On Wed, 18 Sep 2013, Art Greenberg wrote:

Follow-up: 66.162.193.229 passes FCrDNS at multirbl.valli.org.

Is there a bug in SA?


On Wed, 18 Sep 2013, Art Greenberg wrote:

I see that RDNS_NONE looks at X-Spam-Relays-External for a blank "rdns= ". I currently don't see that header, but I can see X-Spam-RelaysUntrusted (how do I enable X-S-R-External?).

Here are some of the headers for a message received here that hit on RDNS_NONE:

X-Spam-RelaysUntrusted: [ ip=66.162.193.229 rdns= helo=drone048.ral.icpbounce.com by=spamfilter.netcarrier.com ident= envfrom= intl=0 id=20130918171610649 auth= msa=0 ]

...

Received: from drone048.ral.icpbounce.com ([66.162.193.229])
         by spamfilter.netcarrier.com ({671ddfa8-006a-4d35-b7ac-a2829c8915e9})
         via TCP (inbound) with ESMTP id 20130918171610649
         for <a...@eclipse.net>;
         Wed, 18 Sep 2013 17:16:10 +0000

When I execute "host 66.162.193.229":

229.193.162.66.in-addr.arpa domain name pointer drone048.ral.icpbounce.com.

Why does SA think there is no RDNS for 66.162.193.229?


If it can, SA uses the info that the calling MTA puts in the "Received:" headers
to do such checks (saves doing unnecessary DNS lookups).

In that "Received:" header it says
"from drone048.ral.icpbounce.com ([66.162.193.229])"
which looks like the kind of header that sendmail creates when it cannot
do a FCrDNS on the connecting machine. Typically that header should look like:

Received: from drone048.ral.icpbounce.com (drone048.ral.icpbounce.com [66.162.193.229])

(note the additional part inside the parentheses.)

So SA assumes that there is no FCrDNS for that sending machine and triggers
that rule. This could be due to an issue with the OP's system causing FCrDNS
lookups to fail in general or a temporary issue with DNS/networking -someplace-.
(I've seen DNS lookups temporarily fail due to remote networking or server issues).
That's why that rule isn't scored very heavily; it can have transient FPs.

So it's real life, not a bug.

--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
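
The distinction described in the reply above, as an added Python example that is not part of the original thread and is not SpamAssassin's own parser: it pulls helo, rdns and ip out of the "from" clause of a Received: header in the two forms quoted, and flags the hop when the MTA recorded no reverse name. The function names, the regex and the abridged sample header are assumptions made for this example.

```python
import re
import socket

# "from HELO (RDNS [IP])" or "from HELO ([IP])": the name inside the
# parentheses is what the receiving MTA resolved; it is absent when the
# MTA's own lookup failed. (Assumed pattern, covers only these two forms.)
_FROM = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s+\(\s*(?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\s*\)"
)

def parse_received(header):
    """Return helo/rdns/ip from one Received: header, or None if no match."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    m = _FROM.search(unfolded)
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns") or "",
            "ip": m.group("ip")}

def relay_line(header):
    """Render the hop in the style of the X-Spam-Relays* line in the thread."""
    r = parse_received(header)
    return None if r is None else "[ ip={ip} rdns={rdns} helo={helo} ]".format(**r)

def rdns_missing(header):
    """True when the header names a client IP but carries no reverse name."""
    r = parse_received(header)
    return r is not None and r["rdns"] == ""

def fcrdns(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Independent IPv4 check: the PTR name must resolve back to the same IP."""
    try:
        name = reverse(ip)[0]
        return ip in forward(name)[2]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return False

# Headers taken from the thread; SEEN is abridged after "by".
SEEN = ("from drone048.ral.icpbounce.com ([66.162.193.229])\n"
        "\tby spamfilter.netcarrier.com via TCP (inbound) with ESMTP")
TYPICAL = ("from drone048.ral.icpbounce.com "
           "(drone048.ral.icpbounce.com [66.162.193.229])")

if __name__ == "__main__":
    for h in (SEEN, TYPICAL):
        print(relay_line(h), "-> rdns missing:", rdns_missing(h))
```

By default fcrdns() uses the local resolver, so running it on the filter host shows whether that host's own lookups for the address succeed.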
