Host names, both HELO and RevDNS, are not random

Data from my system

About 14% of incoming mail is blocked based on HELO or RevDNS filter rules. For these, I don't care if they are forward-confirmed or not. If HELO is an IP address or anything that does not look like an FQDN, it is almost certainly spam.

After excluding mail blocked based on source reputation, I have this data on the remainder:

76.8% produce fcDNS on both HELO and RevDNS
3.1% produce fcDNS on HELO but not RevDNS
4.7% produce fcDNS on RevDNS and have the same domain as HELO, indirectly verifying HELO
10.0% produce fcDNS on RevDNS alone

Caveat: If the RevDNS name is the ISP, and it forward-confirms, a malicious server might set its HELO name to match the ISP's RevDNS name. So fcDNS on HELO does not prove ownership by the server domain. However, this does not prevent filtering on host names or fcDNS result when the domain being queried is known to be something other than an ISP.

Doug Foster

On Fri, Oct 28, 2022 at 1:41 AM Murray S. Kucherawy <[email protected]> wrote:

> On Sun, Oct 23, 2022 at 2:30 PM Douglas Foster <[email protected]> wrote:
>
>> I tried to lay out why I believe reports with server identity would be
>> important to domain owners. In this context, verification reduces
>> ambiguity about whether the HELO name accurately identifies the server
>> organization. Reverse DNS can also be useful, but it may indicate the ISP
>> rather than the server owner, so I started with just the HELO to reduce
>> pushback.
>
> But if you have verification (whatever you meant by that), what additional
> value does the parameter to HELO/EHLO provide?
>
> I've always considered it to be a random string, because the protocol
> allows it to be such. It doesn't necessarily mean or correlate to anything
> as far as I can tell.
>
> -MSK
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
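The bucketing Doug Foster's statistics rest on, written out as an added example that is not part of the thread: it rejects a HELO that does not look like an FQDN, forward-confirms the HELO name and each PTR name against the connecting IP, checks whether a confirmed PTR name shares the HELO's domain, and applies the post's caveat that a forward-confirming HELO which names the ISP proves nothing about the sender. The A/PTR tables, host names and ISP domain list are constructed stand-ins for live DNS, not real hosts.

```python
import re

# Constructed in-memory DNS tables standing in for live A and PTR lookups (not real hosts).
FAKE_A = {
    "mx1.example.org": {"192.0.2.10"},
    "host-10.isp.example.net": {"192.0.2.10"},   # the ISP's generic PTR name
    "out.example.com": {"198.51.100.5"},
    "mta.example.org": {"203.0.113.7"},
}
FAKE_PTR = {
    "192.0.2.10": {"host-10.isp.example.net"},
    "198.51.100.5": {"out.example.com"},
    "203.0.113.7": {"ghost.example.net"},        # PTR name with no matching A record
}
# Assumed list of domains whose PTR names identify the ISP rather than the mail sender.
ISP_DOMAINS = {"isp.example.net"}

# Dotted labels ending in an alphabetic TLD; rejects IP literals, bare IPs and single labels.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}\.?$", re.I)

def looks_like_fqdn(name: str) -> bool:
    return bool(FQDN_RE.match(name))

def org_domain(name: str) -> str:
    # Crude registered-domain guess: last two labels (no public-suffix list; an assumption).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def in_isp_domain(name: str) -> bool:
    return any(name.lower().rstrip(".").endswith("." + d) for d in ISP_DOMAINS)

def forward_confirms(name: str, ip: str, a_table=FAKE_A) -> bool:
    # fcDNS: the name resolves (A record) back to the connecting IP.
    return ip in a_table.get(name.lower().rstrip("."), set())

def classify(ip: str, helo: str, a_table=FAKE_A, ptr_table=FAKE_PTR) -> str:
    # Bucket one SMTP connection the way the post's statistics do.
    if not looks_like_fqdn(helo):
        return "reject: HELO is not an FQDN"
    helo_ok = forward_confirms(helo, ip, a_table)
    rev_ok = {n for n in ptr_table.get(ip, set()) if forward_confirms(n, ip, a_table)}
    if helo_ok and in_isp_domain(helo):
        # Caveat: an ISP's PTR name used as HELO forward-confirms but proves no ownership.
        return "fcDNS on HELO, but HELO names the ISP"
    if helo_ok and rev_ok:
        return "fcDNS on both HELO and RevDNS"
    if helo_ok:
        return "fcDNS on HELO only"
    if rev_ok and any(org_domain(n) == org_domain(helo) for n in rev_ok):
        return "fcDNS on RevDNS, same domain as HELO"
    if rev_ok:
        return "fcDNS on RevDNS only"
    return "no fcDNS"
```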
