Re: [Asrg] What are the IPs that sends mail for a domain?

der Mouse <mouse@Rodents-Montreal.ORG> Fri, 19 June 2009 12:33 UTC

From: der Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <200906191233.IAA16882@Sparkle.Rodents-Montreal.ORG>
Date: Fri, 19 Jun 2009 08:17:25 -0400 (EDT)
To: Anti-Spam Research Group - IRTF <>
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?

>> The FQDN for a host is the host's FQDN.  As we've all noted, there
>> are lots of heuristics to guess domain names, none of which work.
> What about the other way around: given a domain and an IP address,
> can we say whether the IP address "is a member of" the domain?

We can.  We can also say the IP address and the domain live on the same
shelf in the supermarket, too; I'm not convinced either is a more
meaningful or useful statement than the other.

> Vhlo mentions the following three ways to determine that, without
> apparently resorting to heuristics.  I'm wondering how sound it is to
> rely on those, or similar, techniques.

If any of them results in a definition of "member of" that turns out to
be useful for whatever purpose you have in mind, sure.  I'm not sure
any of them does, but I'm also unclear on why you'd want this sort of
association between addresses and domains, so that doesn't mean much.

> * rDNS returns a name whose right part matches the domain name,
> * an MX record for the domain mentions a host with the given IP,
> * the IP address passes the SPF check for that domain.

One that's based on something designed for mail flowing to the domain;
one ditto for mail flowing from the domain; one that's based on
something not designed for mail at all.  Offhand, I'd guess that which
one is most appropriate depends on whether you're concerned with mail
flowing to the domain, mail flowing from the domain, or something other
than mail.

The things you list might be "without apparently resorting to
heuristics", and in a sense that's true, in that each one is
well-defined and has a mechanically testable definition. But that
doesn't keep them from being heuristics, depending on what you're using
them for.  Using MX records for anything other than determining what
host to connect to to deliver mail is, at best, a heuristic.  As is
each of the others, when used for anything other than its respective

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
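The three checks in the quoted list (rDNS right-part match, MX membership, SPF pass), implemented as an added example that is not code from the thread or any poster, against a constructed in-memory zone with documentation-range addresses so it runs offline; the SPF part is a deliberately minimal evaluator (a, mx, ip4 and all terms only, no include/redirect) assumed here for illustration, not a conforming implementation.

```python
import ipaddress

# Constructed in-memory zone (hypothetical names, documentation-range IPs).
ZONE = {
    ("example.org", "MX"): ["mail.example.org."],
    ("example.org", "A"): ["192.0.2.1"],
    ("example.org", "TXT"): ["v=spf1 mx a ip4:198.51.100.0/24 -all"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org."],
    ("7.0.0.203.in-addr.arpa", "PTR"): ["host7.isp.example.net."],
}

def lookup(name, rtype):
    return ZONE.get((name.rstrip(".").lower(), rtype), [])

def in_domain(name, domain):
    # Right-part match on a label boundary: "fooexample.org" must not match.
    n, d = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return n == d or n.endswith("." + d)

def rdns_member(ip, domain):
    # Check 1: the PTR name's right part is the domain.
    rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    return any(in_domain(ptr, domain) for ptr in lookup(rev, "PTR"))

def mx_member(ip, domain):
    # Check 2: some MX host of the domain resolves to this IP.
    return any(ip in lookup(mx, "A") for mx in lookup(domain, "MX"))

def spf_result(ip, domain):
    # Check 3: minimal SPF evaluator (a, mx, ip4, all; no include/redirect).
    recs = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not recs:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in recs[0].split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        hit = (term == "all" or (term == "a" and ip in lookup(domain, "A"))
               or (term == "mx" and mx_member(ip, domain))
               or (term.startswith("ip4:")
                   and addr in ipaddress.ip_network(term[4:], strict=False)))
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"  # no term matched and no explicit "all"

def membership(ip, domain):
    # The three answers can disagree for the same IP, which is the thread's point.
    return {"rdns": rdns_member(ip, domain), "mx": mx_member(ip, domain),
            "spf": spf_result(ip, domain)}
```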