[KoRn]

Every company should host their own DNS servers anyway. Not clearly stated by the article, is that an email firewall will do reverse DNS lookups on incoming messages to verify they are coming from where they claim they are in the message header.

If the reverse lookup goes unresolved the message is rejected. I've seen spammers change their domains as much as 4 times per day attempting to prevent being blacklisted by our firewall/filter.

Our company gets about 5,000 emails per day and about 2,700 of them are dropped because they are either spam or contain viri. I sometimes run a tail -f on the maillog file to watch them die in real time lol.

[general_re]

Not clearly stated by the article, is that an email firewall will do reverse DNS lookups on incoming messages to verify they are coming from where they claim they are in the message header.

Unless you default to automatically dropping everything your DNS machine can't resolve on its own, that doesn't fix the problem of hammering DNS boxes farther up the heirarchy.

[taxcontrol]

It is these reverse lookups that are overloading the ISPs. I properly constructed business would, like you said, have their own DNS server to do a local lookup against.

However, what about the ISP's email servers? Add to that the load from business that are too small to have their own mail servers or DNS servers and you can see that there can be a significant load on the DNS servers.

Ideally, you would have an email filtering bastion host (email relay server) that would locally store the current DNS table. That way it could locally check the emails for a valid dns name prior to passing on to the internal email server. It could also do the scanning for viruses as well as blacklisted domains, pre and post tagging, etc.

[dfrussell]

Reverse lookups are not a good idea because many people use return email addresses not associated with the sending IP. A good example is all the people with yahoo/hotmail IDs and sending email out from their place of employment.