Re: [Asrg] seeking comments on new RMX article

Vernon Schryver <vjs@calcite.rhyolite.com> Tue, 06 May 2003 14:04 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA22167 for <asrg-archive@odin.ietf.org>; Tue, 6 May 2003 10:04:37 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h46ED7x26331 for asrg-archive@odin.ietf.org; Tue, 6 May 2003 10:13:07 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h46ED7826328 for <asrg-web-archive@optimus.ietf.org>; Tue, 6 May 2003 10:13:07 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA22110; Tue, 6 May 2003 10:04:07 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19D35A-00074j-00; Tue, 06 May 2003 10:06:12 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19D359-00074g-00; Tue, 06 May 2003 10:06:11 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h46EB6826242; Tue, 6 May 2003 10:11:06 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h46E8p826111 for <asrg@optimus.ietf.org>; Tue, 6 May 2003 10:08:51 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA21839 for <asrg@ietf.org>; Tue, 6 May 2003 09:59:51 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19D311-00073C-00 for asrg@ietf.org; Tue, 06 May 2003 10:01:55 -0400
Received: from calcite.rhyolite.com ([192.188.61.3]) by ietf-mx with esmtp (Exim 4.12) id 19D310-000739-00 for asrg@ietf.org; Tue, 06 May 2003 10:01:55 -0400
Received: (from vjs@localhost) by calcite.rhyolite.com (8.12.9/8.12.9) id h46E2iMD004172 for asrg@ietf.org env-from <vjs>; Tue, 6 May 2003 08:02:44 -0600 (MDT)
From: Vernon Schryver <vjs@calcite.rhyolite.com>
Message-Id: <200305061402.h46E2iMD004172@calcite.rhyolite.com>
To: asrg@ietf.org
Subject: Re: [Asrg] seeking comments on new RMX article
References: <aT5vaIe86J8qbrFBE02@x>
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Tue, 06 May 2003 08:02:44 -0600

> From: Scott Nelson <scott@spamwolf.com>

> ...
> Reverse DNS is controlled by the IP.
> If they have an rDNS, you would do about as well by skipping
> the rDNS and using the HELO to do a forward look up.
> Of course, having rDNS is also a sign of clue, 
> and many spammers are lacking in that which makes the mere presence
> of rDNS a good test.

The RMX check as I understand it is intended to ask the people who own
the envelope sender domain name if the IP address of the SMTP client is
authorized to send mail with that sender name.  If the HELO value matches
the sender name, and if one of the IP addresses of the HELO value is that
of the SMTP client, then the SMTP client is authorized.

The reason to check reverse DNS name is to cover the case when the
SMTP client is authorized to send mail for more than one domain name.


> And I think it would have a better false positive rate /and/ a better 
> false negative rate then reverse DNS + envelope sender domain.
> Lots of spam has forged headers and envelopes.  Some spam even
> has forged rDNS.  Both would catch the first part, but only
> RMX would catch the last.

How do you "forge" reverse DNS?   My dictionary says that forgery has
something to do with being false.  If you check that one of the IP addresses
for the reverse DNS name is the IP address whose reverse DNS name you
looked up, then reverse DNS forgery is practically impossible for
spam.  (Of course, without DNSSEC, there are other attacks, but they
could also be used against the RMX bits.)


> ...
> >Wouldn't be simpler to tell everyone to compare your sender domain name
> >with your reverse DNS?
>
> rDNS does not support multiple domains.
> with rDNS, if you have two vanity domains you need two IP addresses.

That seems to be based on the mistaken notion that there can be only
a single PTR RR per IP address.

> if you run an email service you might host hundreds of domains
> per IP.  So, yes, if you're one of those people it's a lot simpler,
> because you couldn't support rDNS at all.

That's mistaken.  If one of your IP addresses is used for hundreds of
domain names, you would not want hundreds of PTR RRs.  (I've known of
ISPs that hosted thousands (1000s) of domain names per IP address.
That forced the code of my UNIX vendor employer at the time to be a
lot smarter than the classic BSD TCP code when mapping names to
interfaces.)  Instead, as I tried to say but was doubtless not clear,
when the simple comparison of PTR RR values to the SMTP envelope sender
domain name fails, SMTP servers might be satisfied if one of the MX
RRs for the sender domain contains the SMTP client IP address.


Vernon Schryver    vjs@rhyolite.com
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
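The three checks discussed in the message above (HELO address vs. sender domain, forward-confirmed reverse DNS vs. sender domain, and the MX fallback for hosts that send for many domains) written out as an added example.  This is not code from the thread or from any RMX implementation; it runs against a constructed in-memory DNS table with fictional names (example.com, example.net, example.org) and addresses from the 192.0.2.0/24 documentation range, and it assumes that "HELO matches the sender name" means the HELO name is the sender domain or a host within it.

```python
from ipaddress import ip_address


class StubResolver:
    """Constructed, in-memory DNS data standing in for real lookups.

    All names and addresses are fictional. A real implementation would
    query DNS, and without DNSSEC every check below is only as
    trustworthy as the answers it receives.
    """

    def __init__(self, ptr, a, mx):
        self.ptr = ptr  # client IP (str) -> list of PTR target names
        self.a = a      # hostname -> list of A record addresses (str)
        self.mx = mx    # domain -> list of MX target hostnames

    def ptr_names(self, ip):
        return self.ptr.get(str(ip_address(ip)), [])

    def addresses(self, name):
        return self.a.get(name.lower().rstrip("."), [])

    def mx_hosts(self, domain):
        return self.mx.get(domain.lower().rstrip("."), [])


def in_domain(name, domain):
    """True when `name` equals `domain` or is a host within it (assumption:
    this is what 'HELO matches the sender name' means)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def fcrdns_names(resolver, client_ip):
    """Forward-confirmed reverse DNS.

    Keep only PTR names that, resolved forward, include the client IP.
    Whoever controls the reverse zone can put any name in a PTR record,
    but cannot make someone else's forward zone point back at their
    address, so a PTR that fails the round trip is discarded.
    """
    return [name for name in resolver.ptr_names(client_ip)
            if client_ip in resolver.addresses(name)]


def helo_authorizes(resolver, client_ip, helo, sender_domain):
    """RMX-style HELO test: the HELO name lies in the sender domain and
    one of its addresses is the connecting client."""
    return (in_domain(helo, sender_domain)
            and client_ip in resolver.addresses(helo))


def rdns_authorizes(resolver, client_ip, sender_domain):
    """Some forward-confirmed PTR name of the client lies in the sender domain."""
    return any(in_domain(name, sender_domain)
               for name in fcrdns_names(resolver, client_ip))


def mx_authorizes(resolver, client_ip, sender_domain):
    """Fallback for shared hosts: the client IP is an address of one of
    the sender domain's MX hosts."""
    return any(client_ip in resolver.addresses(host)
               for host in resolver.mx_hosts(sender_domain))


def authorize(resolver, client_ip, helo, envelope_sender):
    """Return which check authorized the client ('helo', 'rdns', 'mx'),
    or None when none did."""
    sender_domain = envelope_sender.rsplit("@", 1)[-1]
    if helo_authorizes(resolver, client_ip, helo, sender_domain):
        return "helo"
    if rdns_authorizes(resolver, client_ip, sender_domain):
        return "rdns"
    if mx_authorizes(resolver, client_ip, sender_domain):
        return "mx"
    return None


# Constructed DNS data (fictional).
RESOLVER = StubResolver(
    ptr={
        "192.0.2.10": ["mail.example.com"],          # genuine example.com relay
        "192.0.2.20": ["mail.example.com"],          # PTR claims example.com; forward zone disagrees
        "192.0.2.30": ["smtp.hosting.example.net"],  # shared host serving many domains
    },
    a={
        "mail.example.com": ["192.0.2.10"],
        "smtp.hosting.example.net": ["192.0.2.30"],
    },
    mx={
        "example.com": ["mail.example.com"],
        "example.org": ["smtp.hosting.example.net"],  # vanity domain on the shared host
    },
)


if __name__ == "__main__":
    for ip, helo, sender in [
        ("192.0.2.10", "mail.example.com", "alice@example.com"),
        ("192.0.2.10", "unknown.example.net", "alice@example.com"),
        ("192.0.2.20", "mail.example.com", "alice@example.com"),
        ("192.0.2.30", "smtp.hosting.example.net", "bob@example.org"),
    ]:
        print(ip, helo, sender, "->", authorize(RESOLVER, ip, helo, sender))
```

The 192.0.2.20 case is the "forged rDNS" situation from the thread: its PTR says mail.example.com, but mail.example.com does not resolve to 192.0.2.20, so the forward confirmation drops the name and no check passes.  The 192.0.2.30 case is the shared host: its single PTR is not in example.org, yet example.org's MX points at it, so the MX fallback accepts it without any PTR records for the hosted domains.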