Posted to users@spamassassin.apache.org by Dianne Skoll <df...@roaringpenguin.com> on 2016/05/15 13:51:56 UTC

TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

On Sun, 15 May 2016 13:25:34 +0200
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> Note that the TTL is 3600 for both reverse and forward records.
> There are blacklists that won't delist your IP if your TTL is this
> short, e.g. sorbs requires at least 14400.

What, really?  What's the rationale for that requirement?  That a short
TTL is "too dynamic"?

That seems a little aggressive, IMO.

Regards,

Dianne.

Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Tue, 17 May 2016 21:42:15 +0200
Reindl Harald <h....@thelounge.net> wrote:

> discuss that with the people of SORBS

Aren't we just a ray of fucking sunshine?

Luckily, I have http://search.cpan.org/~dskoll/Mail-ThreadKiller/
to help me out.

Regards,

Dianne.


Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Reindl Harald <h....@thelounge.net>.

Am 17.05.2016 um 20:19 schrieb Dianne Skoll:
> On Tue, 17 May 2016 18:50:29 +0200
> Reindl Harald <h....@thelounge.net> wrote:
>
>>>> NOBODY is talking about BLACKLIST short TTL
>>>> it's all about de-listing when you got blacklisted for good reasons
>
>>> IMO, the TTL is a completely irrelevant factor when considering
>>> whether or not to blacklist an IP.  I do not believe there's any
>>> correlation between TTL and reputation of an IP address
>
>> interesting that you quoted me where I said *exactly the same*
>
> I worded my response incorrectly.  I meant to say:

then you responded to the wrong mail

> TTL should be a completely irrelevant factor when considering whether
> or not to de-list an IP.  After all, if it's not relevant for putting
> an IP on a list, how is it possibly relevant for taking it off the
> list?

discuss that with the people of SORBS


Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Tue, 17 May 2016 18:50:29 +0200
Reindl Harald <h....@thelounge.net> wrote:

> >> NOBODY is talking about BLACKLIST short TTL
> >> it's all about de-listing when you got blacklisted for good reasons

> > IMO, the TTL is a completely irrelevant factor when considering
> > whether or not to blacklist an IP.  I do not believe there's any
> > correlation between TTL and reputation of an IP address

> interesting that you quoted me where I said *exactly the same*

I worded my response incorrectly.  I meant to say:

TTL should be a completely irrelevant factor when considering whether
or not to de-list an IP.  After all, if it's not relevant for putting
an IP on a list, how is it possibly relevant for taking it off the
list?

Regards,

Dianne.


Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Reindl Harald <h....@thelounge.net>.

Am 17.05.2016 um 17:25 schrieb Dianne Skoll:
> On Tue, 17 May 2016 17:14:37 +0200
> Reindl Harald <h....@thelounge.net> wrote:
>
>> NOBODY is talking about BLACKLIST short TTL
>> it's all about de-listing when you got blacklisted for good reasons
>
> IMO, the TTL is a completely irrelevant factor when considering whether
> or not to blacklist an IP.  I do not believe there's any correlation
> between TTL and reputation of an IP address

interesting that you quoted me where I said *exactly the same*


Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Tue, 17 May 2016 17:14:37 +0200
Reindl Harald <h....@thelounge.net> wrote:

> NOBODY is talking about BLACKLIST short TTL
> it's all about de-listing when you got blacklisted for good reasons

IMO, the TTL is a completely irrelevant factor when considering whether
or not to blacklist an IP.  I do not believe there's any correlation
between TTL and reputation of an IP address.

Regards,

Dianne.


Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Reindl Harald <h....@thelounge.net>.

Am 16.05.2016 um 16:24 schrieb jdebert:
> On Mon, 16 May 2016 12:25:10 +0100
> Dominic Benson <do...@lenny.cus.org> wrote:
>
>> Accepting that not all ISPs are as helpful as they might be, I can't
>> easily think of a legitimate reason for needing the TTL on the PTR of
>> a mail server to be small, so if a blacklist operator finds it an
>> effective way to manage request volume then that doesn't seem
>> unreasonable.
>
> Aren't short TTLs also indicative of load balancing and
> "cloud" systems? If this is truly the case it would seem a legitimate
> practice, which makes blacklisting short TTLs seem quite unreasonable

NOBODY is talking about BLACKLIST short TTL
it's all about de-listing when you got blacklisted for good reasons


Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 16 May 2016, at 10:24, jdebert wrote:

> On Mon, 16 May 2016 12:25:10 +0100
> Dominic Benson <do...@lenny.cus.org> wrote:
>
>> Accepting that not all ISPs are as helpful as they might be, I can't
>> easily think of a legitimate reason for needing the TTL on the PTR of
>> a mail server to be small, so if a blacklist operator finds it an
>> effective way to manage request volume then that doesn't seem
>> unreasonable.
>>
>
> Aren't short TTLs also indicative of load balancing and
> "cloud" systems? If this is truly the case it would seem a legitimate
> practice, which makes blacklisting short TTLs seem quite unreasonable.

Short TTLs are an indispensable feature of DNS-based load balancing for 
email servers, but only on the MX and (sometimes) A records. Short TTLs 
on PTR records are not operationally significant because no widely used 
standardized protocol depends on PTRs technically. It is possible to get 
decent load balancing out of just having multiple short-TTL MX records 
of the same weight that never actually change, if you have a DNS server 
that randomizes the order of the records it sends in answers so that 
senders try them in randomized order (usually...)

"Cloud system" is such a vaguely defined phrase (fitting, I guess...) 
that I expect something that someone slaps that label on relies on short 
"forward" TTLs, but again there's no concrete reason to make PTRs 
short-lived because essentially nothing uses them. Also, the only 
point of short TTLs for cloud systems would be to allow for dynamic IP 
assignment, making them entirely reasonable for listing on blacklists of 
dynamically assigned IPs.

> ISTR that this is an ancient topic and there should be plenty of
> archived discussion. (No, I won't research it for you. Sorry.)

It's been discussed in various fora for about 17 years, starting around 
when Gordon Fecyk started his DUL DNSBL. As a practical matter, default 
TTLs have dropped over time because the reliability of the Internet has 
gotten much better and the computers acting as nameservers much more 
capable, while the nuisance level of having to reduce a 1-day TTL 2 days 
in advance of a DNS change has remained constant.
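The load-balancing arrangement Bill describes above (several equal-weight MX records that never change, relying on answer-order randomization) can be simulated to see what actually spreads the first connection attempt. The block below is an added example, not code from the thread or from any project named in it; the MX host names are constructed. It models the DNS server rotating the answer (round robin), a naive client that keeps the server's order among equal preferences, and an RFC 5321 section 5.1 client that shuffles ties itself.

```python
"""Simulate first-attempt distribution across equal-preference MX hosts
under server-side round robin and/or client-side tie shuffling.

Added example, not code from the thread.  Host names are constructed.
"""
import random
from collections import Counter

# Constructed RRset: three equal-weight primaries and one lower-priority backup.
MX_RRSET = [
    (10, "mx1.example.net."),
    (10, "mx2.example.net."),
    (10, "mx3.example.net."),
    (20, "backup.example.net."),
]


def round_robin_answer(rrset, query_number):
    """Server side: rotate the RRset by one position per query, the way a
    round-robin nameserver varies the order of records in its answers."""
    if not rrset:
        return []
    k = query_number % len(rrset)
    return rrset[k:] + rrset[:k]


def naive_client_order(answer):
    """Client that honours preference but keeps the server's order among
    ties (stable sort).  Balances only if the server rotates."""
    return [host for _, host in sorted(answer, key=lambda rr: rr[0])]


def compliant_client_order(answer, rng):
    """RFC 5321 section 5.1 behaviour: ascending preference, equal
    preferences tried in random order regardless of answer order."""
    by_pref = {}
    for pref, host in answer:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def first_attempt_distribution(rrset, trials, server_rotates, client_shuffles, seed=0):
    """Count which host receives the first connection attempt over many
    deliveries under the chosen server/client behaviour."""
    rng = random.Random(seed)
    counts = Counter()
    for i in range(trials):
        answer = round_robin_answer(rrset, i) if server_rotates else list(rrset)
        if client_shuffles:
            order = compliant_client_order(answer, rng)
        else:
            order = naive_client_order(answer)
        counts[order[0]] += 1
    return counts


if __name__ == "__main__":
    for rotates, shuffles in ((False, False), (True, False), (False, True)):
        dist = first_attempt_distribution(MX_RRSET, 3000, rotates, shuffles)
        print(f"server rotates={rotates} client shuffles={shuffles}: {dict(dist)}")
```

With a naive client and no rotation every delivery hits the first host; with server rotation alone the spread is uneven because the backup record takes part in the rotation (here mx1 gets half the first attempts), which is the "usually..." caveat; a client that shuffles ties balances the three primaries regardless of answer order.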

Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by jdebert <jd...@garlic.com>.
On Mon, 16 May 2016 12:25:10 +0100
Dominic Benson <do...@lenny.cus.org> wrote:

> Accepting that not all ISPs are as helpful as they might be, I can't
> easily think of a legitimate reason for needing the TTL on the PTR of
> a mail server to be small, so if a blacklist operator finds it an
> effective way to manage request volume then that doesn't seem
> unreasonable.
> 

Aren't short TTLs also indicative of load balancing and
"cloud" systems? If this is truly the case it would seem a legitimate
practice, which makes blacklisting short TTLs seem quite unreasonable.

ISTR that this is an ancient topic and there should be plenty of
archived discussion. (No, I won't research it for you. Sorry.)


Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Dominic Benson <do...@lenny.cus.org>.
On 16/05/16 12:10, Dianne Skoll wrote:
> On Mon, 16 May 2016 09:12:54 +0200
> Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>
>> short TTLs are more likely on abusers' DNS. good for refusing
>> delisting.
> I would love to see data on the correlation.  I think it's pretty
> mild.  A few random tests on consumer cable IPs reveals TTLs for the
> reverse DNS ranging from a couple of hours to a day.  For example,
> 24.34.32.22 => c-24-34-32-22.hsd1.ma.comcast.net. has a TTL of two
> hours while 24.44.32.22 => ool-182c2016.dyn.optonline.net. has a TTL
> of a day.
>
> The reverse-DNS of our server, roaringpenguin.com, which we do not
> control has a TTL of only one hour:
>
> 70.38.112.54 => roaringpenguin.com
>
> but the A record going the other way has a TTL of 86400.
>
> Regards,
>
> Dianne.
I don't think that the purpose of the policy is really related to
dynamic IP PTRs, but rather to make it infeasible for a spammer to both
request delisting from blacklists and to cycle through domains while
maintaining FCRDNS.

As I recall, the comment was only about blacklist maintainer policies
regarding delist requests, not about treating low-TTL reverse zones as a
spam indicator in its own right.

Accepting that not all ISPs are as helpful as they might be, I can't
easily think of a legitimate reason for needing the TTL on the PTR of a
mail server to be small, so if a blacklist operator finds it an
effective way to manage request volume then that doesn't seem unreasonable.

Dominic


Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Mon, 16 May 2016 09:12:54 +0200
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> short TTLs are more likely on abusers' DNS. good for refusing
> delisting.

I would love to see data on the correlation.  I think it's pretty
mild.  A few random tests on consumer cable IPs reveals TTLs for the
reverse DNS ranging from a couple of hours to a day.  For example,
24.34.32.22 => c-24-34-32-22.hsd1.ma.comcast.net. has a TTL of two
hours while 24.44.32.22 => ool-182c2016.dyn.optonline.net. has a TTL
of a day.

The reverse-DNS of our server, roaringpenguin.com, which we do not
control has a TTL of only one hour:

70.38.112.54 => roaringpenguin.com

but the A record going the other way has a TTL of 86400.

Regards,

Dianne.
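The checks Dianne is doing by hand above (does the PTR forward-confirm, what are the PTR and A TTLs, does the PTR TTL clear a delisting threshold) can be scripted. The block below is an added example, not code from the thread or from any list member; it parses dig-style answer lines so it runs offline, and its sample records are constructed from the TTLs reported in the thread for 70.38.112.54 and 24.34.32.22. The 43200-second threshold is the SORBS DUL figure quoted in the thread.

```python
"""Audit reverse DNS for a mail server: FCRDNS consistency, PTR and
forward TTLs, and whether the PTR TTL meets a delisting threshold.

Added example, not code from the thread.  Sample records are constructed
from figures reported in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass

# Threshold quoted from the SORBS DUL delisting page in the thread.
SORBS_MIN_PTR_TTL = 43200

# Constructed dig-style answers (name TTL class type rdata).
SAMPLE_ANSWERS = """\
; constructed sample, not live data
54.112.38.70.in-addr.arpa. 3600 IN PTR roaringpenguin.com.
roaringpenguin.com. 86400 IN A 70.38.112.54
22.32.34.24.in-addr.arpa. 7200 IN PTR c-24-34-32-22.hsd1.ma.comcast.net.
c-24-34-32-22.hsd1.ma.comcast.net. 7200 IN A 24.34.32.22
"""

_RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(PTR|A|AAAA)\s+(\S+)$")


@dataclass
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_answers(text):
    """Parse dig-style resource record lines; comments and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR_LINE.match(line)
        if m:
            records.append(RR(m.group(1).lower(), int(m.group(2)),
                              m.group(3), m.group(4).lower()))
    return records


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4/IPv6 address, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns_report(ip, records, min_ttl=SORBS_MIN_PTR_TTL):
    """Return the PTR name, PTR/forward TTLs, whether the PTR forward-confirms
    to the same address (FCRDNS), and whether the PTR TTL meets min_ttl."""
    addr = ipaddress.ip_address(ip)
    report = {"ip": str(addr), "ptr": None, "ptr_ttl": None, "forward_ttl": None,
              "fcrdns": False, "ttl_ok": False}
    ptrs = [r for r in records if r.rtype == "PTR" and r.name == reverse_name(ip)]
    if not ptrs:
        return report  # no reverse record at all
    ptr = ptrs[0]
    report["ptr"], report["ptr_ttl"] = ptr.rdata, ptr.ttl
    want = "AAAA" if addr.version == 6 else "A"
    for r in records:
        if r.rtype == want and r.name == ptr.rdata and ipaddress.ip_address(r.rdata) == addr:
            report["fcrdns"], report["forward_ttl"] = True, r.ttl
            break
    report["ttl_ok"] = ptr.ttl >= min_ttl
    return report


if __name__ == "__main__":
    rrs = parse_answers(SAMPLE_ANSWERS)
    for ip in ("70.38.112.54", "24.34.32.22", "192.0.2.1"):
        print(fcrdns_report(ip, rrs))
```

Fed the output of `dig +noall +answer -x <ip>` followed by `dig +noall +answer <ptr-name> A`, the same functions report on a live host; the threshold is a parameter because, as the thread shows, different lists quote different figures.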

Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>> >That seems a little aggressive, IMO.

>On Sun, 15 May 2016 18:08:31 +0200
>Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> I don't think so. If you have a mail server, you don't change its DNS
>> records very often.

On 15.05.16 20:47, Dianne Skoll wrote:
>Maybe, but the TTL on the DNS records has nothing to do with whether or
>not an address is part of a dynamic pool.  I mean, you could give your
>dynamic addresses names that never change and set a TTL of a week, which
>wouldn't make the assignment of those addresses to customers any less
>dynamic.

short TTLs are more likely on abusers' DNS. good for refusing delisting.


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901

Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Sun, 15 May 2016 18:08:31 +0200
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> >That seems a little aggressive, IMO.

> I don't think so. If you have a mail server, you don't change its DNS
> records very often.

Maybe, but the TTL on the DNS records has nothing to do with whether or
not an address is part of a dynamic pool.  I mean, you could give your
dynamic addresses names that never change and set a TTL of a week, which
wouldn't make the assignment of those addresses to customers any less
dynamic.

Regards,

Dianne.


Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Sun, 15 May 2016 13:25:34 +0200
>Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> Note that the TTL is 3600 for both reverse and forward records.
>> There are blacklists that won't delist your IP if your TTL is this
>> short, e.g. sorbs requires at least 14400.

On 15.05.16 09:51, Dianne Skoll wrote:
>What, really?  What's the rationale for that requirement?  That a short
>TTL is "too dynamic"?

I guess they consider it suspect, if you can easily change it that many
times a day.

>That seems a little aggressive, IMO.

I don't think so. If you have a mail server, you don't change its DNS
records very often.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer

Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Reindl Harald <h....@thelounge.net>.

Am 16.05.2016 um 02:26 schrieb Bill Cole:
> On 15 May 2016, at 9:51, Dianne Skoll wrote:
>
>> On Sun, 15 May 2016 13:25:34 +0200
>> Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>>
>>> Note that the TTL is 3600 for both reverse and forward records.
>>> There are blacklists that won't delist your IP if your TTL is this
>>> short, e.g. sorbs requires at least 14400.
>
> According to http://www.sorbs.net/delisting/dul.shtml:
>
>    Also, the Times to Live of the PTR records need to be 43200
>    seconds or more. This is an arbitrary limit chosen by SORBS.
>
>> What, really?  What's the rationale for that requirement?  That a short
>> TTL is "too dynamic"?
>>
>> That seems a little aggressive, IMO.
>
> It's also VERY unevenly enforced. Amazon SES and Office365/Outlook.com
> outbounds emit substantial spam, have names that embed their last 1 or 2
> octets, and PTR TTLs of 900 and 3600 respectively. The MS sewer outlets
> HELO with names that resolve to IPs other than those they actually use,
> and the PTR on the IPs used typically resolve to names with a zero
> TTL. SORBS will list these as spam sources but not as dynamic, so
> there's clearly some subjective judgment in use

easy to understand - the "dul.dnsbl.sorbs.net" is much higher weighted 
in most setups - here it has a postscreen-reject-score and a host there 
needs to be on at least one common DNSWL to have any chance

well, and they are not dynamic machines - the distinction is not only 
dynamic - the point is ENDUSER-MACHINE which has no point to connect to 
a public MX at all (independent of how often the word static appears in 
the PTR, an office machine is not a mailserver and has no business on 
port 25) versus a server


Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 15 May 2016, at 9:51, Dianne Skoll wrote:

> On Sun, 15 May 2016 13:25:34 +0200
> Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>
>> Note that the TTL is 3600 for both reverse and forward records.
>> There are blacklists that won't delist your IP if your TTL is this
>> short, e.g. sorbs requires at least 14400.

According to http://www.sorbs.net/delisting/dul.shtml:

    Also, the Times to Live of the PTR records need to be 43200
    seconds or more. This is an arbitrary limit chosen by SORBS.

> What, really?  What's the rationale for that requirement?  That a short
> TTL is "too dynamic"?
>
> That seems a little aggressive, IMO.

It's also VERY unevenly enforced. Amazon SES and Office365/Outlook.com 
outbounds emit substantial spam, have names that embed their last 1 or 2 
octets, and PTR TTLs of 900 and 3600 respectively. The MS sewer outlets 
HELO with names that resolve to IPs other than those they actually use, 
and the PTR on the IPs used typically resolve to names with a zero 
TTL. SORBS will list these as spam sources but not as dynamic, so 
there's clearly some subjective judgment in use.