On 16/05/16 12:10, Dianne Skoll wrote:
> On Mon, 16 May 2016 09:12:54 +0200
> Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>
>> short ttl's are more likely on abusers' DNS. good for refusing
>> delisting.
> I would love to see data on the correlation. I think it's pretty
> mild. A few random tests on consumer cable IPs reveals TTLs for the
> reverse DNS ranging from a couple of hours to a day. For example,
> 24.34.32.22 => c-24-34-32-22.hsd1.ma.comcast.net. has a TTL of two
> hours while 24.44.32.22 => ool-182c2016.dyn.optonline.net. has a TTL
> of a day.
>
> The reverse-DNS of our server, roaringpenguin.com, which we do not
> control has a TTL of only one hour:
>
> 70.38.112.54 => roaringpenguin.com
>
> but the A record going the other way has a TTL of 86400.
>
> Regards,
>
> Dianne.

I don't think that the purpose of the policy is really related to dynamic IP PTRs, but rather to make it infeasible for a spammer to both request delisting from blacklists and to cycle through domains while maintaining FCRDNS.

As I recall, the comment was only about blacklist maintainer policies regarding delist requests, not about treating low-TTL reverse zones as a spam indicator in its own right. Accepting that not all ISPs are as helpful as they might be, I can't easily think of a legitimate reason for needing the TTL on the PTR of a mail server to be small, so if a blacklist operator finds it an effective way to manage request volume then that doesn't seem unreasonable.

Dominic