Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
707
Views
0
Helpful
2
Replies

method and advisability of blocking Reverse DNS host None

exMSW4319
Level 3
Level 3

‎11-13-2014 08:17 AM

Like many of the lower-end users we appear to be being pummelled by botnet owners testing their wares. Attacks are highly distributed, with Senderbase catching a fair chunk but CASE responding late (and I am checking that we are receiving our updates) if at all.

I have envelope sender DNS verification turned on for our mail flow policies covering our sender groups up to but not including our default group which starts at SBRS 0. Should I adjust our HAT to start the default group at a higher SBRS rating or enforce envelope sender verification for the default group? Aside from a HAT adjustment to a lower sender group, we're pretty much running as factory.

That brings me to my main question: how to block senders with no reverse DNS information? Am I correct in saying this is not an envelope sender verification failure as such?

I'd also like to do something about the more obvious dynamic hosts presenting themselves as host-999-999-999-999.fsckwittedispleftport25open.net or similar. I came up with the regex \D{0,X}\d{1,3}[-_]\d{1,3}[-_]\d{1,3}[-_]\d{1,3}\D{0,X} for use in a Remote IP / Hostname rule but am in two minds as to whether this is going to give me too many false positives. I'm going to have to guess a value for X, unless anyone has any suggestions.

Labels:
0 Helpful
2 Replies 2

Ken Stieers
VIP
VIP

‎11-13-2014 08:58 AM

Reverse DNS verification is tricky.  I recently turned it on, and spent a couple of weeks sending mail to other sites saying "Hey! Set up reverse DNS!" to people who should know better...

And I came across several where it was done improperly... (ex. 2 ips sending mail as 1 dns name with only one of the IPs... so reverse wouldn't match forward lookup)

I did a couple of things that seem to have cut down on dirt.  SuspectList goes to 4, and DNS failures are included, this traffic gets throttled pretty hard.  I put a content filter in that SPF failures get dropped.

Sites with no spf info still comes in, because people don't seem to know how to do that either.

 

 

 

 

0 Helpful

exMSW4319
Level 3
Level 3
In response to Ken Stieers

‎11-14-2014 08:06 AM

Thanks for the tip on SPF - I might try it on the lower mail policies to begin with in case I get too many FPs. The general lack of reliable rDNS amongst senders comes as no surprise. I was more interested in cases where there is none at all.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents