Devin Reade wrote:
> Ljubomir Ljubojevic <office at plnet.rs> wrote:
>
>> I use it too. Reverse-DNS check is best SPAM repellent there is. Only
>> mail from properly set mail servers is accepted.
>
> That's fine if your check is that a reverse DNS entry exists,
> or that the HELO/EHLO exists in forward DNS or, if your MTA is
> smart enough, it does a reverse-forward* check, but if
> you only check that the HELO/EHLO matches the reverse entry
> then you're blocking a bunch of valid mailers because there is
> no specification requirement that those two match (and they don't
> in the general case).
>
> (*) reverse-forward here means do a reverse lookup on the connecting
> IP, then doing a forward lookup on the result, and then ensure that
> original IP is one of the 'A' records resolved from the forward
> lookup.
>
> Devin

I only check reverse DNS entry for FQDN, I think HELO/EHLO is not checked.

Ljubomir
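
The reverse-forward check described in the quoted reply, as an added example that is not part of either post: it classifies a connecting client by PTR existence and forward confirmation, and only records whether the HELO/EHLO name differs instead of failing on it. The function names, status strings and sample DNS tables are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample DNS data (documentation address ranges), for offline use.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.net."],
    "192.0.2.20": ["host20.example.org."],
    "198.51.100.7": ["mx.example.com."],
}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.10"],
    "host20.example.org": ["192.0.2.99"],  # forward lookup does not lead back
    "mx.example.com": ["198.51.100.7", "198.51.100.8"],
}

def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_addrs(name):
    """A/AAAA addresses for name from the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except OSError:
        return []
    return [info[4][0] for info in infos]

def fcrdns(ip, helo, ptr=system_ptr, addrs=system_addrs):
    """Return a status string for the connecting IP and its HELO/EHLO name."""
    client = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        return "no-ptr"
    # Forward-confirm: the original IP must be among the PTR name's addresses.
    confirmed = [n for n in names
                 if any(ipaddress.ip_address(a.split("%")[0]) == client
                        for a in addrs(n))]
    if not confirmed:
        return "ptr-unconfirmed"
    # A HELO that differs from the PTR name is noted, never treated as failure.
    if helo.rstrip(".").lower() in confirmed:
        return "confirmed, helo-match"
    return "confirmed, helo-differs"
```

Called with only `ip` and `helo`, `fcrdns` uses the system resolver; passing lookup functions over the sample tables keeps it offline.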