[Dshield] DNS MX record block question

Jon R. Kibler Jon.Kibler at aset.com
Fri Sep 5 23:26:49 GMT 2003


Richard:

In a word... DON'T!!

If you block based on missing MX records, you will lose A LOT of legit email. Besides, you would be violating the RFCs (don't remember which one off the top of my head) to do so.

How mail delivery works (or at least should):
   1) MTA builds a list of MX records:
      a) MTA tries to send to host with lowest preference
      b) If mail accepted, you're done
      c) If perm fail (DSN=5.x.y), you're done
      d) If temp fail (DSN=4.x.y), try next MX on list
      e) If temp fail on last MX, queue for later retry (some MTAs will first try to pretend there were no MX records)
   2) If no MX records:
      a) MTA tries to send to the EXACT HOSTNAME following "@" in recipient's email address
      b) If mail accepted, you're done
      c) If perm fail, you're done
      d) If temp fail, queue for later retry

There are variations and exceptions to the above (for example, if you have a FallBack local MTA), but that is the basic way mail is supposed to work.

There are far better ways to block spam, etc. Contact me off-list if you would like some ideas...

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA
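The two-step delivery walk described above (ordered MX list, then the bare hostname when no MX exists), as an added example that is not from the original post or any real MTA. The resolver data and the SMTP reply codes are constructed; the `try_host` callback stands in for an SMTP session and returns the reply code class the remote server gave.

```python
"""MX-or-A delivery target selection, modelled on the steps in the post above."""
from typing import Callable, Dict, List, Tuple

# Constructed sample zone data (assumed, not real DNS): domain -> [(preference, host)].
# An empty list means the domain has no MX records at all.
SAMPLE_MX: Dict[str, List[Tuple[int, str]]] = {
    "example.com": [(20, "mx2.example.com"), (10, "mx1.example.com")],
    "nomx.example.org": [],  # legitimate domain with only an A record
}


def candidate_hosts(domain: str, mx_lookup=SAMPLE_MX.get) -> List[str]:
    """Step 1: MX targets ordered by preference (lowest first).
    Step 2: with no MX records, the exact hostname after '@' is the only target."""
    records = mx_lookup(domain) or []
    if not records:
        return [domain]  # implicit MX: a policy that rejects here drops deliverable mail
    return [host for _, host in sorted(records)]


def attempt_delivery(domain: str, try_host: Callable[[str], str]) -> str:
    """Walk the candidates using the reply-code rules from the post.

    try_host(host) returns the SMTP reply code as a string, e.g. "250", "450", "550".
    2xx -> delivered, 5xx (DSN 5.x.y) -> permanent failure, stop,
    4xx (DSN 4.x.y) -> temporary failure, try the next host; if every host
    tempfails the message is queued for a later retry.
    """
    for host in candidate_hosts(domain):
        code = try_host(host)
        if code.startswith("2"):
            return "delivered:" + host
        if code.startswith("5"):
            return "bounced:" + host  # perm fail: do not try further MXs
        # 4xx: fall through to the next candidate
    return "queued"


if __name__ == "__main__":
    replies = {"mx1.example.com": "450", "mx2.example.com": "250"}
    print(attempt_delivery("example.com", lambda h: replies[h]))      # delivered:mx2.example.com
    print(attempt_delivery("nomx.example.org", lambda h: "250"))     # delivered:nomx.example.org
```

Swapping `mx_lookup` for a real resolver call is the only change needed to run this against live DNS; the reply-code handling stays the same.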



Richard Roy wrote:
> 
> A coworker of mine was debating the point of blocking mail from domains
> where there is not a valid MX record.  His point was that any mail
> client could send mail, in fact he would write one rather quickly in vb
> or something, and that, by default one should not reject connections
> that do not resolve to an MX record.  I said that one should absolutely
> block when the domain does not have a valid MX record because if you are
> not a valid mail server, then why are you sending me mail?  I'll assume
> you are a virus with a mailer engine on someone's pc.  Is that a fair
> assumption or paranoid assumption?
> I told him I'd like him to try it ( I only have one machine allowed
> in/out on port 25 on his network).  I'm curious do most folks drop mail
> where there is no valid MX record?  Anyone have a reference (white paper
> or rfc or something) that would explain why or why/not?
> Sorry if it is OT please respond off list if it is.
> 
> Thanks
> 
> Rich
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> 
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.



