We are a Domino 7 shop with a growing spam problem. Many of our spams come without a valid PTR record. I thought we could stop them all by turning on the Verify connecting host in DNS. But then I saw a posting where you said not to turn that on.
Do you still believe it is not a good idea to turn it on? How about if you have most of your senders on a whitelist?
Also, what blacklists do you recommend?
That seems to be of general interest, so here are some answers:
Yes, I do still believe that Verify connecting host in DNS is a bad idea.
Firstly, the verification of connecting hostname pre-empts DNS and local whitelists, so your whitelist won't save you when a trusted sender has incorrect or missing DNS.
Secondly, it is still true here that a large proportion of legitimate senders have incorrect or missing DNS. It is also true here that, while a large number of unwanted senders do have missing DNS, at least as many have well formed DNS - we just don't want their email. Example:
Received: from cpe.atm2-0-1151118.0x50a37b66.naenxx3.customer.tele.dk ([80.163.123.102])
by domino.mydomain (Lotus Domino Release 7.0.2)
with SMTP id 2006101822354132-1654 ;
Wed, 18 Oct 2006 22:35:41 +0100

In this case HELO matches rDNS for the connecting IP, but it would make no difference if it didn't. The system would still pass the test because DNS is well formed.
Finally, my earlier advice on DNSBLs still stands. If you have time, a local blacklist will also serve you well if configured correctly.
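To make the two objections above concrete, here is an added example (my own model, not Domino's code) of the check as the post describes it: the connecting IP must have a PTR record, and that test runs before any whitelist. The Received header is the one quoted above; the DNS records and the whitelisted sender 192.0.2.10 are constructed so the script runs offline.

```python
import re

# Constructed stand-ins for DNS so this runs offline.
# PTR: connecting IP -> reverse name (None = no PTR published).
PTR = {
    "80.163.123.102": "cpe.atm2-0-1151118.0x50a37b66.naenxx3.customer.tele.dk",
    "192.0.2.10": None,  # constructed: a trusted partner with no PTR record
}
# A: forward lookup of the reverse name, used for the stricter FCrDNS variant.
A = {"cpe.atm2-0-1151118.0x50a37b66.naenxx3.customer.tele.dk": "80.163.123.102"}

WHITELIST = {"192.0.2.10"}  # constructed local whitelist

SAMPLE_RECEIVED = (
    "Received: from cpe.atm2-0-1151118.0x50a37b66.naenxx3.customer.tele.dk "
    "([80.163.123.102])\n"
    "\tby domino.mydomain (Lotus Domino Release 7.0.2)\n"
    "\twith SMTP id 2006101822354132-1654 ;\n"
    "\tWed, 18 Oct 2006 22:35:41 +0100\n"
)
RECEIVED_RE = re.compile(r"Received: from (\S+) \(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def connecting_host(received_header):
    """Return (HELO name, connecting IP) from a Domino-style Received header."""
    m = RECEIVED_RE.search(received_header)
    return (m.group(1), m.group(2)) if m else None


def has_ptr(ip):
    """Model of 'Verify connecting host in DNS': does the IP reverse-resolve at all?"""
    return PTR.get(ip) is not None


def forward_confirmed(ip):
    """Stricter FCrDNS: the PTR name must resolve back to the same IP."""
    name = PTR.get(ip)
    return name is not None and A.get(name) == ip


def smtp_decision(ip, verify_dns):
    """Order matters: the DNS check pre-empts the whitelist, as the post says."""
    if verify_dns and not has_ptr(ip):
        return "reject: no PTR"  # whitelisted or not
    if ip in WHITELIST:
        return "accept: whitelisted"
    return "accept: passes DNS check"  # the spam source above lands here
```

Run `smtp_decision` on both IPs with the option on and off to see the trade-off: the unwanted sender with well-formed DNS is accepted either way, while the whitelisted partner is only accepted with the option off.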
Category: Domino: Administration
Technorati: IBM Lotus Domino
1. Gregg Eldred, 20/10/2006 20:10:58
Homepage: http://www.ns-tech.com/blog/geldred.nsf
Excellent post, as usual. Love that List. Thanks, Chris.
2. Ben Rose, 24/10/2006 08:10:11
Homepage: http://www.jaffacake.net
We started verifying the connecting host a short while ago with almost negligible business impact.
Those sending from poorly configured mail exchangers are now rejected until they sort out their act.
3. Chris Linfoot, 24/10/2006 17:20:33
Well this simply couldn't work here. We'd reject far too many senders. Just goes to show that individual mileage may vary I suppose...
4. Chris Miller, 01/11/2006 05:04:57
Homepage: http://www.IdoNotes.com
We go back and forth. Some customers want it on, leaving it to the sender to fix. Others never want to take the chance of missing anything.
5. Mark Gottschalk, 15/12/2006 19:03:02
Homepage: http://www.2roads.com
I appreciate your take on this, Chris, however many major ISPs reject mail outright for not having rDNS. Just a few examples, including the policy page and relevant verbiage:
COMCAST
http://www.comcast.net/help/faq/index.jsp?faq=EmailSpam18482
"your mail server does not have a PTR record set up to associate the IP address with the domain name, it will fail the rDNS test and the mail server will not be able to send email to Comcast.net"
AOL
http://postmaster.aol.com/guidelines/bestprac.html
"All e-mail servers connecting to AOL's mail servers must have valid reverse DNS records"
AT&T
http://www.att.net/general-info/mail_info/block_enduser.html
"The AT&T Worldnet mail system, like many others, does not accept messages from mail systems with no DNS records."
So, I don't see how my rejecting mail for not having a pointer record (rDNS) could matter very much to a party who cannot deliver mail to many major ISPs.
These senders must be well aware that they have significant problems outside of not being able to send to me. Without proper rDNS their mail system is basically unusable.
That said, a whitelist capability for this setting in Domino would be welcome for those few critical, but clueless, customers.
6. Mark Gottschalk, 21/12/2006 18:15:08
Homepage: http://www.2roads.com
Chris, I found a possible solution - kludge, really - that others might find useful for 'whitelisting' IPs without proper rDNS.
This is a follow-up to my post from six days ago: So, I've had the "Verify connecting host in DNS" setting enabled for almost a week and have had an issue with only one important organization not being able to send us mail. When it happened, in the absence of a whitelist, I was almost forced to disable the setting. Almost.
As you all know, the problem is that mail servers without rDNS entries can't send you mail, even if the mail is from 'legit' organizations with badly configured DNS. And it is sometimes impossible to get them to fix the issue correctly by publishing a pointer record on the IP of their mailserver, regardless of how 'right' you may be in your analysis and argument.
However, if you have control over your in-house DNS you can try doing what I did. I created a bogus PTR record in the reverse lookup table for the organization I wanted to whitelist. That way when the Domino mail server does its lookup on the IP, it finds a record and allows the connection. It does not matter if the PTR you create is legit, accurate, or even a properly configured hostname, just so long as it is not blank.
Anyway, I did this for the one troublesome sender we had. It worked, and mail is flowing again. So long as I only end up making a few of these now and then, enabling "verify connecting host in DNS" is worth it. It has cut connections from spam sources by half, reducing the work on the mailserver and other anti-spam measures.
7. Chris Linfoot, 21/12/2006 19:09:01
Thanks. We are aware of this workaround, but it doesn't scale.
8. Mark Gottschalk, 04/01/2007 18:05:15
Homepage: http://www.2roads.com
Chris, your typical senders might be presenting you with a different problem than I'm observing, but it looks like it will scale for our organization. I'm expecting to add maybe ten to twenty 'fake' DNS entries per year. That's it.
It's been a bit more than three weeks since I enabled the "Verify connecting host in DNS" option, and I've only had to add two entries in my DNS to accommodate mail from senders we didn't want to block. One of those was a client who, when informed, apologized, confessed that they'd had problems sending mail all sorts of places, and then added a PTR record. So I removed that entry from my DNS after two days when theirs went live.
I also went to the trouble to log the rejections in the Statistics Reports database. By running a search which filters the rejections from China, Bulgaria, Korea, etc., I've been able to manually spot check the remaining rejections each day, just as a test, and have found none that were legit.
The other issue is, if sufficient organizations implement this and we reach some tipping point, then it will become a de facto standard. Sending mail without an rDNS record will be commonly known to be pointless, and the remaining holdouts will quickly change. With AOL, Comcast, AT&T, etc. already rejecting connections without rDNS entries, I'd say we're getting close, if not already there.
For those of you who can't, for whatever reason, implement the "Verify connecting host in DNS" setting, I fully understand. Legitimate businesses in Europe or Asia may have a different percentage of proper PTR records than I'm observing. Or, your organization might be significantly larger than ours, and you just can't yet risk taking the chance that client mail intended for some VP is rejected, and you get fired. But if you can implement the DNS checking, then do. It's been a highly effective addition to our anti-spam arsenal.
9. Carlos Alonso Padrones, 22/02/2008 14:07:35
Hi. I know there's a lot of information available in this blog, but I'm looking for urgent administration tips for our Domino Server 6.5.5 about spam.
Until now, we were using only the "Allow messages intended only for the following internet addresses" option (allowing mails only to our real users' addresses), but we were receiving tons of spam. Also the server had to reject a lot of messages addressed to old and random addresses.
Now I've enabled the DNS Blacklist filters with bl.spamcop.net, and also "Verify connecting hostname in DNS", and the spam has been stopped at a high rate. I see you think enabling this last option is not a good idea. "Verify sender's domain in DNS" continues disabled, because it seemed to me to be more likely to reject legitimate emails. About sender's domain verifying, in http://indomino.blogspot.com/2007/01/how-to-block-spam-in-lotus-domino-6x.html the author says "This is a must".
- Do you think I should disable hostname verifying and enable sender's domain verifying? Or enable both of them?
- After reading comments in http://chris-linfoot.net/d6plinks/CWLT-6KRE5S do you recommend spamcop or spamhaus.org? Both of them?
Thanks in advance and sorry for my bad English
10. Chris Linfoot, 22/02/2008 17:19:46
Carlos, the answer you seek is here.
http://chris-linfoot.net/d6plinks/CWLT-6R8P9S
11. Carlos Alonso Padrones, 28/02/2008 11:14:16
Thank you very much, Chris. I'll continue the conversation in that post.
12. fjodor, 24/04/2008 22:52:54
RDNS works fine for the 17 little firms I manage. I had to add a bogus PTR around 5 times total in a 1 year period.
Also adding dsl/dial-up networks to the "deny connections from the following..." list will reduce spammers a lot. In 1 year I've denied about 3000 dsl/dial-up networks all over the world. I use this list for all my new clients (also in Exchange). For example t-dialin.net, dsl.tiscali.net etc. No firm will send you e-mail from a dsl/dial-up network. Home users, while sending you e-mails, have to use the ISP provided smtp server. So it works, at least for me and my clients.
It also helps a lot to find out if your firm is doing work outside your country. I have clients who will never communicate with China, Russia etc. and I have connections from these countries disabled. When a VP tells me that I can block traffic from China, I do it. And when they need it, I just change it back. It's 1 click away, instead of getting millions of spam from this country for months/years :)