SMTP DNS authorization
I have proposed before that an SMTP server should reasonably require
two things of an SMTP client's DNS records, with a fallback rule for the second:
1) a reverse PTR record for the client's IP address;
2) a forward MX lookup on the hostname from that PTR record that contains
either that hostname itself or a hostname resolving to the SMTP client's
IP address;
3) if no MX record exists, strip the leftmost label off the name and
try again, stopping once you've tried a name with only two labels.
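A worked implementation of the three rules above, added here as an example; it is not code from the original page. It runs against a constructed in-memory DNS table instead of live lookups: the PTR entries for 62.195.91.228, 194.217.242.80 and 202.71.232.178 mirror the dig output shown further down this page, while the 192.0.2.x and 198.51.100.x hosts, example.net, relay.example.net and example.com records are hypothetical, invented to show a passing declaration and a domain that has mail but never declared this particular host. Where rule 3 says "if no MX record exists", the code reads it literally: it keeps stripping labels only while no MX is found, and fails as soon as an MX exists that names neither the PTR host nor the client's address.

```python
"""SDA (SMTP DNS Authorization) check run against a constructed DNS table.

Example code written to illustrate the three rules; the lookup_* functions
are stubs over in-memory dicts so the module runs offline.  Replace them
with a real resolver to apply the check to a live SMTP connection.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Constructed DNS data (not live lookups) --------------------------------
# PTR entries for the three public IPs mirror the dig output on this page;
# the 192.0.2.0/24 and 198.51.100.0/24 hosts, example.net, relay.example.net
# and example.com are hypothetical, made up for the passing and failing cases.
PTR_RECORDS: Dict[str, str] = {
    "62.195.91.228": "node-d-5be4.a2000.nl.",
    "194.217.242.80": "anchor-post-39.mail.demon.net.",
    "202.71.232.178": "vp232178.static.uac1.hknet.com.",
    "192.0.2.10": "mail.example.net.",              # declared: MX names the host itself
    "192.0.2.20": "smtp-out-3.relay.example.net.",  # declared: MX host resolves to this IP
    "198.51.100.7": "dsl-7.pool.example.com.",      # domain has mail, but not from this host
}
MX_RECORDS: Dict[str, List[str]] = {
    "example.net": ["mail.example.net", "mx2.example.net"],
    "relay.example.net": ["relay.example.net"],
    "example.com": ["mail.example.com"],
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "mx2.example.net": ["192.0.2.11"],
    "relay.example.net": ["192.0.2.20"],
    "mail.example.com": ["198.51.100.1"],
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot that dig prints."""
    return name.rstrip(".").lower()


def lookup_ptr(ip: str) -> Optional[str]:
    name = PTR_RECORDS.get(ip)
    return normalize(name) if name else None


def lookup_mx(name: str) -> List[str]:
    return [normalize(h) for h in MX_RECORDS.get(normalize(name), [])]


def lookup_a(name: str) -> List[str]:
    return A_RECORDS.get(normalize(name), [])


@dataclass
class SdaResult:
    ok: bool
    reason: str
    ptr_name: Optional[str] = None
    mx_zone: Optional[str] = None   # name whose MX record decided the result


def sda_check(client_ip: str, min_labels: int = 2) -> SdaResult:
    """Apply the three SDA rules to the IP address of a connecting SMTP client."""
    # Rule 1: the client IP must have a PTR record.
    ptr_name = lookup_ptr(client_ip)
    if ptr_name is None:
        return SdaResult(False, "no reverse DNS")

    # Rules 2 and 3: MX lookup on the PTR name, stripping the leftmost label
    # while no MX exists, down to a name with min_labels labels.
    labels = ptr_name.split(".")
    for start in range(len(labels)):
        zone_labels = labels[start:]
        if len(zone_labels) < min_labels:
            break                          # tried the two-label name already
        zone = ".".join(zone_labels)
        mx_hosts = lookup_mx(zone)
        if not mx_hosts:
            continue                       # "none exists": strip a label, try again
        for mx_host in mx_hosts:
            if mx_host == ptr_name or client_ip in lookup_a(mx_host):
                return SdaResult(True, f"MX for {zone} declares {ptr_name}", ptr_name, zone)
        # An MX exists but declares some other host: nobody said this machine
        # was meant to run an SMTP client, which is the open-proxy/trojan case.
        return SdaResult(False, f"MX for {zone} does not name {ptr_name} or {client_ip}",
                         ptr_name, zone)
    return SdaResult(False, "no MX record", ptr_name)


if __name__ == "__main__":
    for ip in ("62.195.91.228", "194.217.242.80", "80.57.64.154",
               "202.71.232.178", "192.0.2.10", "192.0.2.20", "198.51.100.7"):
        r = sda_check(ip)
        print(f"{ip:16} {'accept' if r.ok else 'blocked':8} {r.reason}")
```

The three constructed outcomes are the ones an operator cares about: "no reverse DNS" and "no MX record" are the two blocks the dig transcript below shows, and the 198.51.100.7 case is the one SDA adds over a plain reverse-DNS check, a domain that clearly runs mail but whose MX never vouches for the dial-up host that connected.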
I'm going to start calling it "SMTP DNS Authorization", aka SDA.
This has been shot down as being too radical. Is there anybody who
isn't radical enough these days? This requirement would stop open
proxies running on client machines, and trojaned client machines, dead
in their tracks. SDA doesn't stop anybody from sending email; it
just requires a declaration in the DNS that says "Yeah, we really
*did* mean to run an SMTP client on this machine".
Note that this is not designated sender, which stops forgeries.
Designated sender works off the hostname of the envelope sender. SDA
works off the hostname that comes from the reverse DNS entry belonging
to the IP address of the SMTP client.
Yes, I'm aware that a significant number of hosts don't even have
reverse DNS. Tough. 'bout time we threw the lamers off the net. If
you can't be bothered to set up at least reverse DNS, I don't want
your email. I really don't. Not at all.
How do we get there from here? In two stages. First, we require
reverse DNS. Second, we require SDA. Not by outright binary blocking
of email, but by applying a sanction to caught emails. Bounce them
back between the hours of 10AM and 11AM. Temporarily defer
connections from these machines for the first 24 hours since you first
heard from them. Deliver the email, but send a whine-o-gram to the
DNS admin given in the SOA record, or to the sender. Tag the email as
"Possible Spam". Increase the weight applied to a lack of reverse DNS
in SpamAssassin.
Let's look at some spam entries:
[root@ns root]# dig -x 62.195.91.228
228.91.195.62.in-addr.arpa. 69858 PTR node-d-5be4.a2000.nl.
[root@ns root]# dig mx node-d-5be4.a2000.nl
no MX record. blocked.
[root@ns root]# dig -x 194.217.242.80
80.242.217.194.in-addr.arpa. 900 PTR anchor-post-39.mail.demon.net.
[root@ns root]# dig mx anchor-post-39.mail.demon.net
no MX record. blocked.
[root@ns root]# dig -x 80.57.64.154
no reverse DNS. blocked.
[root@ns root]# dig -x 202.108.255.198
no reverse DNS. blocked.
[root@ns root]# dig -x 202.71.232.178
178.232.71.202.in-addr.arpa. 33328 PTR vp232178.static.uac1.hknet.com.
[root@ns root]# dig mx vp232178.static.uac1.hknet.com
no MX record. blocked.
[root@ns root]# dig -x 61.241.122.213
no reverse DNS. blocked.
[root@ns root]# dig -x 80.88.131.235
no reverse DNS. blocked.
Russell Nelson
Last modified: Mon May 19 15:04:25 EDT 2003