Posted to users@spamassassin.apache.org by Jimmy Stewpot <ma...@oranged.to> on 2008/09/29 15:14:39 UTC

RDNS_NONE

Hi There,

I have recently been getting a huge increase in the number of emails 
which are being marked as spam. In those emails I see that the headers 
say RDNS_NONE. It seems that in most cases the remote servers in the 
header do in fact reverse resolve. I have checked randomly in about 30 
messages that have been marked in this way. Am I missing the point of 
RDNS_NONE as a rule? What is it meant to actually be doing?

Regards,

Jimmy

Re: RDNS_NONE

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 29.09.08 14:14, Jimmy Stewpot wrote:
> I have recently been getting a huge increase in the number of emails 
> which are being marked as spam. In those emails I see that the headers 
> say RDNS_NONE. It seems that in most cases the remote servers in the 
> header do in fact reverse resolve. I have checked randomly in about 30 
> messages that have been marked in this way. Am I missing the point of 
> RDNS_NONE as a rule? What is it meant to actually be doing?

not only must the IP resolve to a name, but the name must resolve exactly to the
same IP (not even CNAME). Have you checked this?


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

Re: RDNS_NONE

Posted by mouss <mo...@netoyen.net>.
Jimmy Stewpot wrote:
> Hi There,
> 
> I have recently been getting a huge increase in the number of emails 
> which are being marked as spam. In those emails I see that the headers 
> say RDNS_NONE. 

unless you modified the score, this is irrelevant. the default is

score RDNS_NONE             0.1

which won't make a ham become spam.

> It seems that in most cases the remote servers in the 
> header do in fact reverse resolve.

an rDNS must be "confirmed" or it is ignored. it goes like this:

- take the IP. get its PTR:
$ host 140.211.11.2
2.11.211.140.in-addr.arpa domain name pointer hermes.apache.org.

- take the returned name and resolve it

$ host  hermes.apache.org
hermes.apache.org has address 140.211.11.2

so it yields the original IP. which is what we want.

if you don't do this, anyone who manages DNS for an IP block can claim 
that his IP is foo.microsoft.com or bar.paypal.com.

if an IP returns multiple PTRs, that's multiple opportunities for 
trouble. not only must the double resolution work for all the PTRs (only 
the first PTR is checked, but with round robin, any PTR may come first), 
which is enough to avoid multiple PTRs (which are useless and are not 
needed for multi-homing).


> I have checked randomly in about 30 
> messages that have been marked in this way. Am I missing the point of 
> RDNS_NONE as a rule? What is it meant to actually be doing?

it means SA couldn't determine the rDNS from MTA Received headers.
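The two-step check mouss describes (PTR lookup, then forward lookup of the returned name, confirmed only if the original IP comes back), written out as an added example. This is not SpamAssassin's code; the zone data is a constructed in-memory table so it runs offline, and a real deployment would plug in actual DNS lookups (for instance via dnspython) as the two lookup functions. The "first PTR only" behaviour and the round-robin caveat from the thread are modelled; the CNAME strictness Matus mentions is not.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check as described in the thread.

Added example, not SpamAssassin's own implementation. PTR_TABLE and
ADDR_TABLE are constructed sample zone data, not live DNS.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Lookup function types: reverse name -> PTR targets, hostname -> addresses.
PtrLookup = Callable[[str], List[str]]
AddrLookup = Callable[[str], List[str]]

# Constructed sample zone data (hypothetical; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges).
PTR_TABLE: Dict[str, List[str]] = {
    # The real-world pair quoted in the thread, reproduced as table entries.
    "2.11.211.140.in-addr.arpa": ["hermes.apache.org."],
    # Spoofing case from the thread: whoever controls the in-addr.arpa
    # zone for this block can claim any name they like in the PTR...
    "7.2.0.192.in-addr.arpa": ["foo.microsoft.com."],
    # Round-robin case: two PTRs, only one of which resolves back.
    "8.2.0.192.in-addr.arpa": ["mail.example.net.", "other.example.net."],
}
ADDR_TABLE: Dict[str, List[str]] = {
    "hermes.apache.org": ["140.211.11.2"],
    # ...but they do not control the forward zone, so the claimed name
    # resolves somewhere else and the PTR is never confirmed.
    "foo.microsoft.com": ["198.51.100.10"],
    "mail.example.net": ["192.0.2.8"],
    "other.example.net": ["192.0.2.9"],
}


def table_ptr(rev_name: str) -> List[str]:
    """PTR lookup against the constructed table (empty list = no PTR)."""
    return PTR_TABLE.get(rev_name, [])


def table_addr(name: str) -> List[str]:
    """Forward lookup against the constructed table (LookupError = NXDOMAIN)."""
    if name not in ADDR_TABLE:
        raise LookupError(name)
    return ADDR_TABLE[name]


def _forward(name: str, addr_lookup: AddrLookup) -> List[str]:
    """Forward-resolve a PTR target, treating a failed lookup as no addresses."""
    try:
        return addr_lookup(name.rstrip("."))
    except LookupError:
        return []


def fcrdns(ip: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> Tuple[str, str]:
    """Classify the connecting IP's reverse DNS.

    Returns (status, name) where status is:
      "none"        - no PTR at all (the situation RDNS_NONE reports)
      "unconfirmed" - a PTR exists but does not resolve back to the IP
      "confirmed"   - the PTR name resolves forward to the original IP
    Only the first PTR returned is examined, as the thread describes.
    """
    rev_name = ipaddress.ip_address(ip).reverse_pointer  # e.g. 2.11.211.140.in-addr.arpa
    names = ptr_lookup(rev_name)
    if not names:
        return "none", ""
    name = names[0].rstrip(".")
    if ip in _forward(name, addr_lookup):
        return "confirmed", name
    return "unconfirmed", name


def fcrdns_all_ptrs(ip: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> Dict[str, bool]:
    """Check every PTR for the IP, not just the first.

    With several PTRs served round robin, any of them may come first on a
    given query, so the check is only dependable if all of them confirm.
    """
    rev_name = ipaddress.ip_address(ip).reverse_pointer
    return {
        n.rstrip("."): ip in _forward(n, addr_lookup)
        for n in ptr_lookup(rev_name)
    }


if __name__ == "__main__":
    for ip in ("140.211.11.2", "192.0.2.7", "192.0.2.8", "192.0.2.1"):
        print(ip, fcrdns(ip, table_ptr, table_addr), fcrdns_all_ptrs(ip, table_ptr, table_addr))
```

The "unconfirmed" outcome is the one worth logging separately from "none": it is the state a forged PTR produces, and it is the one the original poster's random sampling would miss if only the presence of a PTR were checked.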