mail filtering based on reverse DNS

Sander Steffann sander at steffann.nl
Thu Aug 11 10:47:44 CEST 2011


Hi,

> So I'm all for whatever might be needed to decide if it's actually a
> good policy that everyone thinks should be the long-term state of
> things.  Even though some MTA operators might have some DNS work to
> do, I don't see such a policy as being wholly unreasonable.
> Sufficient socialization of the policy at RIPE, NANOG, etc could be
> done to give sufficient advanced warning.
> 
> Setting aside the transition work to get there, is this something the
> MTA operating community could agree would be a good end state?

Assumptions: Considering that most trojans will run from client systems that probably won't have reverse DNS entries I think this might help. MTA operators can add reverse DNS records in (almost?) all cases if they really want, so they won't be permanently harmed by this.

Now, are those assumptions correct? I have heard ISPs talk about using a (powerdns based) on-request-reverse-DNS-record-generator. If we see that happening a lot such a policy might not make a big difference. And I also heard knowledgeable SMBs state that they can't get reverse DNS at this point in time. So how many organizations/people *are* harmed?

I think we need to put a bit more thought into this…
Sander


