John Rudd wrote:
>> I think FCrDNS stands for "Forward-confirmed reverse DNS" as noted at
>> http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS :-)
>
> Every place I've seen it talked about, including past discussion on
> this list, calls it Full Circle, not Forward Confirmed. Based on that
> page, I assume they're synonymous.

I hope so. They both sound like great names for the concept, anyway.

>> As a matter of fact, there is nothing stopping a domain
>> from resolving to 127.0.0.1 (or 127.0.0.1 from resolving to a domain,
>> regardless of whether or not it is "localhost") and no reason for SMTP
>> to complain about it, so those aren't always automatic failures.
>
> I didn't imply that they're automatically failures. It was an
> implication that the rule that does the checking might be set up to
> reject those results. "I got back localhost as a result, and I don't
> want that, so I'm going to give a rule failure of some sort, rather
> than continue on to some other result".

So then they are specific samples that, despite not failing FCrDNS, you
would like to discriminate against? I misunderstood your intent.
Checking against private and local networks sounds like a good idea.

>> SENDMAIL HAS THIS AMBIGUITY.
>
> In fact, Sendmail's ambiguity on the subject was part of why I wrote Botnet.

Ah, that was you (this list is awesome; everybody's here!). I keep
meaning to try that plugin, but I'm wary of all the false positives I
hear it creates (so I'd have to turn the scores down to near-zero and
then slowly turn them up). I also find that greylisting, even if solely
against Windows desktops (p0f is now supported in milter-greylist, and
I'd be happy to share my rules that let servers through), seems to
alleviate my need for botnet detection.

>> 5. IP -> rDNS: Domain -> DNS: IP2 -> FAIL (mismatch)
>> 6. IP -> rDNS: [none] ->-> FAIL (no rDNS, doesn't fail in sendmail)
>> 7. IP -> rDNS: Domain -> DNS: [none] -> FAIL (no DNS, sendmail=?)
>>
>> Within SpamAssassin, RDNS_NONE catches #6, my KHOP_MAYBE_FORGED
>> catches #5 (on sendmail servers), and I think #7 goes uncaught. The
>> other rule I described, KHOP_HELO_FCRDNS, catches #8, which isn't
>> technically FCrDNS:
>>
>> 8. IP -> rDNS: Domain != HELO -> ~FAIL (mismatch)
>
> I'm pretty sure, but I'd have to re-check, that Botnet catches all of those.

Interesting. Catching #7 would be nice, though not worth too many
points given how often servers accidentally use their internal (non-TLD)
names. However, regexps can solve that quite nicely. Does Botnet create
pseudo-headers for later polling?

> Btw: are you the Adam Katz that used to be Mr. Curtain in the Santa
> Cruz/UCSC geek scene?

Nope, haven't been there since I was a kid. There are thousands of
people with my name (and yet I'm the one with www.adamkatz.com). There
are only a handful of us in the geek world, so I think I can isolate the
one you're thinking of to the guy at www.geekeasy.com. Heck, I live only
a few blocks from another Adam Katz who is a professional web designer
(which I've done from time to time). I'm the (only?) one that does
F/OSS, D&D, and spam-fighting stuff.

... I'm also a famous dog trainer, MLB sports agent, several
journalists, and I teach plastic surgery, religion, English, and
literature at various universities. :-D

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam
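The FCrDNS outcome cases listed in the thread (#5 mismatch, #6 no rDNS, #7 no forward DNS, #8 HELO differs from rDNS), plus the idea of treating rDNS names that resolve into loopback or private space as a rule failure, worked through as an added example; this is not code from the thread, SpamAssassin, Botnet or milter-greylist. The PTR/A tables are constructed stand-ins for live DNS, and the function name, verdict strings and sample addresses are assumptions.

```python
import ipaddress

# Constructed PTR and A records standing in for live DNS (offline example).
# Public-looking addresses are used because Python's ipaddress classes the
# TEST-NET ranges (192.0.2.0/24 etc.) as private, which would skew the check.
PTR_RECORDS = {
    "50.60.70.10": ["mx.example.com"],    # full circle: rDNS -> DNS -> same IP
    "50.60.70.20": ["mail.example.net"],  # case 5: forward DNS gives another IP
    "50.60.70.30": [],                    # case 6: no rDNS at all
    "50.60.70.40": ["host.internal"],     # case 7: rDNS name has no forward DNS
    "50.60.70.50": ["localhost"],         # rDNS name resolves into loopback space
}
A_RECORDS = {
    "mx.example.com": ["50.60.70.10"],
    "mail.example.net": ["50.60.71.7"],
    "host.internal": [],
    "localhost": ["127.0.0.1"],
}

def check_fcrdns(ip, helo=None, ptr=PTR_RECORDS, fwd=A_RECORDS):
    """Classify a connecting IP as an FCrDNS rule would.

    Returns (verdict, reason); SOFTFAIL marks the HELO-vs-rDNS comparison
    (case 8), which the thread notes is not strictly FCrDNS.
    """
    names = ptr.get(ip, [])
    if not names:
        return "FAIL", "no rDNS (case 6)"
    forward = {name: fwd.get(name, []) for name in names}
    # Reject rDNS names pointing into loopback/private space even if the
    # circle would otherwise close (the localhost discussion above).
    for name, addrs in forward.items():
        for addr in addrs:
            parsed = ipaddress.ip_address(addr)
            if parsed.is_loopback or parsed.is_private:
                return "FAIL", f"rDNS {name} resolves to local/private {addr}"
    if not any(forward.values()):
        return "FAIL", "rDNS name has no forward DNS (case 7)"
    if not any(ip in addrs for addrs in forward.values()):
        return "FAIL", "forward DNS does not return the connecting IP (case 5)"
    if helo and helo.lower() not in (n.lower() for n in names):
        return "SOFTFAIL", "FCrDNS passes but HELO differs from rDNS (case 8)"
    return "PASS", "forward-confirmed reverse DNS"

if __name__ == "__main__":
    for ip, helo in [("50.60.70.10", "mx.example.com"), ("50.60.70.10", "relay.example.org"),
                     ("50.60.70.20", None), ("50.60.70.30", None),
                     ("50.60.70.40", None), ("50.60.70.50", None)]:
        print(ip, helo, *check_fcrdns(ip, helo))
```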