Giampaolo Tomassoni wrote:
But... this is automatically enforced by most ISPs. What's the meaning of this?!?
Suppose I have this in my virtual domain yoyodine.com:
@ MX 10 mta.yoyodine.com.
mta A 1.2.3.4
When my MTA connects to yours, you see that I'm connecting from 1.2.3.4, issue
a DNS PTR request 4.3.2.1.in-addr.arpa. and obtain, say, c4-l3-t2.isp.net.
Then, if your MTA issues a DNS A request
for c4-l3-t2.isp.net and my ISP is not that bad (i.e.: it follows your guidelines), your
MTA should get a 1.2.3.4 reply. Your MTA ends saying "Ok".
If the client's ISP is not rfc-1912-conformant, your MTA says: "Bad".
So, what's the purpose of this? Penalize people who got a rfc-1912
non-conforming ISP?
It is my observation that the messages which come from an immediate
relay that:
A) does not have a PTR record, or
B) has forged DNS (PTR record doesn't lead to an A record which resolves
back to the SMTP client's IP address), or
C) has a hostname that appears to be an end-client of some other network
than my own (contains its own IP addr in the hostname, contains words
like "dynamic", "dsl", "dial-up", etc.)
are generating spam. The reason is: they're spam/virus bots that are
spewing infection at every mail server to which they can get a
connection. I have yet to come across an exception to my observation
(for my own experience). I have been compiling this observation for 2
years, and practicing it on my home server for 15 months. I plan to put
it into production at work in 3 months.
Enforcing the RFC 1912 guideline, in a strict interpretation, supports A
and B. If the SMTP client passes A and B, I can then comfortably use
that hostname for the check in C.
In order to exempt my own legitimate users, I skip the check if they're
on my IP block OR if they do SMTP-AUTH.
The one thing I'm thinking about changing is, at home I _reject_
messages that fail these checks (using filter_sender in mimedefang).
I'm thinking that, for the production systems at work, just to cover
that incredibly small percentage of people who can't or won't use their
ISP's mail server or do SMTP-AUTH, I'll merely quarantine their
messages, via SpamAssassin score, instead of rejecting them.
Thus my interest in moving this to SA rules and/or plugin.
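The three checks described in the reply above (A: no PTR, B: PTR does not lead back to the connecting IP, C: hostname that looks like an end-client), with the exemption for the local IP block or SMTP-AUTH, as an added worked example. This is not code from the thread or from mimedefang/SpamAssassin; the DNS lookups are replaced by constructed in-memory tables (the hostnames and addresses are made up for illustration) so it runs offline, and the word list used for check C is an assumption, not one the poster gave.

```python
import ipaddress
import re

# Constructed stand-ins for live DNS (not real hosts).
# PTR: connecting IP -> reverse name. A: name -> set of forward addresses.
PTR_TABLE = {
    "1.2.3.4": "c4-l3-t2.isp.net",               # consistent forward/reverse, generic name
    "5.6.7.8": "mail.example.org",               # reverse name whose A record points elsewhere
    "10.20.30.40": "dsl-10-20-30-40.isp.example",  # consistent, but looks like an end-client
}
A_TABLE = {
    "c4-l3-t2.isp.net": {"1.2.3.4"},
    "mail.example.org": {"9.9.9.9"},
    "dsl-10-20-30-40.isp.example": {"10.20.30.40"},
}


def lookup_ptr(ip):
    """Reverse lookup against the constructed table; None means no PTR record."""
    return PTR_TABLE.get(ip)


def lookup_a(hostname):
    """Forward lookup against the constructed table; empty set means no A record."""
    return A_TABLE.get(hostname, set())


# Assumed vocabulary for check C; tune to local observation.
DYNAMIC_WORDS = re.compile(r"\b(dynamic|dsl|dial-?up|ppp|cable|pool|dhcp)\b", re.I)


def looks_dynamic(hostname, ip):
    """Check C: hostname embeds its own IP, or carries an end-client keyword."""
    name = hostname.lower().rstrip(".")
    tokens = re.split(r"[.\-_]", name)
    # All four octets appear as separate labels, e.g. dsl-10-20-30-40.isp.example
    if all(octet in tokens for octet in ip.split(".")):
        return True
    # Split on separators so the word match sees "dsl" in "dsl-10-20-...".
    return bool(DYNAMIC_WORDS.search(name.replace("-", " ").replace(".", " ")))


def classify(ip, local_nets, authenticated, ptr=lookup_ptr, a=lookup_a):
    """Return the verdict for an SMTP client: EXEMPT, A_NO_PTR, B_FORGED_DNS,
    C_DYNAMIC_HOST or OK. ptr/a are injectable so a real resolver can be used."""
    addr = ipaddress.ip_address(ip)
    if authenticated or any(addr in ipaddress.ip_network(n) for n in local_nets):
        return "EXEMPT"
    hostname = ptr(ip)
    if hostname is None:
        return "A_NO_PTR"
    # Forward-confirm: the reverse name must resolve back to the connecting IP.
    if ip not in a(hostname):
        return "B_FORGED_DNS"
    if looks_dynamic(hostname, ip):
        return "C_DYNAMIC_HOST"
    return "OK"


if __name__ == "__main__":
    for client in ("1.2.3.4", "203.0.113.9", "5.6.7.8", "10.20.30.40", "192.168.1.10"):
        print(client, classify(client, ["192.168.1.0/24"], authenticated=False))
```

The verdict string is meant to feed either a reject decision (the filter_sender approach) or a score contribution (the quarantine approach), so the same logic serves both deployments the reply discusses. Check B is only run once A has passed, and C only once B has passed, matching the ordering in the post: a hostname is trusted for the keyword test only after forward and reverse DNS agree. In production the two lookup callables would be replaced with real resolver queries.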