Reverse DNS Blocking

There was some discussion several years ago about issues with blocking
mail from MTAs whose IP address does not resolve via DNS. At that time
it was considered a bad idea to do that. However, with the volume of
spam continuing to grow, has there been any real change in that opinion?
I receive a lot of spam from IP addresses for which there is no DNS
entry. The cf file patches to do the blocking are at least one version,
if not more, old. I have no idea if they would work properly on the
current version or not. However, I have noticed that there is no mc
file option to do that blocking so I suspect that the community has not
really changed its view on the subject.
Doug Hardie [ Sun, 02 September 2007 11:28 ] [ ID #1810968 ]

Re: Reverse DNS Blocking

On Sun, 2 Sep 2007, Doug Hardie wrote:

>
> entry. The cf file patches to do the blocking are at least one version,
> if not more, old. I have no idea if they would work properly on the
> current version or not. However, I have noticed that there is no mc
> file option to do that blocking so I suspect that the community has not

HUH ?
How about you read the release notes for, oh, let's say 8.14.0?
It's only about 9 months old now.

--

Cheers
Res
Res [ Sun, 02 September 2007 11:45 ] [ ID #1810969 ]

Re: Reverse DNS Blocking

Doug Hardie <bc979 [at] lafn.org> writes:

> There was some discussion several years ago about issues with blocking
> mail from MTAs whose IP address does not resolve via DNS. At that time
> it was considered a bad idea to do that. However, with the volume of
> spam continuing to grow, has there been any real change in that
> opinion?
> I receive a lot of spam from IP addresses for which there is no DNS
> entry. The cf file patches to do the blocking are at least one version,
> if not more, old. I have no idea if they would work properly on the
> current version or not. However, I have noticed that there is no mc
> file option to do that blocking so I suspect that the community has not
> really changed its view on the subject.

See FEATURE(`require_rdns')

<quote src="RELEASE_NOTES">
8.14.0/8.14.0 2007/01/31
[...]
CONFIG: New FEATURE(`require_rdns') to reject messages from SMTP
clients whose IP address does not have proper reverse DNS.
Contributed by Neil Rickert of Northern Illinois University
and John Beck of Sun Microsystems.
</quote>

AFAIR it is available as a HACK at Neil's web site for older sendmail versions.

--
[pl>en: Andrew] Andrzej Adam Filip : anfi [at] priv.onet.pl : anfi [at] xl.wp.pl
Saints should always be judged guilty until they are proven innocent.
-- George Orwell
Andrzej Adam Filip [ Sun, 02 September 2007 12:42 ] [ ID #1810971 ]

Re: Reverse DNS Blocking

In article <Pine.LNX.4.64.0709021944050.2139 [at] ebfjryy.nhfvpf.arg>,
Res <res [at] ausics.net> wrote:

> On Sun, 2 Sep 2007, Doug Hardie wrote:
>
> >
> > entry. The cf file patches to do the blocking are at least one version,
> > if not more, old. I have no idea if they would work properly on the
> > current version or not. However, I have noticed that there is no mc
> > file option to do that blocking so I suspect that the community has not
>
> HUH ?
> How about you read the release notes for, oh, let's say 8.14.0?
> It's only about 9 months old now.

Interesting. I never expected that FreeBSD has not updated to 8.14. I
just discovered it's still at 8.13. No wonder I didn't find it.
However, given that the ability is there, is it still considered not a
good idea?
Doug Hardie [ Mon, 03 September 2007 04:14 ] [ ID #1811646 ]

Re: Reverse DNS Blocking

Doug Hardie wrote:
> Interesting. I never expected that FreeBSD has not updated to 8.14. I
> just discovered it's still at 8.13. No wonder I didn't find it.

8.14.1 is in the ports.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 [at] fidonet http://vas.tomsk.ru/
Victor Sudakov [ Mon, 03 September 2007 06:06 ] [ ID #1811649 ]

Re: Reverse DNS Blocking

On 9/2/2007 4:28 AM, Doug Hardie wrote:
> There was some discussion several years ago about issues with
> blocking mail from MTAs whose IP address does not resolve via DNS.
> At that time it was considered a bad idea to do that. However, with
> the volume of spam continuing to grow, has there been any real change
> in that opinion? I receive a lot of spam from IP addresses for which
> there is no DNS entry. The cf file patches to do the blocking are
> at least one version, if not more, old. I have no idea if they would
> work properly on the current version or not. However, I have noticed
> that there is no mc file option to do that blocking so I suspect that
> the community has not really changed its view on the subject.

As other posters have pointed out there is now an option built in to
8.14 to accomplish this.

As to whether or not this is a good idea, in short there is still a lot
of collateral damage for turning this filter on. There are a lot of
sites that, for whatever reason, do not have reverse DNS set up for
their IP address range.

In short, there are a lot of other ways to reduce the amount of spam you
get without as much collateral damage as this option.

Granted I agree with you that it should be safe to require reverse DNS.
I suppose that as long as you have a good white listing solution in
place, and you are willing to deal with the support issues that result,
then go for it.

I would be willing to require reverse DNS on my personal server but not
on my company server yet.



Grant. . . .
gtaylor [ Mon, 03 September 2007 06:54 ] [ ID #1811652 ]

Re: Reverse DNS Blocking

On Sun, 2 Sep 2007, Doug Hardie wrote:

>
> In article <Pine.LNX.4.64.0709021944050.2139 [at] ebfjryy.nhfvpf.arg>,
> Res <res [at] ausics.net> wrote:
>
>> On Sun, 2 Sep 2007, Doug Hardie wrote:
>>
>>>
>>> entry. The cf file patches to do the blocking are at least one version,
>>> if not more, old. I have no idea if they would work properly on the
>>> current version or not. However, I have noticed that there is no mc
>>> file option to do that blocking so I suspect that the community has not
>>
>> HUH ?
>> How about you read the release notes for, oh, let's say 8.14.0?
>> It's only about 9 months old now.
>
> Interesting. I never expected that FreeBSD has not updated to 8.14. I
> just discovered it's still at 8.13. No wonder I didn't find it.
> However, given that the ability is there, is it still considered not a
> good idea?

It's used on many major networks nowadays in many countries. I understand
even AOL has enforced it now for over 2 years. Most of us were using the
'hack' that has been freely available for many years; the sendmail FEATURE
is essentially that hack.



--

Cheers
Res
Res [ Mon, 03 September 2007 07:46 ] [ ID #1811653 ]

Re: Reverse DNS Blocking

Doug Hardie <bc979 [at] lafn.org> wrote:
>
> Interesting. I never expected that FreeBSD has not updated to 8.14. I
> just discovered it's still at 8.13. No wonder I didn't find it.

8.14.1 is included with FreeBSD 6-STABLE. Looks like it's been there
about four months now.

--
Warren Block * Rapid City, South Dakota * USA
Warren Block [ Mon, 03 September 2007 16:18 ] [ ID #1811661 ]

Re: Reverse DNS Blocking

Doug Hardie <bc979 [at] lafn.org> wrote:
> Interesting. I never expected that FreeBSD has not updated to 8.14. I
> just discovered it's still at 8.13. No wonder I didn't find it.
> However, given that the ability is there, is it still considered not a
> good idea?

csup stable-supfile

HTH
Clemens.
--
/"\ http://czauner.onlineloop.com/
\ / ASCII RIBBON CAMPAIGN
X AGAINST HTML MAIL
/ \ AND POSTINGS
Clemens Zauner [ Thu, 06 September 2007 00:32 ] [ ID #1813444 ]

Re: Reverse DNS Blocking

Doug Hardie <bc979 [at] lafn.org> writes in comp.mail.sendmail:

> There was some discussion several years ago about issues with blocking
> mail from MTAs whose IP address does not resolve via DNS. At that time
> it was considered a bad idea to do that. However, with the volume of
> spam continuing to grow, has there been any real change in that opinion?
> I receive a lot of spam from IP addresses for which there is no DNS
> entry. The cf file patches to do the blocking are at least one version,
> if not more, old. I have no idea if they would work properly on the
> current version or not. However, I have noticed that there is no mc
> file option to do that blocking so I suspect that the community has not
> really changed its view on the subject.

Blocking can probably be done by just using the ${client_resolve} macro.

doc/op/op.me:

${client_resolve}
Holds the result of the resolve call for
${client_name}. Possible values are:

OK      resolved successfully
FAIL    permanent lookup failure
FORGED  forward lookup doesn't match reverse lookup
TEMP    temporary lookup failure

Defined in the SMTP server only. sendmail performs
a hostname lookup on the IP address of the
connecting client. Next the IP addresses of that
hostname are looked up. If the client IP address
does not appear in that list, then the hostname
is maybe forged. This is reflected as the value
FORGED for ${client_resolve} and it also shows up
in $_ as "(may be forged)".

/ Kari Hurtta
Kari Hurtta [ Thu, 06 September 2007 16:58 ] [ ID #1814339 ]
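As an added example (not code from the thread or from sendmail), here is the forward-confirmed lookup that the op.me text describes, written in Python with the resolver injected so it runs against constructed sample data; the accept/4xx/5xx policy and the SMTP AUTH exemption in rdns_policy are assumptions of this example, not sendmail's exact rules.

```python
from typing import Callable, Iterable, Optional

# Resolver callbacks are injected so the check runs offline against the
# constructed sample data below. ptr(ip) returns the PTR hostname or None
# when there is none; forward(name) returns that name's address list.
# Both raise TimeoutError on a temporary failure (convention of this example).
PtrLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], Iterable[str]]

def client_resolve(ip: str, ptr: PtrLookup, forward: ForwardLookup) -> str:
    """Classify the connecting client as op.me describes ${client_resolve}:
    OK, FAIL, FORGED or TEMP."""
    try:
        name = ptr(ip)                       # step 1: IP -> hostname
    except TimeoutError:
        return "TEMP"
    if name is None:
        return "FAIL"                        # no PTR at all: permanent failure
    try:
        addrs = set(forward(name))           # step 2: hostname -> IP list
    except TimeoutError:
        return "TEMP"
    # Forward-confirmed rDNS: the PTR name must map back to the client IP,
    # otherwise the hostname "may be forged".
    return "OK" if ip in addrs else "FORGED"

def rdns_policy(ip: str, authenticated: bool, ptr: PtrLookup,
                forward: ForwardLookup) -> tuple:
    """Illustrative require_rdns-style decision (an assumption of this example,
    not sendmail's exact rule set): authenticated clients are exempted, TEMP
    gets a 4xx so a legitimate sender retries, FAIL and FORGED get a 5xx."""
    if authenticated:
        return ("accept", None)
    status = client_resolve(ip, ptr, forward)
    if status == "OK":
        return ("accept", None)
    if status == "TEMP":
        return ("tempfail", "450 4.7.1 Client address lookup failed temporarily")
    return ("reject", f"550 5.7.1 Client {ip} has no proper reverse DNS ({status})")

# Constructed sample "zone": one consistent host, one forged PTR, one address
# with no PTR and one whose lookup times out. Not real DNS data.
def sample_ptr(ip: str) -> Optional[str]:
    if ip == "192.0.2.40":
        raise TimeoutError("constructed: resolver timed out")
    return {"192.0.2.10": "mx.example.org", "192.0.2.20": "mail.example.com"}.get(ip)

def sample_forward(name: str) -> Iterable[str]:
    return {"mx.example.org": ["192.0.2.10"], "mail.example.com": ["198.51.100.5"]}.get(name, [])
```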

Re: Reverse DNS Blocking

I enabled reverse dns requirement for a small 100-person corporate
account a year ago.

The collateral damage was insane, there were so many "quasi-
legitimate" senders.

We did POP3-before-SMTP relaying, and users with SmartPhone PDAs
could send/receive email. But most wireless carriers don't reverse, so
all those users couldn't send. Users at home had issues because a lot
of broadband carriers don't reverse. Not to mention all the missing
incoming email from orgs that are incompetent regarding DNS.

It's a great rule, and it stops a lot of spam, but it's just not
feasible.

AOL can get away with it because they are big and can flex their
might. And since people want to send to AOL at any cost, they will
abide by AOL's rules.
John Von Essen [ Sat, 08 September 2007 17:15 ] [ ID #1815874 ]

Re: Reverse DNS Blocking [SMTP AUTH and FEATURE(`delay_checks')]

"john [at] essenz.com" <john [at] essenz.com> writes:

> I enabled reverse dns requirement for a small 100-person corporate
> account a year ago.
>
> The collateral damage was insane, there were so many "quasi-
> legitimate" senders.
>
> We did POP3-before-SMTP relaying, and users with SmartPhone PDAs
> could send/receive email. But most wireless carriers don't reverse, so
> all those users couldn't send. Users at home had issues because a lot
> of broadband carriers don't reverse. Not to mention all the missing
> incoming email from orgs that are incompetent regarding DNS.
>
> It's a great rule, and it stops a lot of spam, but it's just not
> feasible.
>
> AOL can get away with it because they are big and can flex their
> might. And since people want to send to AOL at any cost, they will
> abide by AOL's rules.

Have you used FEATURE(`delay_checks')?
It should exclude users using SMTP AUTH from RDNS checks and
solve the kind of problems you mention.

--
[pl>en: Andrew] Andrzej Adam Filip : anfi [at] priv.onet.pl : anfi [at] xl.wp.pl
We apologize for the inconvenience, but we'd still like you to test out
this kernel.
-- Linus Torvalds, announcing another kernel patch
Andrzej Filip [ Sat, 08 September 2007 18:01 ] [ ID #1815875 ]

Re: Reverse DNS Blocking

On Sat, 8 Sep 2007, john [at] essenz.com wrote:

>
> I enabled reverse dns requirement for a small 100-person corporate
> account a year ago.
>
> The collateral damage was insane, there were so many "quasi-
> legitimate" senders.
>
> We did POP3-before-SMTP relaying, and users with SmartPhone PDAs
> could send/receive email. But most wireless carriers don't reverse, so
> all those users couldn't send. Users at home had issues because a lot
> of broadband carriers don't reverse. Not to mention all the missing
> incoming email from orgs that are incompetent regarding DNS.
>
> It's a great rule, and it stops a lot of spam, but it's just not
> feasible.
>
> AOL can get away with it because they are big and can flex their
> might. And since people want to send to AOL at any cost, they will
> abide by AOL's rules.

So you suggest we continue to make our systems more vulnerable to spam and
abuse just because of someone else's incompetence?

Doesn't make sense to me.


--

Cheers
Res
Res [ Sun, 09 September 2007 00:53 ] [ ID #1816226 ]

Re: Reverse DNS Blocking

On Sun, 02 Sep 2007 19:14:48 -0700, Doug Hardie <bc979 [at] lafn.org> wrote:
>In article <Pine.LNX.4.64.0709021944050.2139 [at] ebfjryy.nhfvpf.arg>,
>Res <res [at] ausics.net> wrote:
>>On Sun, 2 Sep 2007, Doug Hardie wrote:
>>> entry. The cf file patches to do the blocking are at least one version,
>>> if not more, old. I have no idea if they would work properly on the
>>> current version or not. However, I have noticed that there is no mc
>>> file option to do that blocking so I suspect that the community has not
>>
>> HUH ?
>> How about you read the release notes for, oh, let's say 8.14.0?
>> It's only about 9 months old now.
>
> Interesting. I never expected that FreeBSD has not updated to 8.14.
> I just discovered it's still at 8.13. No wonder I didn't find it.
> However, given that the ability is there, is it still considered not a
> good idea?

Are you _really_ sure?

Which version of FreeBSD are you using? Sendmail has been upgraded to
8.14.1 in the STABLE branch of FreeBSD some time ago.
Giorgos Keramidas [ Wed, 26 September 2007 23:54 ] [ ID #1830180 ]