Re: [Asrg] What are the IPs that sends mail for a domain?

Rich Kulawiec <rsk@gsp.org> Fri, 19 June 2009 17:54 UTC

Return-Path: <rsk@gsp.org>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F37FD3A6A61 for <asrg@core3.amsl.com>; Fri, 19 Jun 2009 10:54:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qyw9zGoptGlH for <asrg@core3.amsl.com>; Fri, 19 Jun 2009 10:54:11 -0700 (PDT)
Received: from taos.firemountain.net (taos.firemountain.net [207.114.3.54]) by core3.amsl.com (Postfix) with ESMTP id 037A13A6A58 for <asrg@irtf.org>; Fri, 19 Jun 2009 10:54:10 -0700 (PDT)
Received: from squonk.gsp.org (bltmd-207.114.17.162.dsl.charm.net [207.114.17.162]) by taos.firemountain.net (8.14.1/8.14.1) with ESMTP id n5JHsMRn015697 for <asrg@irtf.org>; Fri, 19 Jun 2009 13:54:23 -0400 (EDT)
Received: from avatar.gsp.org (avatar.gsp.org [192.168.0.11]) by squonk.gsp.org (8.14.1/8.14.1) with ESMTP id n5JHo1Ft009832 for <asrg@irtf.org>; Fri, 19 Jun 2009 13:50:02 -0400 (EDT)
Received: from avatar.gsp.org (localhost [127.0.0.1]) by avatar.gsp.org (8.14.3/8.14.3/Debian-4) with ESMTP id n5JHsGuo021689 for <asrg@irtf.org>; Fri, 19 Jun 2009 13:54:16 -0400
Received: (from rsk@localhost) by avatar.gsp.org (8.14.3/8.14.3/Submit) id n5JHsGvg021688 for asrg@irtf.org; Fri, 19 Jun 2009 13:54:16 -0400
Date: Fri, 19 Jun 2009 13:54:16 -0400
From: Rich Kulawiec <rsk@gsp.org>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <20090619175416.GA21653@gsp.org>
References: <20090618214221.9359.qmail@simone.iecc.com> <200906182200.SAA05569@Sparkle.Rodents-Montreal.ORG>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200906182200.SAA05569@Sparkle.Rodents-Montreal.ORG>
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2009 17:54:12 -0000

On Thu, Jun 18, 2009 at 05:57:03PM -0400, der Mouse wrote:
> > The problems were technical, putting records other than PTR in the
> > rDNS zone.  That's why Dave and I came up with CSV.
> 
> > Pretty please, read http://www.mipassoc.org/csv/ if you want to
> > continue this discussion.
> 
> Offhand, I don't see anything there that explains what's wrong with
> putting records other than PTR under an rDNS zone.  Certainly _some_
> non-PTR record types cause no problems, such as CNAME and zone cut
> administrative records like SOA and NS.  In short, I don't see what's
> wrong with XM from a technical standpoint.  What am I missing?

Let me see if I can find the archives of that discussion and produce
a synopsis.  (I don't want to misrepresent what John and/or Dave said
about it at the time.)

Meanwhile, let me say something about the intent -- as I had it in mind
when I brought it up.  I did so at the time that we were being increasingly
faced with zombie-originated spam, and were looking for ways to make it stop,
since clearly the irresponsible network operators hosting all those zombies
didn't treat it as an emergency requiring a whatever-it-takes commitment.
(And most of them still don't, and yet have the audacity to whine when
they find their entire networks blacklisted out of exasperation that even
given YEARS to solve this urgent problem...they still haven't.)

Anyway, the point was not to make any assertion about who might be
sending mail or what domains it might be from or what might be in it:
just "this host sends mail or it doesn't".  Leaving XM=0 for acres
and acres of network space and checking for it on MX's would have the
effect of stopping zombie-direct-to-MX spam.  Of course it does nothing
for zombie-relayed-through-local-mail-system spam and nothing for all
the other nastiness zombies do: it was intended as a band-aid, no more.

Now...were I to advance this today (which I probably wouldn't given
that CSV is around) I'd suggest that it be done with forward DNS,
not reverse, and that it be checked IFF matching forward and reverse
DNS exist.  (Because if either doesn't exist or they don't match, that's
enough to reject on already.)

Anyway, let me go fish for the discussion-at-the-time and see if I can't
explain why my idea wasn't and probably still isn't a very good one.

---Rsk
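An added illustration of the second variant sketched in the message above (forward-DNS marker, consulted only once forward-confirmed reverse DNS holds). This is example code written for this page, not code from the post, the ASRG or the CSV project. The thread never defines a record type or syntax for "XM", so the example assumes a TXT record at the host's forward name carrying the token xm=1 or xm=0; the DNS data is a constructed in-memory table so the check runs offline, and the names and addresses in it are documentation-range placeholders.

```python
"""Added example (not from the original post): a decision procedure that models
the second suggestion in the message above -- check forward-confirmed reverse
DNS (FCrDNS) first, reject on any mismatch, and only when it holds consult a
"does this host send mail" marker published in *forward* DNS.

Assumptions (none of these are specified in the post):
  * The marker is a TXT record at the host's forward name containing the
    token "xm=1" (sends mail) or "xm=0" (does not).  "XM" in the thread is a
    hypothetical record; no real RRtype or syntax exists for it.
  * DNS answers come from a constructed in-memory table so the example runs
    offline; a real MTA hook would query a resolver instead.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class StubResolver:
    """Constructed stand-in for DNS; names are lower-case and end in '.'."""
    ptr: dict = field(default_factory=dict)  # ip   -> [hostnames]
    a:   dict = field(default_factory=dict)  # name -> [ips]
    txt: dict = field(default_factory=dict)  # name -> [txt strings]

    def reverse(self, ip):
        return self.ptr.get(ip, [])

    def forward(self, name):
        return self.a.get(name.lower(), [])

    def text(self, name):
        return self.txt.get(name.lower(), [])


def fcrdns_names(ip, resolver):
    """PTR names of `ip` whose forward answer contains `ip` again.
    An empty list means no PTR at all, or no name that points back."""
    ip = str(ipaddress.ip_address(ip))  # canonical text form; rejects junk input
    return [n.lower() for n in resolver.reverse(ip) if ip in resolver.forward(n)]


def mail_sender_marker(name, resolver):
    """Parse the assumed marker from TXT at `name`: True (xm=1), False (xm=0),
    or None when no record carries a recognised token."""
    for rr in resolver.text(name):
        for token in rr.split():
            t = token.lower()
            if t == "xm=1":
                return True
            if t == "xm=0":
                return False
    return None


def check_connecting_host(ip, resolver):
    """Return (verdict, reason).  verdict is 'reject', 'accept' or 'none';
    'none' means this check has nothing to say and later checks decide."""
    names = fcrdns_names(ip, resolver)
    if not names:
        # The post's point: missing or mismatched rDNS is already reason enough.
        return "reject", "no forward-confirmed reverse DNS for %s" % ip
    markers = {n: mail_sender_marker(n, resolver) for n in names}
    if any(m is True for m in markers.values()):
        return "accept", "host publishes xm=1 at a confirmed name"
    if any(m is False for m in markers.values()):
        return "reject", "host publishes xm=0 (declares it does not send mail)"
    return "none", "FCrDNS ok but no marker published for " + ", ".join(names)


# Constructed sample zone data (documentation-range addresses and names only).
SAMPLE_DNS = StubResolver(
    ptr={
        "192.0.2.10": ["mx1.example.net."],          # a real MTA, marked xm=1
        "192.0.2.20": ["dsl-20.pool.example.net."],  # broadband pool, marked xm=0
        "192.0.2.30": ["spoofed.example.org."],      # PTR name does not point back
        "192.0.2.50": ["plain.example.net."],        # FCrDNS ok, no marker
        # 192.0.2.40 deliberately has no PTR at all
    },
    a={
        "mx1.example.net.": ["192.0.2.10"],
        "dsl-20.pool.example.net.": ["192.0.2.20"],
        "spoofed.example.org.": ["198.51.100.7"],
        "plain.example.net.": ["192.0.2.50"],
    },
    txt={
        "mx1.example.net.": ["xm=1"],
        "dsl-20.pool.example.net.": ["xm=0"],
    },
)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50"):
        print(ip, *check_connecting_host(ip, SAMPLE_DNS))
```

The ordering is the point of the post: the FCrDNS test is cheap and already a rejection criterion on its own, so the marker is only ever consulted for hosts whose operator controls both the forward and the reverse name. A host with consistent DNS but no marker gets "none" rather than a rejection, matching the band-aid intent (it only stops hosts explicitly marked as non-senders, and says nothing about mail relayed through a legitimate MTA).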