Mailing List Archive: nsp: ipv6

Re: mail filtering based on reverse DNS

bjorn at mork

Aug 10, 2011, 1:43 AM

Post #1 of 38 (2136 views)
Re: mail filtering based on reverse DNS

"Bjoern A. Zeeb" <bzeeb-lists [at] lists> writes:
> On Aug 9, 2011, at 4:17 PM, Bjørn Mork wrote:
>
>> Anyway, if you reject mail from IPv6 addresses without reverse DNS
>> today, then you are guaranteed to reject legitimate mail. One might
>> even question the usefulness of reverse IPv6 DNS as a low score spam
>> rule. There are just too many matching legitimate sources.
>
> If one operates a legitimate mail server and is unable to provide any reverse
> mapping for the v6 address I seriously do not care to not accept his email as
> it's clearly not operated in a professional manner.

I agree on the professional operation. Any SMTP client should have
matching reverse and forward DNS. Failing to setup DNS properly is
clearly unprofessional.

You may of course choose to reject mail based on that fact. But be
aware that you *will* reject legitimate mail. I did a simple grep
through my personal mail log for the last few weeks, and there are many
examples of legitimate mails from people I consider serious
professionals, received over IPv6 from SMTP clients with no reverse
DNS. People don't always control their environment, and clueful people
are often forced to use infrastructure run by the clueless.

Anyone receiving mail on behalf of others cannot afford to be as strict
as you.


Bjørn


bjorn at mork

Aug 10, 2011, 4:19 AM

Post #2 of 38 (2085 views)
Re: mail filtering based on reverse DNS [In reply to]

"Bjoern A. Zeeb" <bzeeb-lists [at] lists> writes:
> On Aug 9, 2011, at 4:17 PM, Bjørn Mork wrote:
>
>> Anyway, if you reject mail from IPv6 addresses without reverse DNS
>> today, then you are guaranteed to reject legitimate mail. One might
>> even question the usefulness of reverse IPv6 DNS as a low score spam
>> rule. There are just too many matching legitimate sources.
>
> If one operates a legitimate mail server and is unable to provide any reverse
> mapping for the v6 address I seriously do not care to not accept his email as
> it's clearly not operated in a professional manner.

OK.

Sorry for those offended by the real example, but this is one of the
addresses I found in my mail log:

2001:1890:1112:1::1e

It does have a reverse pointer, so it's half-way there:

bjorn [at] canard:~$ dig +short -x 2001:1890:1112:1::1e
mail.ietf.org.

but the forward entry does not list that address, so my mail server
ignores the reverse pointer:

bjorn [at] canard:~$ dig +short aaaa mail.ietf.org
2001:1890:123a::1:1e


So, should I reject mail from 2001:1890:1112:1::1e? Are all those
sending mail from the IETF necessarily unprofessional?



Bjørn


nick at foobar

Aug 10, 2011, 4:23 AM

Post #3 of 38 (2085 views)
Re: mail filtering based on reverse DNS [In reply to]

On 10/08/2011 12:19, Bjørn Mork wrote:
> So, should I reject mail from 2001:1890:1112:1::1e? Are all those
> sending mail from the IETF necessarily unprofessional?

oh, the irony: mail.ietf.org rejects email from hosts which do not have
ipv6 matching reverse DNS configured.

Nick


ignatios at cs

Aug 10, 2011, 4:25 AM

Post #4 of 38 (2088 views)
Re: mail filtering based on reverse DNS [In reply to]

On Wed, Aug 10, 2011 at 01:19:20PM +0200, Bjørn Mork wrote:

> rev(A) != PTR
> rev(AAAA) != PTR

In the modern days, where often a lot of services *with their own
domain names* run on big server machines, it is unreasonable to require
that forward and reverse resolving agree. (The SPF stuff might be
a more reasonable assumption, but the most thorough implementors are
the spammers, afaik.)

Requiring any PTR might be ok.

-is


bjorn at mork

Aug 10, 2011, 5:16 AM

Post #5 of 38 (2081 views)
Re: mail filtering based on reverse DNS [In reply to]

Ignatios Souvatzis <ignatios [at] cs> writes:

> On Wed, Aug 10, 2011 at 01:19:20PM +0200, Bjørn Mork wrote:
>
>> rev(A) != PTR
>> rev(AAAA) != PTR
>
> In the modern days, where often a lot of services *with their own
> domain names* run on big server machines, it is unreasonable to require
> that forward and reverse resolving agree.

Maybe. Still, as this discussion shows, there are those advocating that
as an absolute requirement.

> Requiring any PTR might be ok.

How would that be useful in any way? A PTR without a matching A or AAAA
record will tell you exactly nothing.


Bjørn


md at Linux

Aug 10, 2011, 5:33 AM

Post #6 of 38 (2088 views)
Re: mail filtering based on reverse DNS [In reply to]

On Aug 10, Ignatios Souvatzis <ignatios [at] cs> wrote:

> In the modern days, where often a lot of services *with their own
> domain names* run on big server machines, it is unreasonable to require
> that forward and reverse resolving agree. (The SPF stuff might be
I call bullshit on this.

> Requiring any PTR might be ok.
Requiring any PTR is useless, and this is why nobody bothers.

--
ciao,
Marco
Attachments: signature.asc (0.19 KB)


ignatios at cs

Aug 10, 2011, 5:57 AM

Post #7 of 38 (2086 views)
Re: mail filtering based on reverse DNS [In reply to]

On Wed, Aug 10, 2011 at 02:16:09PM +0200, Bjørn Mork wrote:
> Ignatios Souvatzis <ignatios [at] cs> writes:
>
> > On Wed, Aug 10, 2011 at 01:19:20PM +0200, Bjørn Mork wrote:
> >
> >> rev(A) != PTR
> >> rev(AAAA) != PTR
> >
> > In the modern days, where often a lot of services *with their own
> > domain names* run on big server machines, it is unreasonable to require
> > that forward and reverse resolving agree.
>
> Maybe. Still, as this discussion shows, there are those advocating that
> as an absolute requirement.
>
> > Requiring any PTR might be ok.
>
> How would that be useful in any way? A PTR without a matching A or AAAA
> record will tell you exactly nothing.

That's true, of course. Hm... but requiring that forward resolving
agrees with back is not the same as requiring that back is the same
as forward... just forget what I typed yestereve; it's not very relevant
for incoming connections.

Regards,
-is


fernando at gont

Aug 10, 2011, 10:37 AM

Post #8 of 38 (2078 views)
Re: mail filtering based on reverse DNS [In reply to]

On 08/09/2011 01:31 PM, Bjoern A. Zeeb wrote:
>> Anyway, if you reject mail from IPv6 addresses without reverse DNS
>> today, then you are guaranteed to reject legitimate mail. One might
>> even question the usefulness of reverse IPv6 DNS as a low score spam
>> rule. There are just too many matching legitimate sources.
>
> If one operates a legitimate mail server and is unable to provide any reverse
> mapping for the v6 address I seriously do not care to not accept his email as
> it's clearly not operated in a professional manner.

It's unclear to me how you can so easily deem people as unprofessional
(for a simple error), but then show no concerns when an OS sits on a
security vulnerability without a fix for a year and a half.

Should *I* start trolling now?

Thanks,
--
Fernando Gont
e-mail: fernando [at] gont || fgont [at] acm
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1


spz at serpens

Aug 10, 2011, 12:07 PM

Post #9 of 38 (2080 views)
Re: mail filtering based on reverse DNS [In reply to]

Hi,

Thus wrote Fernando Gont (fernando [at] gont):

> It's unclear to me how you can so easily deem people as unprofessional
> (for a simple error), but then show no concerns when an OS sits on a
> security vulnerability without a fix for a year and a half.

Only one? Which?
Some problems are both hard (tm) to fix and hard to exploit. If all one
does is trip from one panic into the next, one'll burn out in record time.

regards,
spz
--
spz [at] serpens (S.P.Zeidler)


fernando at gont

Aug 10, 2011, 12:19 PM

Post #10 of 38 (2081 views)
Re: mail filtering based on reverse DNS [In reply to]

On 08/10/2011 04:07 PM, S.P.Zeidler wrote:

>> It's unclear to me how you can so easily deem people as unprofessional
>> (for a simple error), but then show no concerns when an OS sits on a
>> security vulnerability without a fix for a year and a half.
>
> Only one? Which?

Will post something about this in a few days. (he knows what I mean)



> Some problems are both hard (tm) to fix and hard to exploit.

Not the case, though.


> If all one
> does is trip from one panic into the next, one'll burn out in record time.

I just argue that one should be a bit more careful when deeming people
as unprofessional. FWIW, I'd rather have an e-mail dropped than a whole
system DoS'ed.

Thanks,
--
Fernando Gont
e-mail: fernando [at] gont || fgont [at] acm
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1


sm at resistor

Aug 10, 2011, 2:32 PM

Post #11 of 38 (2081 views)
Re: mail filtering based on reverse DNS [In reply to]

Hi Bjoern,
At 04:19 10-08-2011, Bjørn Mork wrote:
>So, should I reject mail from 2001:1890:1112:1::1e? Are all those

That's a matter of local policy.

>sending mail from the IETF necessarily unprofessional?

Messages from IETF mailing lists are relayed through mail.ietf.org.

Regards,
-sm


noel.butler at ausics

Aug 10, 2011, 3:56 PM

Post #12 of 38 (2081 views)
Re: mail filtering based on reverse DNS [In reply to]

On Wed, 2011-08-10 at 16:19 -0300, Fernando Gont wrote:


> I just argue that one should be a bit more careful when deeming people
> as unprofessional. FWIW, I'd rather have an e-mail dropped than a whole
> system DoS'ed.



It is more like laziness than unprofessional, but the terms can mean
much the same.

You go to all the trouble of installing and configuring your OS and MTA
and its related software; it takes little time to add DNS records.
There is no excuse for it not being done.
I think rejecting on no DNS for IPv6 is going to be even more of a
necessity than ever before with all these IPs being dished out to end
users.
Attachments: signature.asc (0.48 KB)


bzeeb-lists at lists

Aug 10, 2011, 4:32 PM

Post #13 of 38 (2077 views)
Re: mail filtering based on reverse DNS [In reply to]

On Aug 10, 2011, at 5:37 PM, Fernando Gont wrote:

> On 08/09/2011 01:31 PM, Bjoern A. Zeeb wrote:
>>> Anyway, if you reject mail from IPv6 addresses without reverse DNS
>>> today, then you are guaranteed to reject legitimate mail. One might
>>> even question the usefulness of reverse IPv6 DNS as a low score spam
>>> rule. There are just too many matching legitimate sources.
>>
>> If one operates a legitimate mail server and is unable to provide any reverse
>> mapping for the v6 address I seriously do not care to not accept his email as
>> it's clearly not operated in a professional manner.
>
> It's unclear to me how you can so easily deem people as unprofessional
> (for a simple error),

I think we were long in the general discussion here. I had politely pointed it
out to you in the initial reply, like I have for many in the past incl. some
very busy lists, ... and I am sure like they you'll fix the oversight quickly and
the world will be good.

The fact that there are gazillions of others out there who do not care and still
run, constantly run, purposely run mail servers, run mail servers for tons of
users, who pay money for a relay service, etc. etc. etc. without the reverse
mapping is simply unprofessional.

/bz

--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.


fernando at gont

Aug 10, 2011, 6:19 PM

Post #14 of 38 (2080 views)
Re: mail filtering based on reverse DNS [In reply to]

On 08/10/2011 07:56 PM, Noel Butler wrote:
> On Wed, 2011-08-10 at 16:19 -0300, Fernando Gont wrote:
>
>> I just argue that one should be a bit more careful when deeming people
>> as unprofessional. FWIW, I'd rather have an e-mail dropped than a whole
>> system DoS'ed.
>
> It is more like laziness than unprofessional, but the terms can mean
> much the same.

And in other cases, just a plain human error.

--
Fernando Gont
e-mail: fernando [at] gont || fgont [at] acm
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1


dougb at dougbarton

Aug 10, 2011, 6:59 PM

Post #15 of 38 (2071 views)
Re: mail filtering based on reverse DNS [In reply to]

On 08/10/2011 04:19, Bjørn Mork wrote:
> "Bjoern A. Zeeb" <bzeeb-lists [at] lists> writes:
>> On Aug 9, 2011, at 4:17 PM, Bjørn Mork wrote:
>>
>>> Anyway, if you reject mail from IPv6 addresses without reverse DNS
>>> today, then you are guaranteed to reject legitimate mail. One might
>>> even question the usefulness of reverse IPv6 DNS as a low score spam
>>> rule. There are just too many matching legitimate sources.
>>
>> If one operates a legitimate mail server and is unable to provide any reverse
>> mapping for the v6 address I seriously do not care to not accept his email as
>> it's clearly not operated in a professional manner.
>
> OK.
>
> Sorry for those offended by the real example, but this is one of the
> addresses I found in my mail log:
>
> 2001:1890:1112:1::1e
>
> It does have a reverse pointer, so it's half-way there:
>
> bjorn [at] canard:~$ dig +short -x 2001:1890:1112:1::1e
> mail.ietf.org.
>
> but the forward entry does not list that address, so my mail server
> ignores the reverse pointer:
>
> bjorn [at] canard:~$ dig +short aaaa mail.ietf.org
> 2001:1890:123a::1:1e
>
>
> So, should I reject mail from 2001:1890:1112:1::1e? Are all those
> sending mail from the IETF necessarily unprofessional?

Naturally you've reported this to postmaster [at] ietf, right? The
reverses for A and AAAA addresses for mail.ietf.org match, so that
address looks like an anomaly that should be dealt with.


Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/


noel.butler at ausics

Aug 10, 2011, 7:49 PM

Post #16 of 38 (2068 views)
Re: mail filtering based on reverse DNS [In reply to]

On Wed, 2011-08-10 at 22:19 -0300, Fernando Gont wrote:

> On 08/10/2011 07:56 PM, Noel Butler wrote:
> > On Wed, 2011-08-10 at 16:19 -0300, Fernando Gont wrote:
> >
> >> I just argue that one should be a bit more careful when deeming people
> >> as unprofessional. FWIW, I'd rather have an e-mail dropped than a whole
> >> system DoS'ed.
> >
> > It is more like laziness than unprofessional, but the terms can mean
> > much the same.
>
> And in other cases, just a plain human error.



Human error would be when one screws up the entry in the zone files, I'd
not call it human error for outright not doing it at all.
Attachments: signature.asc (0.48 KB)


ek at google

Aug 11, 2011, 1:13 AM

Post #17 of 38 (2063 views)
Re: mail filtering based on reverse DNS [In reply to]

> I think rejecting on no DNS for IPv6 is going to be even more of a necessity
> than ever before with all these IPs being dished out to end users.

Without siding for or against this policy, I would say that the right
time to get this hammered out is rapidly passing. This is something
that could, IMHO, still be enforced, albeit with some possible pain
for existing IPv6 MTA operators depending on the outcome. It might
not be too late.

So I'm all for whatever might be needed to decide if it's actually a
good policy that everyone thinks should be the long-term state of
things. Even though some MTA operators might have some DNS work to
do, I don't see such a policy as being wholly unreasonable.
Sufficient socialization of the policy at RIPE, NANOG, etc could be
done to give sufficient advanced warning.

Setting aside the transition work to get there, is this something the
MTA operating community could agree would be a good end state?


sander at steffann

Aug 11, 2011, 1:47 AM

Post #18 of 38 (2065 views)
Re: mail filtering based on reverse DNS [In reply to]

Hi,

> So I'm all for whatever might be needed to decide if it's actually a
> good policy that everyone thinks should be the long-term state of
> things. Even though some MTA operators might have some DNS work to
> do, I don't see such a policy as being wholly unreasonable.
> Sufficient socialization of the policy at RIPE, NANOG, etc could be
> done to give sufficient advanced warning.
>
> Setting aside the transition work to get there, is this something the
> MTA operating community could agree would be a good end state?

Assumptions: Considering that most trojans will run from client systems that probably won't have reverse DNS entries I think this might help. MTA operators can add reverse DNS records in (almost?) all cases if they really want, so they won't be permanently harmed by this.

Now, are those assumptions correct? I have heard ISPs talk about using a (PowerDNS-based) on-request reverse-DNS record generator. If we see that happening a lot, such a policy might not make a big difference. And I also heard knowledgeable SMBs state that they can't get reverse DNS at this point in time. So how many organizations/people *are* harmed?

I think we need to put a bit more thought into this…
Sander


ipv6-ops at c0mplx

Aug 11, 2011, 1:52 AM

Post #19 of 38 (2063 views)
Re: mail filtering based on reverse DNS [In reply to]

Hi!

> > I think rejecting on no DNS for IPv6 is going to be even more of a necessity
> > than ever before with all these IPs being dished out to end users.
>
> Without siding for or against this policy, I would say that the right
> time to get this hammered out is rapidly passing. This is something
> that could, IMHO, still be enforced, albeit with some possible pain
> for existing IPv6 MTA operators depending on the outcome. It might
> not be too late.

Yes, if the specs for the check are well-defined and easily testable.

That would be a very big help.

--
pi [at] opsec +49 171 3101372 9 years to go !


ek at google

Aug 11, 2011, 2:15 AM

Post #20 of 38 (2074 views)
Re: mail filtering based on reverse DNS [In reply to]

> Assumptions: Considering that most trojans will run from client systems that probably won't have reverse DNS entries I think this might help. MTA operators can add reverse DNS records in (almost?) all cases if they really want, so they won't be permanently harmed by this.
>
> Now, are those assumptions correct? I have heard ISPs talk about using a (powerdns based) on-request-reverse-DNS-record-generator. If we see that happening a lot such a policy might not make a big difference. And I also heard knowledgable SMBs state that they can't get reverse DNS at this point in time. So how many organizations/people *are* harmed?

Certainly I and others have thought of writing our own auto-PTR
response generator for delegated reverse zones. I see now that the
success of a PTR-verification scheme depends on ISPs *not* doing this
for every J. Random Customer.


sander at steffann

Aug 11, 2011, 2:18 AM

Post #21 of 38 (2064 views)
Re: mail filtering based on reverse DNS [In reply to]

Hi,

> Certainly I and others have thought of writing our own auto-PTR
> response generator for delegated reverse zones. I see now that the
> success of a PTR-verification scheme depends on ISPs *not* doing this
> for every J. Random Customer.

The more I think about it, the more I feel that auto-generating PTR records is not a wise thing to do. This is one example, filling the caches of DNS resolvers is another. Would it be a good idea to write a BCP on this subject?

- Sander


ek at google

Aug 11, 2011, 2:32 AM

Post #22 of 38 (2063 views)
Re: mail filtering based on reverse DNS [In reply to]

On 11 August 2011 18:18, Sander Steffann <sander [at] steffann> wrote:
> Hi,
>
>> Certainly I and others have thought of writing our own auto-PTR
>> response generator for delegated reverse zones.  I see now that the
>> success of a PTR-verification scheme depends on ISPs *not* doing this
>> for every J. Random Customer.
>
> The more I think about it, the more I feel that auto-generating PTR records is not a wise thing to do. This is one example, filling the caches of DNS resolvers is another. Would it be a good idea to write a BCP on this subject?

Are you thinking of a recursive resolver DoS attack involving doing
PTR lookups through an auto-generated reverse space? I.e. the
recursive resolver would overrun its cache at some point?

I could see this happening, but it seems the right thing to do is to
defend against it by implementing LRU eviction policies,
rate-limiting, and other common mitigation techniques. It seems such
an attack could be undertaken even today. (besides, what about the
negative caching for PTRs that aren't there?)

Hmmm....


sander at steffann

Aug 11, 2011, 2:34 AM

Post #23 of 38 (2065 views)
Re: mail filtering based on reverse DNS [In reply to]

Hi,

> I could see this happening, but it seems the right thing to do is to
> defend against it by implementing LRU eviction policies,
> rate-limiting, and other common mitigation techniques. It seems such
> an attack could be undertaken even today. (besides, what about the
> negative caching for PTRs that aren't there?)
>
> Hmmm....

Good point.
Sander


mike at mikejones

Aug 11, 2011, 3:08 AM

Post #24 of 38 (2076 views)
Re: mail filtering based on reverse DNS [In reply to]

On 11 August 2011 10:15, Erik Kline <ek [at] google> wrote:
> Certainly I and others have thought of writing our own auto-PTR
> response generator for delegated reverse zones.  I see now that the
> success of a PTR-verification scheme depends on ISPs *not* doing this
> for every J. Random Customer.
>

I personally feel that the era of "all hosts should have meaningless
reverse DNS" should be left as a historical IPv4 practice and not
brought forward to IPv6, as the only real benefit such automatic
records serve is saving you spending 5 seconds doing a whois lookup
to find a user's ISP, but if you have a reason to look up an IP
address then you'll do a whois lookup anyway even after looking at the
hostname. Unfortunately it only takes a few ISPs doing this for other
people to be forced to accept it. Of course routers (looking at your
employer here!) and servers should still be set up with proper entries
as they serve useful diagnostic purposes.

Perhaps this needs a multi-stage system, reject mail from hosts with
no reverse DNS then test for the presence of "mail" or "smtp" etc in
the hostname and factor this in to spam filters, so
"185479346345.customer542345.example.net" starts off with a higher
spam rating than "mail.example.net"?

I am not keen on a requirement that mail servers should be given a
specific mail-related hostname, however it is a possible solution to
consider with IPv6 where it is a lot easier to add additional
service-specific addresses to a box (assuming the MTA has an option to
bind to a specific address for outbound connections; I've not checked
if common ones do).

- Mike
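The check Bjørn ran by hand earlier in the thread (dig -x, then the AAAA of the returned name) and the two-stage scheme Mike sketches just above can be written as one small piece of defender-side code. What follows is an added illustration, not code from any poster or from any MTA project. The resolver is injected as two plain functions so the example runs offline; the sample records are constructed for the example, except for the two mail.ietf.org records quoted earlier in the thread, which are reproduced as they appear there. The hostname patterns and score weights in the second stage are illustrative placeholders, not a recommended policy.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# --- Constructed sample DNS data --------------------------------------------
# Reverse records are keyed by the ip6.arpa owner name that `dig -x` queries,
# so the stub resolver is consulted the same way a real one would be.
# The two mail.ietf.org records come from the thread; the 2001:db8::/32
# entries are constructed (documentation prefix).
SAMPLE_PTR: Dict[str, List[str]] = {
    ipaddress.ip_address("2001:1890:1112:1::1e").reverse_pointer: ["mail.ietf.org."],
    ipaddress.ip_address("2001:1890:123a::1:1e").reverse_pointer: ["mail.ietf.org."],
    ipaddress.ip_address("2001:db8::1").reverse_pointer: ["mail.example.net."],
    ipaddress.ip_address("2001:db8::2").reverse_pointer: ["185479346345.customer542345.example.net."],
    # 2001:db8::3 deliberately has no PTR at all.
}
# Forward (AAAA) records. mail.example.net is stored in long form on purpose:
# a textual comparison would miss it, an ipaddress comparison does not.
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "mail.ietf.org": ["2001:1890:123a::1:1e"],
    "mail.example.net": ["2001:0db8:0000:0000:0000:0000:0000:0001"],
    "185479346345.customer542345.example.net": ["2001:db8::2"],
}

def sample_ptr(owner: str) -> List[str]:
    """Stub PTR lookup (hypothetical resolver hook)."""
    return SAMPLE_PTR.get(owner, [])

def sample_forward(host: str) -> List[str]:
    """Stub A/AAAA lookup (hypothetical resolver hook)."""
    return SAMPLE_FORWARD.get(host, [])

PtrLookup = Callable[[str], List[str]]
ForwardLookup = Callable[[str], List[str]]

def fcrdns_check(ip: str, lookup_ptr: PtrLookup,
                 lookup_forward: ForwardLookup) -> Tuple[str, str]:
    """Forward-confirmed reverse DNS: address -> PTR -> name -> A/AAAA,
    and the original address must appear in that final answer.
    Returns (status, name) with status 'no_ptr', 'ptr_unconfirmed' or 'confirmed'."""
    addr = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in lookup_ptr(addr.reverse_pointer)]
    if not names:
        return ("no_ptr", "")
    for name in names:
        forward = set()
        for text in lookup_forward(name):
            try:
                forward.add(ipaddress.ip_address(text))  # normalises :: and leading zeros
            except ValueError:
                continue  # malformed answer data: ignore rather than crash the MTA
        if addr in forward:
            return ("confirmed", name)
    # A PTR exists but nothing points back: the 2001:1890:1112:1::1e case.
    return ("ptr_unconfirmed", names[0])

# Second stage: hostname heuristics. Illustrative patterns and weights only.
MAILISH = re.compile(r"(^|[.-])(mail|smtp|mx|relay)\d*([.-]|$)")
GENERIC = re.compile(r"\d{6,}|customer|dyn|pool|dsl|cable|ppp")

def score_client(ip: str, lookup_ptr: PtrLookup, lookup_forward: ForwardLookup,
                 reject_no_ptr: bool = True) -> Tuple[str, float, str, str]:
    """Stage 1: reject (or not) a client with no reverse DNS.
    Stage 2: hand the content filter a starting score derived from the name."""
    status, name = fcrdns_check(ip, lookup_ptr, lookup_forward)
    if status == "no_ptr":
        return ("reject" if reject_no_ptr else "accept", 3.0, status, name)
    score = 0.0
    if status == "ptr_unconfirmed":
        score += 2.0   # PTR present but not confirmed by the forward lookup
    if MAILISH.search(name):
        score -= 1.0   # looks like a deliberately named mail host
    if GENERIC.search(name):
        score += 1.5   # looks like an auto-generated customer record
    return ("accept", score, status, name)

if __name__ == "__main__":
    for client in ("2001:1890:1112:1::1e", "2001:1890:123a::1:1e",
                   "2001:db8::1", "2001:db8::2", "2001:db8::3"):
        print(client, score_client(client, sample_ptr, sample_forward))
```

Run against the sample data, the IETF address from the thread comes back as "ptr_unconfirmed" (PTR present, forward record missing) while the address actually listed for mail.ietf.org is "confirmed"; the long-form AAAA for mail.example.net is still confirmed because both sides are compared as parsed addresses, not strings; and the customer-style hostname receives a higher starting score than mail.example.net. A real deployment would replace the two stub functions with calls to a stub resolver and would also decide what to do on SERVFAIL or timeout, which this example, like a dig one-liner, does not distinguish from NXDOMAIN.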


bzeeb-lists at lists

Aug 11, 2011, 3:37 AM

Post #25 of 38 (2065 views)
Re: mail filtering based on reverse DNS [In reply to]

On Aug 11, 2011, at 8:13 AM, Erik Kline wrote:

>> I think rejecting on no DNS for IPv6 is going to be even more of a necessity
>> than ever before with all these IPs being dished out to end users.
>
> Without siding for or against this policy, I would say that the right
> time to get this hammered out is rapidly passing. This is something
> that could, IMHO, still be enforced, albeit with some possible pain
> for existing IPv6 MTA operators depending on the outcome. It might
> not be too late.

You can always start enforcing it. The very worst take some extra load
and give "soft" errors for a couple of weeks; people will either notice
the email stuck in their queues or see the bounce. If they don't notice,
they have no interest that email works with you. Case closed.
In most cases however (unless you have been one of the people who enforced
that on IPv4 for a decade, in which case you are set anyway), people will
usually fall back to IPv4 and get the email delivered for now.

In times when people IM or call you if they don't have a reply within 10
minutes that should be noticed pretty quickly anyway.

(I am aware that for some people they have to think bigger and have other
constraints and cannot use this pragmatic solution)


> So I'm all for whatever might be needed to decide if it's actually a
> good policy that everyone thinks should be the long-term state of
> things.

It has so far been sufficient to catch 100% of the unwanted email on my
IPv6-only MXes.

Sadly it has also caught an ISP mail relay doing v6 which was more an open
relay and used by spammers rather than by customers. And of course there
were no replies from the postmaster or abuse department of that system, nor
was a PTR added (or the open relay fixed last time I checked).

As said before it's also catching all email from Teredo given the nature
of no reverse DNS, but that has proven to be 100% unwanted email so far as
well and usually was paired with invalid (according to RFC 5321) EHLOs as well.

/bz

--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
