Posted to users@spamassassin.apache.org by Da...@ChaosReigns.com on 2010/10/30 04:02:56 UTC

Full circle DNS test?

I see there's a RDNS_NONE rule for when the sending IP address has no DNS
PTR (reverse DNS) record.  But no rule for when that PTR record doesn't
have a matching A (forward DNS) record that matches the sending IP?

For example, if you get an email from me, and look up the IP:

  64.71.152.40 -> chaosreigns.com

Then you can look up that host name and get:

  chaosreigns.com -> 64.71.152.40

And if that IP didn't match the sending IP, it would fail this test.

Is this something that would be accepted into spamassassin if I created a
module?  Or a feature that would be added if I didn't do it?

I block all email that doesn't pass this test at my MTA (postfix
reject_unknown_client_hostname), but I understand some people don't.

-- 
"It's a dangerous business, Frodo, going out your front door. You step
into the Road, and if you don't keep your feet, there is no knowing
where you might be swept off to." - Bilbo Baggins
http://www.ChaosReigns.com

Re: Full circle DNS test?

Posted by Jared Hall <jh...@tbi.net>.
RW wrote:
> On Fri, 29 Oct 2010 22:02:56 -0400
> Darxus@ChaosReigns.com wrote:
>
>> I see there's a RDNS_NONE rule for when the sending IP address has no
>> DNS PTR (reverse DNS) record.  But no rule for when that PTR record
>> doesn't have a matching A (forward DNS) record that matches the
>> sending IP?
>
> There's one in the optional Botnet plugin, there are a couple of
> problems with it though. Its rdns lookups aren't very efficient, and
> it doesn't work for IPv6.
>
Ah, Paranoid mode - most useful once upon a time.  I can see cases where
this might still be useful; and it's certainly better to score than to
reject outright.  That said, as others on this list suggest, this
probably will never make it into the native SA development effort.

RW is correct.  The Botnet.pm plugin supports this for IPv4 addresses via
the rule "BOTNET_BADDNS":

describe        BOTNET_BADDNS           Relay doesn't have full circle DNS
header          BOTNET_BADDNS           eval:botnet_baddns()
score           BOTNET_BADDNS           0.0


Regards,

Jared Hall


Re: Full circle DNS test?

Posted by RW <rw...@googlemail.com>.
On Fri, 29 Oct 2010 22:02:56 -0400
Darxus@ChaosReigns.com wrote:

> I see there's a RDNS_NONE rule for when the sending IP address has no
> DNS PTR (reverse DNS) record.  But no rule for when that PTR record
> doesn't have a matching A (forward DNS) record that matches the
> sending IP?

There's one in the optional Botnet plugin, there are a couple of
problems with it though. Its rdns lookups aren't very efficient, and
it doesn't work for IPv6.

Re: Full circle DNS test?

Posted by Cedric Knight <ce...@gn.apc.org>.
On 30/10/10 07:42, Henrik K wrote:
> On Fri, Oct 29, 2010 at 10:02:56PM -0400, Darxus@ChaosReigns.com wrote:
>> I see there's a RDNS_NONE rule for when the sending IP address has no DNS
>> PTR (reverse DNS) record.  But no rule for when that PTR record doesn't
>> have a matching A (forward DNS) record that matches the sending IP?
>>
>> Is this something that would be accepted into spamassassin if I created a
>> module?  Or a feature that would be added if I didn't do it?
> 
> I doubt SA will incorporate it:
> 
> http://marc.info/?l=spamassassin-users&m=122268554723430
> 
> Make it if you need it. Share it if you want. People will use it if they
> find it useful.

For information, Postfix does a "full-circle" test of rDNS and puts
"unknown" in the Received headers if there is a PTR record, but the
value of that PTR record does not resolve, or if it resolves but does
not match.  And since SpamAssassin examines the hostname from the
Received headers, an email from a (last untrusted) IP address with an
unverified rDNS will hit RDNS_NONE.

So for Postfix and sendmail, what Darxus is suggesting is already
happening.

For other MTAs this may be different.  This means RDNS_NONE may be
assigned different scores from the scoring process, depending on whether
the email corpora checked have had no rDNS added to headers, had
unverified rDNS added, or only verified rDNS added.  That inconsistency
could be an argument for creating a module.  One other advantage of a
rDNS lookup module would be that having unverified rDNS available to
SpamAssassin separately could make it easy to write rules to catch
unverified rDNS values of a type like dsl-189-180-xxx-xxx.

IMHO configuring Postfix to reject all email without verified rDNS (even
with a 450 temporary error) would result in wrongly bouncing a lot of
email from some organisational mail servers.  By the way, another way of
doing this might be to put the line "smtp: PARANOID" into /etc/hosts.deny.

C
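The full-circle test Darxus describes at the top of the thread (PTR, then A/AAAA, then compare with the sending IP), together with the Postfix behaviour Cedric outlines (an unverified name is written as "unknown" into Received: and so ends up hitting RDNS_NONE), as an added example. This is not code from SpamAssassin, the Botnet plugin or any poster. The resolver is injected so it runs offline: the PTR/A/AAAA data, the `fcrdns`, `received_client` and `looks_generic` names, and the generic-hostname pattern are all constructed assumptions; the `system_*` helpers show how to plug in the real resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, IPv4 and IPv6.

Added example, not code from SpamAssassin or the list posts. Resolvers
are injected so the check runs offline against constructed records.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample records (not real DNS data).
FAKE_PTR: Dict[str, List[str]] = {
    "64.71.152.40": ["chaosreigns.com"],           # PTR -> A -> same IP
    "192.0.2.10": ["mail.example.net"],            # PTR resolves to another IP
    "192.0.2.11": ["ghost.example.net"],           # PTR names a host with no A
    "198.51.100.5": ["dsl-189-180-001-002.example.org"],  # verified but generic
    "2001:db8::25": ["mx6.example.org"],           # IPv6 full circle
}
FAKE_ADDR: Dict[str, List[str]] = {
    "chaosreigns.com": ["64.71.152.40"],
    "mail.example.net": ["192.0.2.99"],
    "dsl-189-180-001-002.example.org": ["198.51.100.5"],
    "mx6.example.org": ["2001:db8::25"],
}


def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_addr(name: str) -> List[str]:
    return FAKE_ADDR.get(name, [])


def system_ptr(ip: str) -> List[str]:
    """Real PTR lookup via the system resolver (assumption: used in production)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except OSError:
        return []


def system_addr(name: str) -> List[str]:
    """Real A/AAAA lookup via the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []


def fcrdns(ip: str,
           ptr_lookup: Callable[[str], List[str]] = fake_ptr,
           addr_lookup: Callable[[str], List[str]] = fake_addr) -> dict:
    """Classify the sending IP.

    status "none":       no PTR record (SpamAssassin's RDNS_NONE case)
    status "unverified": PTR exists but its forward record is missing or
                         does not include the sending IP (Postfix 'unknown')
    status "verified":   PTR -> A/AAAA -> same IP (full circle)
    """
    addr = ipaddress.ip_address(ip)          # normalises v4/v6 text forms
    names = ptr_lookup(str(addr))
    if not names:
        return {"status": "none", "names": [], "verified_name": None}
    for name in names:
        for candidate in addr_lookup(name):
            try:
                if ipaddress.ip_address(candidate) == addr:
                    return {"status": "verified", "names": names,
                            "verified_name": name}
            except ValueError:               # skip malformed forward data
                continue
    return {"status": "unverified", "names": names, "verified_name": None}


def received_client(ip: str, **resolvers) -> str:
    """Render the client token the way Postfix writes it into Received:
    'name[ip]' only for a verified name, otherwise 'unknown[ip]'."""
    result = fcrdns(ip, **resolvers)
    name: Optional[str] = result["verified_name"]
    return f"{name or 'unknown'}[{ip}]"


# Constructed heuristic for provider-generated rDNS labels such as the
# dsl-189-180-xxx-xxx style mentioned in the thread; tune for your corpus.
GENERIC_RDNS = re.compile(
    r"^(?:a?dsl|dyn(?:amic)?|dhcp|ppp|pool|cable)[-.]?\d", re.IGNORECASE)


def looks_generic(name: str) -> bool:
    """True when the rDNS label looks like an auto-generated access-line name."""
    return bool(GENERIC_RDNS.match(name))


if __name__ == "__main__":
    for ip in ("64.71.152.40", "192.0.2.10", "192.0.2.11",
               "203.0.113.1", "2001:db8::25", "198.51.100.5"):
        r = fcrdns(ip)
        flag = " generic" if any(looks_generic(n) for n in r["names"]) else ""
        print(f"{received_client(ip):40} {r['status']}{flag}")
```

To score rather than reject, as Jared and Joseph suggest, feed the `status` (and the `looks_generic` flag on the PTR names) into your own scoring instead of refusing the connection; `received_client` only reproduces what the MTA would have put in the header.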

Re: Full circle DNS test?

Posted by Henrik K <he...@hege.li>.
On Fri, Oct 29, 2010 at 10:02:56PM -0400, Darxus@ChaosReigns.com wrote:
> I see there's a RDNS_NONE rule for when the sending IP address has no DNS
> PTR (reverse DNS) record.  But no rule for when that PTR record doesn't
> have a matching A (forward DNS) record that matches the sending IP?
>
> Is this something that would be accepted into spamassassin if I created a
> module?  Or a feature that would be added if I didn't do it?

I doubt SA will incorporate it:

http://marc.info/?l=spamassassin-users&m=122268554723430

Make it if you need it. Share it if you want. People will use it if they
find it useful.


Re: Full circle DNS test?

Posted by Joseph Brennan <br...@columbia.edu>.

Darxus@ChaosReigns.com wrote:

> I see there's a RDNS_NONE rule for when the sending IP address has no DNS
> PTR (reverse DNS) record.  But no rule for when that PTR record doesn't
> have a matching A (forward DNS) record that matches the sending IP?

> Is this something that would be accepted into spamassassin if I created a
> module?  Or a feature that would be added if I didn't do it?


There are legit mail servers with bad DNS.  Not the big ISPs or hosting
companies, but small businesses and nonprofits sometimes get this wrong,
and in a few countries nonmatching records seem to be routine.  We've
considered blocking for it, but we'd end up doing a lot of whitelisting
and interfering with mail that our users want.

It's worth scoring for, and RDNS_NONE already matches this case.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology