North American Network Operators Group
Re: is reverse dns required? (policy question)
on Wed, Dec 01, 2004 at 11:27:54AM -0600, Robert Hayden wrote:
>
> Besides, if customers "need" it to make their mail work, choosing not to
> do it will be a good indication to your customers that another provider
> might be more supportive.
>
> Basic non-custom reverse DNS on everything is a "good thing" to put in
> place regardless.

Just a quick note: it's not a BCP yet, but it's also considered /extremely/
friendly by mail admins and others if you use a naming convention for your
rDNS that is easily placed into access.db and other "right-anchored" string
matching mechanisms.

e.g., if you have a dynamically assigned DSL range, and want to assign rDNS to
it based on the IP, 123-45-67-89.dsl.dyn.example.net is a lot easier to block
via rudimentary mechanisms than dsl-dyn-123-45-67-89.example.net, which
requires regular expression support due to the way sendmail deals with periods
in hostnames, etc. In the former example, I can just block all mail from
'.dyn.example.net'. In the latter, I need to check the rDNS against a group of
regular expressions for /every connection/, which is extremely slow, if
effective.

So, once you decide to provide rDNS across the board, and provide custom (or
"non-generic") rDNS for statically assigned addresses, please also make sure
that the naming convention you choose is consistent, friendly to antispam
systems, and indicative of the assignment type and/or technology in use, to
allow for more fine-tuned policy implementations.

Some good actors with sensible naming conventions:

personainc.net: all their dynamic hosts are in dyn.personainc.net
eatel.net: static are in static.eatel.net, dynamic in dynamic.eatel.net
sprint-hsd.net: static are in sta.sprint-hsd.net, dynamic in dyn.sprint-hsd.net
or dhcp.sprint-hsd.net

Many others use 'dsl' or 'adsl' or 'cable' etc. as a "subdomain", which is
helpful but often doesn't distinguish between static and dynamic at all;
others use geographic locations which don't indicate anything useful from an
antispam policy perspective.

FWIW, 40% or more of the inbound spam mail here comes from hosts with a
generic rDNS naming convention (even after DNSBLs and other obvious forgery
checks such as hosts using my domain(s)/IP(s) in HELO/EHLO). We simply
quarantine any mail from hosts without rDNS at all, and reject all mail from
non-whitelisted generic hosts.

--
join us! http://hesketh.com/about/careers/web_designer.html join us!
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html join us!
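An added Python sketch (not from the mail above or from any of the named providers) showing why the right-anchored convention is cheaper for an MTA to act on: the dyn.example.net host is caught by a plain suffix table, while the dsl-dyn- form needs a regex, and the quarantine/reject policy from the post is applied on top. The sample hostnames, suffix table, regex and the whitelist entry are all constructed for the example.

```python
import re
from typing import Optional

# Constructed sample hostnames for the two conventions contrasted in the post.
RIGHT_ANCHORED_HOST = "123-45-67-89.dsl.dyn.example.net"
LEFT_ANCHORED_HOST = "dsl-dyn-123-45-67-89.example.net"

# Right-anchored suffix table, the shape an access.db entry can match cheaply.
# Built from the conventions named in the post plus the example.net case.
GENERIC_SUFFIXES = (
    ".dyn.example.net",
    ".dyn.personainc.net",
    ".dynamic.eatel.net",
    ".dyn.sprint-hsd.net",
    ".dhcp.sprint-hsd.net",
)

# Left-anchored conventions put the type before the address, so a suffix
# match cannot see it; each such convention needs its own regular expression.
GENERIC_PATTERNS = (
    re.compile(r"^dsl-dyn-\d{1,3}(?:-\d{1,3}){3}\.example\.net$"),
)

# Hypothetical allowlist of generic hosts that are permitted to send anyway.
WHITELIST = frozenset({"dsl-dyn-10-0-0-5.example.net"})


def normalize(host: str) -> str:
    """Lower-case and strip the trailing dot a PTR answer may carry."""
    return host.rstrip(".").lower()


def is_generic_by_suffix(host: str) -> bool:
    """Cheap right-anchored check: one string comparison per suffix."""
    host = normalize(host)
    return any(host.endswith(suffix) for suffix in GENERIC_SUFFIXES)


def is_generic_by_regex(host: str) -> bool:
    """Fallback for left-anchored conventions; one regex run per pattern."""
    host = normalize(host)
    return any(p.match(host) for p in GENERIC_PATTERNS)


def policy(rdns: Optional[str]) -> str:
    """No rDNS -> quarantine; non-whitelisted generic rDNS -> reject; else accept."""
    if not rdns:
        return "quarantine"
    host = normalize(rdns)
    if host in WHITELIST:
        return "accept"
    if is_generic_by_suffix(host) or is_generic_by_regex(host):
        return "reject"
    return "accept"
```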