Re: reverse DNS questions
From: Len Conrad
Date: Friday, September 5, 2003
Time: 2:57:32 am
>Their reasoning...partially; their actions...no.
>
>They claim that they want to block smtp transactions from so-called
>"residential" DSL lines (whether they have static IP blocks or not), but
>what their lazy admins are really doing is labelling as "residential" and
>then blocking _ALL_ SBC DSL IP blocks if they do not have an rdns
>suggesting they are being used by a business.

A legit mail server on a subscriber network, while maintaining full control
over the mail server's administration, can relay its outbound through its
provider's SMTP gateway, through the businesses' own web server, or through
a partner/commercial site.

The issue is very clear. If someone came to you and said: "I have a solution
for you that will fix your horrible problem (of millions of inbound spam
and joejob msgs per day), with 99.99% accuracy", what would you do? AOL
and RR have decided to do it, and, like anybody who blocks subscriber
networks, are reaping huge benefits. As more and more MXs block subscriber
networks, this policy will become a de facto law, just like AOL requiring
senders to have PTR records has become law for anybody wanting to send to AOL.

The results for subscriber network blocking give this qty of rejects
compared to other types of rejects:

  2845 DNS no A/MX for @sender.domain
  3386 RBL spamdomains.blackholes.easynet.nl
  3714 ACL PTR and HELO hostnames mismatch (forged)!
  4050 ACL helo hostname contains an IP
  6463 ACL SAV: unverifiable sender address
  7974 ACL forged major ISP sender domain
 11331 ACL RAV: undeliverable recipient address
 11615 ACL forged freemail sender domain
 13729 ACL mta_clients_dict
 13981 ACL mta_clients_subscriber network <<<<<<<<
 17890 SMTP Exceeded Hard Error Limit after DATA
 20233 SMTP Exceeded Hard Error Limit after RCPT
 22508 ACL mta_clients_bw
=======================
156075 TOTAL rejects for 4 Sep.

But those reject numbers need to be compared with legit mail. This ISP
receives, in totality, this qty of msgs from all the AOL MXs in the same day:

%zegrep -ic "nqmgr.*aol\.com" /var/log/maillog.0.gz
497

btw, while we are on this issue of DNS + mail, here are the "best practices" for
DNS support of your outgoing email:

1. The MTA sending outbound mail must have a PTR record of a fully
qualified domain name. At a minimum, this PTR domain must have an A record.
2. optionally, the PTR RDATA domain name should have an A record that
matches the IP address.
3. the MTA's HELO hostname must be a fully qualified domain name that has
either A or MX records.
4. optionally, the domain of the HELO hostname should be in the same
domain as the PTR RDATA domain name. eg:
AOL says HELO with whatever.aol.com
... while the IP of the sending IP saying HELO is also in the same domain:
imo-m05.mx.aol.com
5. The envelope @sender.domain (aka ESD) must be fully qualified and have A
and/or MX records.
6. The sender@sender.domain must have an MX for @sender.domain that accepts
mail sent to sender@sender.domain (to accept bounces, as per RFC).
Len
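
Items 1 to 5 of the list above written as an offline check; this is an added example, not part of the original message. The DNS data in ZONE, the addresses and the example.com names are constructed, and base_domain() is a simplification. Item 6 needs a live SMTP probe and is not covered.

```python
import re

# Constructed DNS data standing in for real lookups, so the example runs offline.
ZONE = {
    "PTR": {"192.0.2.25": "imo-m05.mx.example.com",
            "198.51.100.7": "host7.example.net"},
    "A": {"imo-m05.mx.example.com": ["192.0.2.25"],
          "out.example.com": ["192.0.2.26"]},
    "MX": {"example.com": ["mx.example.com"]},
}

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def is_fqdn(name):
    """At least two valid labels, and not a bare IP or bracketed literal."""
    labels = name.lower().rstrip(".").split(".")
    return (len(labels) >= 2 and all(LABEL.match(l) for l in labels)
            and not labels[-1].isdigit())

def base_domain(name):
    # Simplification: last two labels. A production check would consult
    # the public suffix list (co.uk and similar).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def has_a_or_mx(name, zone):
    name = name.lower().rstrip(".")
    return bool(zone["A"].get(name) or zone["MX"].get(name))

def check_outbound(ip, helo, env_sender, zone=ZONE):
    """Return {item number: passed} for items 1-5 of the list above."""
    ptr = zone["PTR"].get(ip, "")
    esd = env_sender.rsplit("@", 1)[-1]          # envelope sender domain
    return {
        1: is_fqdn(ptr) and bool(zone["A"].get(ptr)),    # PTR is FQDN with an A
        2: ip in zone["A"].get(ptr, []),                 # PTR's A matches the IP
        3: is_fqdn(helo) and has_a_or_mx(helo, zone),    # HELO is FQDN with A/MX
        4: bool(ptr) and base_domain(helo) == base_domain(ptr),
        5: is_fqdn(esd) and has_a_or_mx(esd, zone),      # ESD has A and/or MX
    }

if __name__ == "__main__":
    for args in [("192.0.2.25", "out.example.com", "len@example.com"),
                 ("198.51.100.7", "[198.51.100.7]", "x@nodns.example.org")]:
        print(args, check_outbound(*args))
```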