[Dshield] Interesting question

Jon R. Kibler Jon.Kibler at aset.com
Wed Dec 3 15:22:02 GMT 2003


Father Peter Darin wrote:
> 
> Hello,
> 
> I have seen many servers in my area block any and all unresolvable IP
> addresses. I have considered this but would like some opinions and thoughts
> on the merits or downfalls of such a blanket approach.
> 
> Thank you.
> 

This is probably the best 'hatchet approach' to stopping spam. To do so, you are also forcing the sending MTAs to comply with the RFCs for mail DNS.

The problem is really two layered. 

First, you have systems that simply have no hostname. Always dumping them is probably a safe option. We have been doing so for over 3 years and never had a complaint.

Then you have the sticky issue -- what to do about forged hostnames. (What is a 'forged' hostname? Mail defines a hostname as forged if the hostname that the connecting IP address resolves to either itself does not resolve, or does not resolve to the same IP as the connection.) Forged hostnames can either mean that someone has really forged a hostname, or it can mean that someone has their DNS hosed -- usually the latter.

For a while, we simply bounced forged hostnames, but that caused problems -- especially with one major cable ISP. Now, we simply temp-fail all forged hostnames with a message of 'Your hostname appears forged -- please fix your DNS and try again.' When the sender gets their ISP's 'Warning, still trying to send after x hours' message, they usually call their ISP, the problem gets fixed and the mail goes through. If not, it is eventually returned by the sending MTA. If the sender is a spammer, usually the first temp-fail causes the spammer to stop trying to send the message.

(Some hard-core brute-force anti-spammers have databases of every IP address that has ever contacted their system. The first time any new IP tries to contact them, they always temp-fail the connection. In other words, they are taking advantage of a 'hole' in most spamware -- the lack of the ability to queue and retry an undeliverable message.)

One final point. When a hostname is unresolvable, it can mean one of two things: Either the hostname is not valid (DNS status of NXDOMAIN) or there was a transient server problem (DNS status of SERVFAIL). You should not bounce messages with the status of SERVFAIL, as a later retry will probably result in successful name resolution (although there are some broken name servers that will always return SERVFAIL and there is not much you can do about that). For SERVFAIL errors, you should temp-fail the message and force the sending system to retry later.

Hope this helps.

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
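The check Jon describes above (no PTR at all is rejected outright, a PTR whose forward lookup does not point back at the connecting IP is temp-failed as 'forged', and a SERVFAIL anywhere in the chain is temp-failed rather than bounced) can be written as a small decision function that returns the SMTP reply an MTA would send. The following is an added example, not code from the original post or from A.S.E.T.; the resolver it uses is a constructed in-memory stub with made-up 192.0.2.0/24 and 198.51.100.0/24 test addresses, so it runs offline. In a real deployment you would pass in a function backed by your MTA's resolver that raises the same two exception types for NXDOMAIN and SERVFAIL; that mapping is an assumption of this example, not something the post specifies.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an SMTP client IP.

Verdicts, following the policy in the post:
  250 - PTR exists and one of its A records is the connecting IP
  550 - no PTR at all (NXDOMAIN): permanently rejected
  451 - hostname 'forged' (PTR name does not resolve, or resolves elsewhere)
        or any SERVFAIL: temp-fail so the sending MTA retries later
"""
import ipaddress


class NXDomain(Exception):
    """The name does not exist (DNS rcode NXDOMAIN)."""


class ServFail(Exception):
    """Transient server failure (DNS rcode SERVFAIL)."""


# Constructed test zone (not real DNS data). Keys are (qtype, owner name);
# values are either a list of answers or an exception class to raise.
FAKE_ZONE = {
    ("PTR", "10.2.0.192.in-addr.arpa"): ["mail.example.net"],
    ("A", "mail.example.net"): ["192.0.2.10"],            # confirms -> 250
    ("PTR", "11.2.0.192.in-addr.arpa"): ["mx.forged.example"],
    ("A", "mx.forged.example"): ["198.51.100.5"],        # points elsewhere
    ("PTR", "12.2.0.192.in-addr.arpa"): NXDomain,        # no reverse DNS
    ("PTR", "13.2.0.192.in-addr.arpa"): ["host.flaky.example"],
    ("A", "host.flaky.example"): ServFail,               # forward lookup broken
    ("PTR", "14.2.0.192.in-addr.arpa"): ServFail,        # reverse lookup broken
    ("PTR", "15.2.0.192.in-addr.arpa"): ["ghost.example"],
    ("A", "ghost.example"): NXDomain,                    # PTR name does not exist
}


def fake_resolve(qtype, name):
    """Stub resolver: answer from FAKE_ZONE or raise the recorded error."""
    answer = FAKE_ZONE.get((qtype, name), NXDomain)
    if isinstance(answer, type) and issubclass(answer, Exception):
        raise answer(f"{qtype} {name}")
    return list(answer)


FORGED_MSG = "Your hostname appears forged -- please fix your DNS and try again."


def check_client(ip, resolve=fake_resolve):
    """Return (smtp_code, text) for a connecting IP under the post's policy."""
    addr = ipaddress.ip_address(ip)
    reverse_name = addr.reverse_pointer  # e.g. 10.2.0.192.in-addr.arpa

    # Step 1: does the IP have a hostname at all?
    try:
        ptr_names = resolve("PTR", reverse_name)
    except NXDomain:
        # No reverse DNS: the post dumps these permanently.
        return 550, "Client host rejected: no reverse DNS for " + str(addr)
    except ServFail:
        # Transient resolver trouble is never grounds for a bounce.
        return 451, "Temporary DNS failure resolving reverse name, try again later"

    # Step 2: does any PTR hostname resolve back to the connecting IP?
    saw_servfail = False
    for host in ptr_names:
        try:
            forward = resolve("A", host)
        except NXDomain:
            continue            # hostname does not exist: counts as forged
        except ServFail:
            saw_servfail = True  # remember, but keep trying other names
            continue
        if str(addr) in forward:
            return 250, "OK, " + host + " confirms " + str(addr)

    if saw_servfail:
        return 451, "Temporary DNS failure resolving client hostname, try again later"
    # PTR exists but nothing points back here: temp-fail, not bounce.
    return 451, FORGED_MSG


if __name__ == "__main__":
    for test_ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12",
                    "192.0.2.13", "192.0.2.14", "192.0.2.15"):
        code, text = check_client(test_ip)
        print(f"{test_ip:12} {code} {text}")
```

The forward lookup loop tries every PTR name before giving up, and a SERVFAIL on any of them still wins over the 'forged' verdict, because a name that merely failed to resolve this time may well confirm on the retry; that ordering is what keeps a broken name server from turning into a bounce.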



