
Re: No DNS consistency checks in Debian spam filter?

Hi Martin,

On Tue March 11 2008 02:02:50 Martin Zobel-Helas wrote:
> On Tue Jan 08, 2008 at 09:20:15 -0800, Mike Bird wrote:
> > The single most powerful and most efficient spam filter test is to
> > verify DNS consistency.  Judging by the spam now swamping
> > these lists, Debian does not employ such a test.

> > In Postfix, including reject_unknown_client_hostname at an
> > appropriate spot in smtpd_client_restrictions does the trick.
>
> And that produces a loss of VERY much valid email. So we will not
> implement that.

What do you consider the loss of "VERY much valid email"?  Five
years ago things were different with maybe one or two complaints
per month, but now we get maybe one or two complaints per year.

It's a worthwhile trade-off since it blocks a great deal of spam.
Spamassassin is great and works well as a second line of defense
but reject_unknown_client_hostname is much cheaper, has far fewer
false positives, and weeds out much if not most of the spam before
it hits spamassassin.

The overall effect of reject_unknown_client_hostname is to somewhat
reduce spams (false negatives) and to greatly reduce CPU load.

Here's a good client ruleset:

   smtpd_client_restrictions =
       permit_mynetworks,
       permit_sasl_authenticated,
       defer_if_reject,
       reject_unknown_client_hostname,
       permit

I have this running on mail servers for businesses, schools, my
own small ISP, and one 10Gig international backbone.  I suspect
we handle a lot more inbound email than Debian, though perhaps
less outbound.

On those rare occasions when we get a complaint that an email has
been blocked for DNS inconsistency a human generates a detailed
explanation of the problem to the blocked sender's postmaster and
admins, with copies to the sender and intended recipient.  Such
explanations take only a few minutes work and help improve the net.

> > Alternatively, we old PERL bashers iterate over all PTR records
> > for the IP address, and for each of those PTR records we iterate
> > over all the A records, and we only accept the connection if at
> > least one of those A records contains the connecting IP.
>
> You cannot force people running their own mailservers to use their
> ISP's mailserver relays.

That statement has nothing to do with PTR/A record consistency.  Most
ISPs these days block port 25 out except from known SMTP servers.
It's the most effective measure against spam from Windows bots.

--Mike Bird

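The PTR/A iteration quoted in the message above, as an added example in Python rather than Perl. This is not code from the thread or from Postfix; it implements the same forward-confirmed reverse DNS test that reject_unknown_client_hostname performs. The resolver is injected so the check runs offline against a zone constructed here from documentation-range addresses and hypothetical names (mail.example.net and friends are not real records); socket_resolver shows how to back it with the standard library. It also handles IPv6 clients via AAAA, which the quoted text does not mention.

```python
"""Forward-confirmed reverse DNS check for an SMTP client address.

Added example, not code from the thread or from Postfix.  Every PTR of
the connecting IP is looked up, every A (or AAAA) record of each PTR
name is looked up, and the client is accepted only if one of those
records is the connecting IP.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# A resolver maps (qname, qtype) to a list of record strings, [] when absent.
Resolver = Callable[[str, str], List[str]]


def reverse_name(ip: str) -> str:
    """in-addr.arpa / ip6.arpa name queried for the PTR (fully qualified)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_client(ip: str, resolve: Resolver) -> Tuple[str, str]:
    """Return ("ok", hostname) when some PTR name resolves back to ip,
    else ("unknown", reason).  "unknown" is the case that
    reject_unknown_client_hostname rejects."""
    addr = ipaddress.ip_address(ip)
    qtype = "AAAA" if addr.version == 6 else "A"
    ptrs = resolve(reverse_name(ip), "PTR")
    if not ptrs:
        return ("unknown", "no PTR record for %s" % ip)
    forward_seen = False
    for name in ptrs:                       # iterate over all PTR records
        for rr in resolve(name, qtype):     # ... and all A/AAAA of each name
            forward_seen = True
            if ipaddress.ip_address(rr) == addr:
                return ("ok", name)
    names = ", ".join(ptrs)
    if not forward_seen:
        return ("unknown", "PTR name(s) %s have no %s record" % (names, qtype))
    return ("unknown", "no %s record of %s points back to %s" % (qtype, names, ip))


def _ip_from_reverse(qname: str) -> str:
    """Turn an in-addr.arpa / ip6.arpa name back into the address string."""
    labels = qname.rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        return ".".join(reversed(labels[:-2]))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = "".join(reversed(labels[:-2]))
        return str(ipaddress.IPv6Address(int(nibbles, 16)))
    raise ValueError("not a reverse name: %s" % qname)


def socket_resolver(qname: str, qtype: str) -> List[str]:
    """Standard-library resolver for real use.  Limitations: gethostbyaddr
    returns only the first PTR (use dnspython for the full set) and both
    calls consult nsswitch/hosts, not DNS alone."""
    try:
        if qtype == "PTR":
            host, _aliases, _ = socket.gethostbyaddr(_ip_from_reverse(qname))
            return [host + "."]
        family = socket.AF_INET6 if qtype == "AAAA" else socket.AF_INET
        infos = socket.getaddrinfo(qname.rstrip("."), None, family, socket.SOCK_STREAM)
        return sorted({info[4][0] for info in infos})
    except (OSError, ValueError):  # gaierror/herror are OSError subclasses
        return []


# Constructed zone for the offline demonstration (documentation-range
# addresses, hypothetical names); not real DNS data.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    # consistent: PTR -> A -> same address
    (reverse_name("192.0.2.10"), "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["192.0.2.10"],
    # two PTRs, the first stale; accepted via the second
    (reverse_name("192.0.2.20"), "PTR"): ["old.example.net.", "mx2.example.net."],
    ("old.example.net.", "A"): ["198.51.100.5"],
    ("mx2.example.net.", "A"): ["192.0.2.20", "192.0.2.21"],
    # 192.0.2.30 has no PTR at all
    # PTR exists but the name has no A record
    (reverse_name("192.0.2.40"), "PTR"): ["dsl-40.example.org."],
    # PTR name resolves, but to a different address
    (reverse_name("192.0.2.50"), "PTR"): ["bot.example.org."],
    ("bot.example.org.", "A"): ["198.51.100.9"],
    # IPv6 client, checked against AAAA
    (reverse_name("2001:db8::25"), "PTR"): ["v6.example.net."],
    ("v6.example.net.", "AAAA"): ["2001:db8::25"],
}


def fake_resolver(qname: str, qtype: str) -> List[str]:
    return FAKE_ZONE.get((qname, qtype), [])


if __name__ == "__main__":
    for client in ["192.0.2.10", "192.0.2.20", "192.0.2.30",
                   "192.0.2.40", "192.0.2.50", "2001:db8::25"]:
        verdict, detail = check_client(client, fake_resolver)
        print("%-14s %-8s %s" % (client, verdict, detail))
```

One caveat for anyone wiring this into a real MTA: the example returns "unknown" for absent records but cannot tell a NXDOMAIN from a timeout or SERVFAIL. A temporary lookup failure should produce a 4xx so the sender retries, which is what Postfix does for reject_unknown_client_hostname and what defer_if_reject in the ruleset above enforces during rollout.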