Bill Taroli:
>I wind up blocking mail from people like that for an entirely different
>reason. Basic DNS checking against the HELO string to be sure it
>resolves to the IP address the connection's actually coming from.

There are a few different ways to do DNS checks. I haven't seen this particular one suggested before. The correct check is:

    fDNS(rDNS(IP)) == IP

However, this check doesn't actually do very much; it just ensures that the IP address exists in the DNS system. The typical broken check is:

    rDNS(fDNS(HELO)) == HELO

This is wrong for a number of reasons, the main one being that not everyone has control of their reverse-DNS mapping. And in this terminology, you're doing:

    fDNS(HELO) == IP

That's a little better than the broken version, since you're comparing IP addresses. But it's still a bad idea to use HELO. For example, what if the mail sender likes to masquerade as example.com even though it is actually mail.example.com? If those two names have different IP addresses, then your check will reject the connection.

Anyway, how many connections/day are you using this check on? I find DNS checks to be fairly expensive due to how long they take, on the average. Most of them return quickly but a substantial minority go to a broken DNS server and take the full time-out period. Because of this I use DNS-based anti-spam measures late in the checking process, while it sounds like you are using this as your first line of defense.

And finally, if you want to run a check on the HELO string, I find that just rejecting outside connections that claim a HELO of your own hostname gets rid of a very high proportion of crapmail. This very simple check is successful enough that I'll probably publish a "notme_milter" at some point after spfmilter gets out of beta status.

---
Jef

Jef Poskanzer [EMAIL PROTECTED] http://www.acme.com/jef/
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
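
The three checks discussed in the message above, as an added example that is not part of the original post and is not code from notme_milter or spfmilter. The DNS tables, host names, addresses and function names are constructed for illustration; a live filter would replace `rdns` and `fdns` with real resolver calls that carry a time-out.

```python
import ipaddress

# Constructed DNS data (documentation address ranges) standing in for a live resolver.
PTR = {"192.0.2.10": ["mail.example.com"], "203.0.113.9": ["host9.isp.example"]}
A = {"mail.example.com": ["192.0.2.10"], "example.com": ["192.0.2.20"],
     "mx.ourdomain.example": ["198.51.100.25"]}

def rdns(ip):
    """Reverse lookup: IP -> list of PTR names (empty if none)."""
    return PTR.get(ip, [])

def fdns(name):
    """Forward lookup: name -> list of addresses (empty if none)."""
    return A.get(name.rstrip(".").lower(), [])

def fcrdns_ok(ip):
    """fDNS(rDNS(IP)) == IP: at least one PTR name resolves back to the IP."""
    return any(ip in fdns(name) for name in rdns(ip))

def helo_resolves_to_ip(helo, ip):
    """fDNS(HELO) == IP: the check described in the quoted text."""
    return ip in fdns(helo)

def helo_claims_us(helo, ip, our_names, our_nets):
    """True when an outside client presents one of our own hostnames as HELO."""
    addr = ipaddress.ip_address(ip)
    inside = any(addr in ipaddress.ip_network(net) for net in our_nets)
    return not inside and helo.rstrip(".").lower() in our_names

def evaluate(ip, helo, our_names, our_nets):
    """Run the local string check first; DNS lookups happen only if it passes."""
    if helo_claims_us(helo, ip, our_names, our_nets):
        return {"verdict": "reject", "reason": "HELO is our own hostname"}
    return {"verdict": "continue",
            "fcrdns": fcrdns_ok(ip),
            "helo_matches_ip": helo_resolves_to_ip(helo, ip)}

OUR_NAMES = {"mx.ourdomain.example"}   # hypothetical local hostname
OUR_NETS = ["198.51.100.0/24"]         # hypothetical local network

if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.com"),
                     ("192.0.2.10", "example.com"),          # masquerading sender
                     ("203.0.113.9", "mx.ourdomain.example")]:
        print(ip, helo, evaluate(ip, helo, OUR_NAMES, OUR_NETS))
```

The second sample connection is the masquerading case from the message: the sender passes fDNS(rDNS(IP)) == IP but fails fDNS(HELO) == IP because example.com and mail.example.com have different addresses.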