mail filtering based on reverse DNS

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Thu Aug 11 12:37:13 CEST 2011


On Aug 11, 2011, at 8:13 AM, Erik Kline wrote:

>> I think rejecting on no DNS for ipv6 is going to be even more a necessity
>> than ever before with all these IP's being dished out to end users.
> 
> Without siding for or against this policy, I would say that the right
> time to get this hammered out is rapidly passing.  This is something
> that could, IMHO, still be enforced, albeit with some possible pain
> for existing IPv6 MTA operators depending on the outcome.  It might
> not be too late.

You can always start enforcing it.  At the very worst, take some extra load
and give "soft" errors for a couple of weeks;  people will either notice
the email stuck in their queues or see the bounce.  If they don't notice
they have no interest that email works with you.  Case closed.
In most cases however (unless you have been one of the people who enforced
that on IPv4 for a decade, in which case you are set anyway) people will
fall back to IPv4 usually and get the email delivered for now.

In times when people IM or call you if they don't have a reply within 10
minutes that should be noticed pretty quickly anyway.

(I am aware that for some people they have to think bigger and have other
constraints and cannot use this pragmatic solution)


> So I'm all for whatever might be needed to decide if it's actually a
> good policy that everyone thinks should be the long-term state of
> things.

It has so far been sufficient to catch 100% of the unwanted email on my
IPv6-only MXes.

Sadly it has also caught an ISP mail relay doing v6 which was more an open
relay and used by spammers rather than by customers.  And of course there
were no replies from the postmaster or abuse department of that system, nor
was a PTR added (or the open relay fixed last time I checked).

As said before it's also catching all Email from Teredo given the nature
of no reverse DNS, but that has proven to be 100% unwanted email so far as
well and usually was paired with invalid (according to 5321) EHLOs as well.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
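
Added example, not part of the original message or any MTA's own code: a sketch of the policy discussed above, answering IPv6 clients without a PTR record with a "soft" 4xx reply during a grace period and a hard 5xx reply afterwards. The function names, reply texts, grace date and the dict-backed resolver are assumptions made for illustration.

```python
import ipaddress
from datetime import date


class TempFail(Exception):
    """Resolver gave no usable answer (timeout, SERVFAIL)."""


def ptr_policy(client_ip, lookup_ptr, today, hard_from):
    """Return None to let the client continue, or an SMTP reply string.

    lookup_ptr(ip) returns a hostname, or None when no PTR exists, and
    raises TempFail on resolver trouble (hypothetical interface).
    hard_from is the assumed date on which soft errors become hard ones.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 6:
        return None  # this sketch only covers the IPv6 case from the thread
    try:
        name = lookup_ptr(str(addr))
    except TempFail:
        # A resolver problem is not the sender's fault: always retryable.
        return "450 4.7.1 reverse DNS lookup failed, try again later"
    if name:
        return None
    # 2001::/32 is Teredo; such clients have no reverse DNS by nature.
    reason = "Teredo client, no reverse DNS" if addr.teredo else "no reverse DNS"
    if today < hard_from:
        return "450 4.7.1 " + reason  # sender's queue retries, operator can notice
    return "550 5.7.1 " + reason      # grace period over: bounce


# Constructed sample data (documentation prefix 2001:db8::/32).
PTR_TABLE = {"2001:db8::25": "mx.example.net"}


def demo_lookup(ip):
    if ip == "2001:db8::dead":
        raise TempFail()
    return PTR_TABLE.get(ip)


if __name__ == "__main__":
    hard = date(2011, 9, 1)  # assumed end of the grace period
    for ip in ("2001:db8::25", "2001:db8::bad",
               "2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::dead"):
        print(ip, "->", ptr_policy(ip, demo_lookup, date(2011, 8, 11), hard))
```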



More information about the ipv6-ops mailing list