Wednesday, April 2, 2008

SPAM BUSTER! Part 2 of 4

Reverse Lookup – “Hello, who are you?”

Sending spam is illegal or at least restricted in many countries, so almost all spammers forge the sender address, both the visible "From:" header and the envelope sender given in the SMTP MAIL FROM command. The forged address is usually chosen from a trusted, well-known domain such as XX@yahoo.com or XX@gmail.com so that recipients and filters are more likely to accept it. A second reason for forging is that most ISPs have acceptable-use clauses that prohibit spamming; a forged sender hides which customer account the mail really came from, which makes it harder for the ISP to trace the abuse and shut the account down. If we could stop spammers from forging the sender address, we would greatly reduce the volume of spam. So how do we do that?

Reverse lookup is the process of mapping an IP address back to a host name: the receiving mail server takes the IP address of the connecting client and asks DNS for its pointer record (PTR). The machines that spammers send from (typically compromised home PCs or throw-away hosts) very often have no PTR record at all, or a generic one that does not resolve back to the same IP address, so a missing or unconfirmed PTR is a useful warning sign. Sender Policy Framework (SPF) attacks the same problem from the other direction. It is not a reverse lookup but a forward one: the owner of a domain publishes a DNS TXT record beginning with "v=spf1" that lists the hosts permitted to send mail for that domain, and the receiving server compares the connecting IP address against that list during the SMTP transaction, using the domain from the MAIL FROM (or HELO) command. With SPF enforced by the domain owner and checked by the receiver, a spammer who forges an envelope sender in that domain is detected and the mail can be rejected or flagged. Two caveats a practitioner should keep in mind: SPF authenticates the envelope sender, not the "From:" header the user sees, and a spammer can publish a perfectly valid SPF record for a domain of their own, so an SPF "pass" means the mail was not forged, not that it is wanted.

In my earlier post explaining how email is sent, I mentioned that the sending mail server finds the server assigned to receive mail for a domain by looking up the MX record of the recipient's domain. SPF is the mirror image of that, which is why it is sometimes described as a "reverse MX" (an early proposal along these lines was in fact called RMX, Reverse MX): the receiving server queries the DNS of the sender's domain to find out which hosts are permitted to send mail for it, and checks whether the connecting host is one of them. Reverse lookup and SPF look like good solutions, but neither is without limitations.

One important thing to take into consideration before activating reverse lookup checks is that the sender's IP address may have no PTR record at all, or the sending server may have several names for the same IP address, not all of which appear in the reverse DNS record or resolve back to that address. Users on shared hosting or vanity domains are a typical example: one mail server, and therefore one IP address and one PTR record, handles mail for dozens of domains. Rejecting mail solely because the PTR is missing or does not match the sender's domain therefore loses legitimate mail; the safer approach is to treat a missing or unconfirmed PTR as one signal in a score, and to reject only on a definite SPF fail from a domain that publishes a strict policy.
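The following is an added example and not code from the original post. It implements the two checks described above, forward-confirmed reverse DNS (PTR lookup, then confirmation that the returned name resolves back to the same IP) and a minimal SPF evaluator covering the ip4, a and all mechanisms, against a constructed in-memory DNS table so that it runs offline. All host names, addresses and SPF records in the table are invented for the example; bigmail.example stands in for a popular freemail domain that a spammer might forge. The policy in verdict() shows the caveat from the last paragraph: an SPF fail rejects, but a missing PTR only flags the message.

```python
"""Reverse lookup (FCrDNS) and a small SPF evaluator (RFC 4408 subset).

Added example. The DNS data below is constructed for the example; a real
implementation would query the resolver instead of this dictionary.
"""
import ipaddress

# Constructed DNS zone data (assumption: every name and address is invented).
DNS = {
    # PTR: IP address -> host names returned by the reverse lookup
    "PTR": {
        "10.0.0.25": ["mail.example.net"],
        "10.0.0.99": [],                                   # no PTR at all (typical bot)
        "10.0.1.7": ["shared.hosting.example", "vanity.example.org"],
    },
    # A: host name -> addresses returned by the forward lookup
    "A": {
        "mail.example.net": ["10.0.0.25"],
        "shared.hosting.example": ["10.0.1.7"],
        "vanity.example.org": [],                          # name does not resolve back
    },
    # TXT: domain -> published records (SPF lives in a "v=spf1 ..." TXT record)
    "TXT": {
        "example.net": ["v=spf1 ip4:10.0.0.0/24 -all"],
        "example.org": ["v=spf1 a:shared.hosting.example ~all"],
        "bigmail.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
        "nospf.example": [],                               # domain publishes no SPF
    },
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fcrdns(ip):
    """Forward-confirmed reverse DNS.

    Returns ("none", []) when the IP has no PTR record, ("pass", names) with the
    PTR names that resolve back to ip, or ("fail", []) when none of them do.
    """
    names = DNS["PTR"].get(ip, [])
    if not names:
        return "none", []
    confirmed = [name for name in names if ip in DNS["A"].get(name, [])]
    return ("pass" if confirmed else "fail"), confirmed


def spf_check(ip, mail_from_domain):
    """Evaluate the domain's SPF record for the connecting IP.

    Supports the ip4, a and all mechanisms with the +, -, ~ and ? qualifiers.
    Anything else yields "permerror", as a full evaluator would for a
    malformed record; "none" means the domain publishes no SPF record.
    """
    records = [t for t in DNS["TXT"].get(mail_from_domain, []) if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "a" or term.startswith("a:"):
            host = term[2:] if term.startswith("a:") else mail_from_domain
            matched = ip in DNS["A"].get(host, [])
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match


def verdict(ip, mail_from_domain):
    """Toy receiving policy combining both checks.

    A definite SPF fail is rejected. Otherwise a missing or unconfirmed PTR
    only flags the message, because legitimate shared-hosting and vanity
    domains often look exactly like that.
    """
    spf = spf_check(ip, mail_from_domain)
    if spf == "fail":
        return "reject"
    rdns, _ = fcrdns(ip)
    if spf == "pass" or rdns == "pass":
        return "accept"
    return "flag"


if __name__ == "__main__":
    for ip, domain in [("10.0.0.25", "example.net"),      # legitimate
                       ("10.0.0.99", "bigmail.example"),  # forged freemail sender
                       ("10.0.1.7", "example.org"),       # shared host, one PTR name
                       ("10.0.0.25", "nospf.example")]:   # no SPF, good rDNS
        print(ip, domain, spf_check(ip, domain), fcrdns(ip), verdict(ip, domain))
```

Note how 10.0.1.7 only forward-confirms as shared.hosting.example even though it also sends for vanity.example.org: that is exactly the multiple-names case, and the reason the reverse lookup is a signal rather than a verdict on its own.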

End of Part 2
