will still receive spam. Period.
I disagree, and I think we are missing the fact that this is a "security basics" list. One basic step you can take to secure your email communications is to implement rDNS lookups. This is by and large a standard practice advocated on many other lists; qmail lists certainly do. We are here to provide newcomers to security with "basic" steps and information. Setting up rDNS for your email is one we should be advocating, not excusing.

If you are in some bizarre situation where this is not possible, we should be telling people to pressure their ISPs to provide them with an SMTP relay that has proper rDNS info. Even if you want to run your server with no rDNS - do so, but use that rDNS-friendly relay and the world will get your mail - it's too simple to excuse not doing it. If your ISP is unwilling to take this step, I'd be very concerned about what other simple, "_basic_" security measures they are too lazy to implement for their customers. Let's not advocate excusing it, let's advocate fixing it. This thread is also about "education", remember.

Not only does implementing rDNS filtering at your site reduce spam, but it will also reduce other malicious, mail-borne attacks. You can't tell me otherwise. Personal experience showed me an 80% or higher success rate of dropping spam/attacks from these ill-configured servers. I'm sure I'm not alone.

As advice to those who are learning about security: rDNS does help verify you're who you say you are. It is a valid method for filtering mail. Is it perfect? No. None exists as of yet, but every step helps. You should look into properly configuring DNS for many reasons, not just spam and other email concerns. You should aid your clients to do so as well. You should use an SMTP relay that resolves its name in rDNS if one is not available at your site. If you don't take these steps, don't complain that some sites summarily drop your mail. It's their prerogative.
Personally, at my location we have zero complaints of losing legitimate mail due to rDNS. I've lost legitimate email because a client was erroneously placed on a blackhole list. I'm not about to advocate dropping RBLs. I've lost legitimate mail through commercial spam filter products. You work with it, you deal with it. As security professionals, it is our job to do so and advocate smart security measures. rDNS should not be left off that list.

--
Derek Schaible <dschaible () cssiinc com>
CSSI, Inc.
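As an added example (not part of this thread, and not code from either poster), here is what the rDNS check Derek advocates and the DNS blacklist lookup Niek mentions look like in Python. It implements forward-confirmed reverse DNS (PTR to name, then name back to address) rather than merely testing that a PTR exists, because, as Niek notes, whoever controls the address space can put any name in the PTR; only the forward confirmation ties the name to its domain owner. The resolver classes, the `smtp_policy` function, the `192.0.2.x` addresses and the `dnsbl.example` zone are all constructed for this illustration; `SocketResolver` uses the system resolver for live use, while `DEMO_RESOLVER` holds in-memory zone data so the logic runs offline.

```python
import socket
import ipaddress
from enum import Enum


class Verdict(Enum):
    PASS = "pass"          # PTR exists and one of its names resolves back to the IP
    NO_PTR = "no_ptr"      # no reverse record at all
    MISMATCH = "mismatch"  # PTR exists but no forward record points back to the IP


class SocketResolver:
    """Live lookups through the system resolver (assumes outbound DNS works)."""

    def ptr(self, ip):
        try:
            host, aliases, _ = socket.gethostbyaddr(ip)
            return [host] + aliases
        except (socket.herror, socket.gaierror):
            return []

    def addresses(self, name):
        try:
            return {info[4][0] for info in socket.getaddrinfo(name, None)}
        except socket.gaierror:
            return set()


class StaticResolver:
    """In-memory zone data so the check can be exercised offline (constructed for this example)."""

    def __init__(self, ptr_map, a_map):
        self.ptr_map = ptr_map
        self.a_map = {k.lower(): v for k, v in a_map.items()}

    def ptr(self, ip):
        return list(self.ptr_map.get(ip, []))

    def addresses(self, name):
        return set(self.a_map.get(name.lower().rstrip("."), []))


def fcrdns(ip, resolver):
    """Forward-confirmed reverse DNS: PTR -> name, then name -> A/AAAA must contain ip."""
    names = resolver.ptr(ip)
    if not names:
        return Verdict.NO_PTR, None
    for name in names:
        if ip in resolver.addresses(name):
            return Verdict.PASS, name
    return Verdict.MISMATCH, names[0]


def dnsbl_listed(ip, zone, resolver):
    """Standard DNSBL query: reversed IPv4 octets under the list's zone; any A record means listed."""
    if ipaddress.ip_address(ip).version != 4:
        return False  # this illustration only covers IPv4 lists
    query = ".".join(reversed(ip.split("."))) + "." + zone
    return bool(resolver.addresses(query))


def smtp_policy(ip, resolver, dnsbl_zone=None):
    """Connect-time decision. Missing rDNS is a hard reject here, as Derek advocates;
    an operator sharing Niek's concern about lost mail could return a 4xx or only tag instead."""
    verdict, name = fcrdns(ip, resolver)
    if verdict is Verdict.NO_PTR:
        return "550", f"{ip} has no reverse DNS; send via a relay that has one"
    if verdict is Verdict.MISMATCH:
        return "550", f"{ip} claims to be {name} but {name} does not resolve to {ip}"
    if dnsbl_zone and dnsbl_listed(ip, dnsbl_zone, resolver):
        return "550", f"{ip} is listed in {dnsbl_zone}"
    return "250", f"{ip} ({name}) passed rDNS checks"


# Constructed sample zone data: RFC 5737 documentation addresses, invented names.
DEMO_RESOLVER = StaticResolver(
    ptr_map={
        "192.0.2.10": ["mail.example.com"],   # proper FCrDNS
        "192.0.2.20": ["mail.example.com"],   # PTR names a host that does not point back
        "192.0.2.40": ["relay.example.net"],  # FCrDNS fine, but on the blacklist
        # 192.0.2.30 deliberately has no PTR at all
    },
    a_map={
        "mail.example.com": ["192.0.2.10"],
        "relay.example.net": ["192.0.2.40"],
        "40.2.0.192.dnsbl.example": ["127.0.0.2"],  # usual DNSBL listing convention
    },
)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        code, msg = smtp_policy(ip, DEMO_RESOLVER, dnsbl_zone="dnsbl.example")
        print(code, msg)
```

Swapping `DEMO_RESOLVER` for `SocketResolver()` runs the same checks against real DNS. The three-way verdict matters operationally: a host with no PTR and a host whose PTR does not forward-confirm are different misconfigurations, and logging which one you saw is what lets you tell a sender (or their ISP) exactly what to fix.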