[Dshield] DNS MX record block question

Bob Love bob.lists at raha.com
Sat Sep 6 01:24:55 GMT 2003


> Richard:
>
> In a word... DON'T!!
>
> If you block based on missing MX records, you will lose A LOT of legit
> email. Besides, you would be violating the RFCs (don't remember which one
> off the top of my head) to do so.

Actually yes, Jon is correct.

MX records define where a service will ACCEPT mail, not necessarily where
the mail's coming FROM (many providers use a separate machine for sending
than they do for their receiving side).

Where I was confused, and probably confused you in my reply, was with RDNS
(reverse DNS).

Some mailservers have the option to configure them not to accept mail from
incorrectly assigned rdns entries. In other words, your server gets a mail
from someone at somewhere.com, looks up the IP it's receiving it from, and
discovers that the IP is somehost.somewhereelse.com so it rejects it. This
is a perfectly valid thing to do... since Jon's already mentioned RFCs, I
believe there's also a (widely ignored) RFC which states that a sending
mailserver must have a valid rdns record pointing to the domain it's coming
from.

However, you have a problem. Many providers (especially hosting providers)
will send all their mail from one machine, but "from" a variety of domains.
Chances are, if you look up the rdns of the IP you're getting the mail from,
you'll get told it's from whatever hosting company, NOT necessarily the
domain it's from. This is where you'll get false positives using this
method. Frankly, you'll get a *lot* of false positives using this method,
because rdns is very commonly misconfigured.

Having said all that...

I'd tend to agree with you that it's still reasonably valid, to reject mail
if the sending domain doesn't have an MX record at all. To my mind, if it
doesn't have an MX record the mail's 99.999% likely to be spam, since it's
impossible to "reply" to. There are a few exceptions to this (for example,
the mail's "from" a domain with no MX but the reply-to header is a valid
domain/mailbox) but again, since there are very few valid reasons for
sending mail in this fashion, you're unlikely to block a legitimate mail.

Regards

Bob
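The two checks Bob contrasts above (reject when the sender domain has no MX at all; merely flag, rather than reject, when the connecting IP's reverse DNS does not match the sender domain, because shared hosting outbound hosts make that check noisy) can be written as a small acceptance policy. The code below is an added example, not part of the original thread or any mail server's code. All domain names, IP addresses, MX and PTR records in it are constructed in memory so it runs offline; a real deployment would replace `lookup_mx` and `lookup_ptr` with live resolver calls.

```python
"""Toy inbound-mail policy: MX existence versus reverse-DNS matching.

All DNS data below is constructed for the example; no network lookups.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed MX data. customer-site.org is a hosted domain whose MX lives
# at its provider; spammy-nomx.test deliberately has no MX entry at all.
MX_RECORDS: Dict[str, List[str]] = {
    "somewhere.com": ["mail.somewhere.com"],
    "example-hosting.net": ["mx.example-hosting.net"],
    "customer-site.org": ["mx.example-hosting.net"],
}

# Constructed PTR data keyed by the connecting client IP (TEST-NET-1 range).
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mail.somewhere.com",        # rDNS matches the sender domain
    "192.0.2.20": "out1.example-hosting.net",  # shared outbound host for many domains
    "192.0.2.30": "dyn-30.isp.example",        # generic / misconfigured rDNS
}


def lookup_mx(domain: str) -> List[str]:
    """Return the MX hostnames for a domain (empty list when none exist)."""
    return MX_RECORDS.get(domain.lower(), [])


def lookup_ptr(ip: str) -> Optional[str]:
    """Return the PTR name for an IP, or None when reverse DNS is absent."""
    return PTR_RECORDS.get(ip)


def rdns_matches_domain(ip: str, domain: str) -> bool:
    """True when the PTR name is the sender domain or a host inside it."""
    name = lookup_ptr(ip)
    if name is None:
        return False
    name, domain = name.lower(), domain.lower()
    return name == domain or name.endswith("." + domain)


@dataclass
class Verdict:
    action: str   # "accept", "flag" or "reject"
    reason: str


def evaluate(sender_domain: str, client_ip: str) -> Verdict:
    """Apply the policy from the thread.

    No MX for the sender domain  -> reject (nothing could reply to it anyway)
    rDNS does not match domain   -> flag only, since shared outbound hosts
                                    and broken rDNS make this a false-positive
                                    generator rather than a reject criterion
    """
    if not lookup_mx(sender_domain):
        return Verdict("reject", f"{sender_domain} has no MX record")
    if not rdns_matches_domain(client_ip, sender_domain):
        ptr = lookup_ptr(client_ip) or "<no PTR>"
        return Verdict("flag", f"rDNS of {client_ip} is {ptr}, not under {sender_domain}")
    return Verdict("accept", "MX present and rDNS matches sender domain")


if __name__ == "__main__":
    for domain, ip in [
        ("somewhere.com", "192.0.2.10"),      # clean case
        ("customer-site.org", "192.0.2.20"),  # hosted domain, provider's outbound host
        ("somewhere.com", "192.0.2.30"),      # misconfigured rDNS
        ("spammy-nomx.test", "192.0.2.10"),   # domain with no MX at all
    ]:
        v = evaluate(domain, ip)
        print(f"{domain:20} {ip:12} -> {v.action:7} ({v.reason})")
```

The `customer-site.org` case is the hosting-provider situation described in the post: the MX check passes, the rDNS check fails, and the policy only flags the message instead of dropping it. Note that RFC 5321 section 5.1 lets a sender with no MX record fall back to an A record, so a production version of the reject branch might also consult the A record before refusing delivery.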
