[Dshield] DNS MX record block question

Bob Love bob.lists at raha.com
Fri Sep 5 23:12:37 GMT 2003


> that do not resolve to an MX record.  I said that one should
> absolutely block when the domain does not have a valid MX
> record because if you are not a valid mail server, then why are
> you sending me mail?  I'll assume

You are absolutely correct, but...

Using this method you WILL also block many valid domains. Sadly, there are
still many clueless admins out there from otherwise respectable ISPs... you
could try feeding them a spoonful of clue, but you'll spend the rest of your
life on a crusade, speaking from experience.

Better you stick to the (loosely termed) "standard" methods of relatively
open acceptance of incoming mail, with perhaps some anti-spam via MAPS,
perhaps an AV also, and the occasional emergency tweak/filter when a new
virus/worm hits...

Having said that, this is looking at it from the perspective of an ISP
(which I'm not any more, but I was) - where you need your clients to get the
*least* number of false positives in terms of blocked mail, without being
"wide open" and letting any old junk through.

In a business environment your requirements may differ, and you can afford
to be a lot stricter with your blocking, in which case, when not accepting
mails from servers with no (or incorrect) RDNS entries, the occasional false
positive may be acceptable.

Regards

Bob
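
An added example, not part of the original message: the trade-off described above, run over constructed DNS data instead of live lookups. The `findings` and `decide` functions, the two policy tiers, and every domain and address are assumptions made for illustration.

```python
# Constructed DNS data standing in for real lookups.
# All domains and addresses are reserved documentation values.
DNS = {
    "MX": {
        "example.com": ["mail.example.com"],
        "example.org": ["mail.example.org"],
    },
    "A": {
        "mail.example.com": ["192.0.2.10"],
        "example.net": ["192.0.2.20"],   # valid domain whose admin published no MX
        "mail.example.org": ["192.0.2.30"],
    },
    "PTR": {
        "192.0.2.10": "mail.example.com",
        "192.0.2.20": "example.net",
        "192.0.2.40": "mail.example.com",  # PTR exists but does not map back
        # 192.0.2.30 has no PTR record at all
    },
}

def findings(sender_domain, client_ip, dns=DNS):
    """Return the DNS problems seen for one SMTP connection."""
    problems = []
    if sender_domain not in dns["MX"]:
        # SMTP delivery falls back to the address record when no MX exists,
        # so a missing MX is a weaker signal than a name that resolves to nothing.
        problems.append("no_mx" if sender_domain in dns["A"] else "unresolvable")
    ptr = dns["PTR"].get(client_ip)
    if ptr is None:
        problems.append("no_rdns")
    elif client_ip not in dns["A"].get(ptr, []):
        problems.append("rdns_mismatch")
    return problems

def decide(sender_domain, client_ip, strict):
    """strict=True models a business policy, strict=False an ISP one (both assumed)."""
    problems = findings(sender_domain, client_ip)
    if strict:
        # Any finding is grounds to refuse; false positives are tolerated.
        return ("reject" if problems else "accept", problems)
    # Lenient tier: refuse only a sender domain that resolves to nothing.
    return ("reject" if "unresolvable" in problems else "accept", problems)
```

The `example.net` case is the false positive in question: a working sender with no MX record is refused under the strict tier and accepted under the lenient one.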






