On Fri, Feb 28, 2020 at 10:06:51AM +0100, Matus UHLAR - fantomas wrote: > It's more likely that MessageLabs scan the internet for open relays, > mailservers features to gather statistics about the internet.
That's quite plausible. I also operate a more modest scanner: it connects once a day to every IP address of DNSSEC-signed MX hosts with DANE TLSA records (around 13k TCP endpoints), checking whether their TLSA records match their certificate chains. A small fraction of users with DANE TLSA records are blocking the survey connections (currently from 100.2.39.101). If you are one of them, please consider dropping the filter. The DANE survey is for your benefit, you get notified[1] if you ever mess up, and even if *you* never mess up, others who do, get an opportunity to fix the reported issues promptly. This keeps the ecosystem healthy enough for further adoption (<https://stats.dnssec-tools.org/>). Just blocking traffic you didn't expect isn't always a win if it is not doing any harm. -- Viktor. [1] Unless there's no way to find a working contact address for your domain, but if you're operating an email domain it is best to have a working postmaster address, a non-hidden WHOIS email contact, or a working contact in the SOA RR (or RFC 8460 _smtp._tls TXT RR): https://tools.ietf.org/html/rfc8460#section-3
