[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


Hi Greg,

On 2021-07-05 10:06 a.m., Greg Wooledge wrote:
> On Mon, Jul 05, 2021 at 03:48:47PM +0200, Vincent Lefevre wrote:
>> On 2021-07-05 09:35:22 -0400, Greg Wooledge wrote:
>> [...]
>>> Your "reverse" (PTR record for doesn't match.  Which is
>>> to say, none of the "A" results from cyrania.com. match the original
>>> IP address of
>>> Some SMTP receivers may care about that.
>> [...]
>> Yes, the reason is that the owner of the IP address can technically
>> put anything for the reverse, in particular a domain he doesn't own.
>> Thus he can put a domain with a good reputation to send spam. That's
>> why antispam software should check that the reverse resolves back to
>> the IP address.
> It's a philosophical argument.  The value stored in the "reverse" is
> only important if you think it's important.  Antispam software may
> choose to consider it irrelevant, or somewhat important, or vitally
> important.
It's a argument that is pretty much impacting our day to day life, so
wouldn't consider this only on the philosophical side.

Probably that most email service provider (like Google, Microsoft and
other who rent the cloud) are suggesting and pushing for the validation
of reverse domain validation. The more people get problem from their
home computer sending email, the more they have possibility to rend
computer on the cloud.

What annoy my is that I am paying for a dedicated IP for my server (in
shared hosting) and I believe it must be a mis-configuration I've done,
possibly also the use of Cloudflare (but my mail server is in plain IP
not behind Cloudflare).

As I also rent a dedicated server (rack) in a data center, with two
dedicated IP, I'm thinking about starting to host the mail server myself.

> If I'm sending email from but I use bill@microsoft.com as
> my envelope sender address, does it *really* matter whether
> has a mismatched reverse lookup?  It's more important to check whether
> microsoft.com considers to be a valid sender.  (And that
> uses SPF or other optional mail-specific information sources.)
I agree with you, people who SPAM do have the infrastructure to make
their domain resolution match, both forward, reverse and possibly
side-way if there's a need. They have huge amount of resources to do so,
they may even locate their server farm (physical) in some jurisdiction
who give them free play and doesn't enforce (or simple doesn't have) law
regarding the unsolicited mail.

So reverse matching ain't a big deal for them. There's huge amount of
cash involve so they can build a huge infrastructure to allow them doing
their bad practice.

> Strict reverse-match checking really hurts people who send email
> from home computers, where controlling the reverse is not always easy.
> Any impact on commercial spammers is negligible, unless the real goal is
> to block bot nets by assuming that anyone with a mismatched reverse is a
> home computer user and is therefore a compromised spam bot, because how
> could anyone on a home computer network ever be a legitimate email sender?
I agree that this type of action harm the home user.
Regarding anti-spam, if people who want to go use Netflix using a VPN
can find a way of having their reverse lookup point to a home user
domain then I'm sure every spam based business can find a way to do the
opposite, that is, get their IP resolve to a business / data center
domain name.

> A more sensible antispam filter might consider a mismatched reverse to
> be one potential factor in deciding whether a given message is "spam".
> In the absence of any other factors, it shouldn't be enough to reject
> a message.  But if the same message has other risk factors, then together
> they might be enough to justify that judgment.
Everything is about have a good degree of balance between all the
different attributes. It's the basis of security. If you only rely on
one type of enforcement, people will find a way to go thru and you will
put a undue burden upon a class of user.

Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply to: