Hi Greg, On 2021-07-05 10:06 a.m., Greg Wooledge wrote: > On Mon, Jul 05, 2021 at 03:48:47PM +0200, Vincent Lefevre wrote: >> On 2021-07-05 09:35:22 -0400, Greg Wooledge wrote: >> [...] >>> Your "reverse" (PTR record for 162.213.253.79) doesn't match. Which is >>> to say, none of the "A" results from cyrania.com. match the original >>> IP address of 162.213.253.79. >>> >>> Some SMTP receivers may care about that. >> [...] >> >> Yes, the reason is that the owner of the IP address can technically >> put anything for the reverse, in particular a domain he doesn't own. >> Thus he can put a domain with a good reputation to send spam. That's >> why antispam software should check that the reverse resolves back to >> the IP address. > > It's a philosophical argument. The value stored in the "reverse" is > only important if you think it's important. Antispam software may > choose to consider it irrelevant, or somewhat important, or vitally > important. It's a argument that is pretty much impacting our day to day life, so wouldn't consider this only on the philosophical side. Probably that most email service provider (like Google, Microsoft and other who rent the cloud) are suggesting and pushing for the validation of reverse domain validation. The more people get problem from their home computer sending email, the more they have possibility to rend computer on the cloud. What annoy my is that I am paying for a dedicated IP for my server (in shared hosting) and I believe it must be a mis-configuration I've done, possibly also the use of Cloudflare (but my mail server is in plain IP not behind Cloudflare). As I also rent a dedicated server (rack) in a data center, with two dedicated IP, I'm thinking about starting to host the mail server myself. > > If I'm sending email from 162.213.253.79 but I use bill@microsoft.com as > my envelope sender address, does it *really* matter whether 162.213.253.79 > has a mismatched reverse lookup? It's more important to check whether > microsoft.com considers 162.213.253.79 to be a valid sender. (And that > uses SPF or other optional mail-specific information sources.) > I agree with you, people who SPAM do have the infrastructure to make their domain resolution match, both forward, reverse and possibly side-way if there's a need. They have huge amount of resources to do so, they may even locate their server farm (physical) in some jurisdiction who give them free play and doesn't enforce (or simple doesn't have) law regarding the unsolicited mail. So reverse matching ain't a big deal for them. There's huge amount of cash involve so they can build a huge infrastructure to allow them doing their bad practice. > Strict reverse-match checking really hurts people who send email > from home computers, where controlling the reverse is not always easy. > Any impact on commercial spammers is negligible, unless the real goal is > to block bot nets by assuming that anyone with a mismatched reverse is a > home computer user and is therefore a compromised spam bot, because how > could anyone on a home computer network ever be a legitimate email sender? > I agree that this type of action harm the home user. Regarding anti-spam, if people who want to go use Netflix using a VPN can find a way of having their reverse lookup point to a home user domain then I'm sure every spam based business can find a way to do the opposite, that is, get their IP resolve to a business / data center domain name. > A more sensible antispam filter might consider a mismatched reverse to > be one potential factor in deciding whether a given message is "spam". > In the absence of any other factors, it shouldn't be enough to reject > a message. But if the same message has other risk factors, then together > they might be enough to justify that judgment. > Everything is about have a good degree of balance between all the different attributes. It's the basis of security. If you only rely on one type of enforcement, people will find a way to go thru and you will put a undue burden upon a class of user. -- Polyna-Maude R.-Summerside -Be smart, Be wise, Support opensource development
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature