CERIAS - Center for Education and Research in Information Assurance and Security

Skip Navigation
CERIAS Logo
Purdue University - Discovery Park
Center for Education and Research in Information Assurance and Security

Using DNS for first-level spam filtering

Share:

We have had some success using domain name system lookups to block incoming mail messages that are likely to be junk mail.  While many people (including us) use DNS real-time black lists, the checks below are done against values returned by regular forward and reverse lookups on the connecting IP address.  We’ve stopped a large amount of traffic based on the name of the connecting host or due to “poorly” configured DNS without many complaints.  The number of false positives, while non-zero, have so far been at levels acceptable to us.

The first test is a sanity check of sorts on the name of the connecting host.  If no reverse lookup can be done on the IP address of the host, the message is blocked.  A forward lookup is then done on the just-returned host name.  If the forward and reverse lookups do not match, the message is blocked.

Then the hostname is checked against a regex that tries to match dial-up or home cable/DSL addresses.  If it matches that, the message is blocked.  The expectation is that this will help block the spam zombies on less than ideally maintained home machines out there.

These checks do generate false positives.  There are some domains where outgoing mail comes from hosts with no name in DNS or all hosts of the domain have names of the form ip-NNN-NNN-NNN-NNN.domain.  Some smaller companies or individuals are given addresses from their net providers of that form and are unable to change them.  Apparently many net providers think it’s a good idea to do a reverse lookup on an IP address but then not have a valid forward lookup for the just returned name.  To help with these cases, the SMTP rejection message includes a URL where one can request that their addresses be added to an exception list.

Now to numbers.  During the average day last week our SMTP server got 8719 connection requests.  The previously mentioned DNS tests resulted in the blocking of 4463 messages, or about 51% of all our incoming traffic.  Since this happens before any virus scanning or spam scanning on the content of the messages, it saves quite a bit of CPU and IO time on the server.  While this system isn’t perfect, it is so effective as a first pass filter that we put up with the few false positives that have been reported so far.

Comments

Leave a comment

Commenting is not available in this section entry.