[Dshield] DNS MX record block question

Jon R. Kibler Jon.Kibler at aset.com
Sat Sep 6 17:30:26 GMT 2003


I am combining replies to several of the posts on this topic. Please see comments inserted below.

Brian Dessent wrote:
> I think everyone is misunderstanding.  No one is talking about checking
> to see if the sending machine is a MX.  We're talking about checking the
> envelope-from address to ensure that the listed domain has an MX record,
> i.e. don't receive mail from 'foo@fsldkfgjsdjh.com' or any other
> nonsense domain.  (This of course just motivates spammers to joe job
> more often, but such is the modern internet.)

Most mail servers will reject mail from envelope-sender domains that do not exist. For example, this is the default configuration for sendmail (at least 8.11.x and above). If this is not turned on by default, the mail admin should turn it on.

That said, you have to keep in mind that relatively few envelope-sender addresses have invalid domains compared to the number of invalid domains in headers (From:, Reply-To:, Return-Path:, ad nauseam).

If you want to check to see if a domain is legit, simply do a forward lookup of the domain name; that will tell you whether the domain exists -- and it can still send and receive email WITHOUT having an MX record.


Lauro, John wrote:
> Lots of places don't have MX records.  You only need an MX record if
> the mail host is different than the A record, or if you want to
> specify secondary hosts if your primary is down.

I agree 100%.  From our experience, probably about 1/5th of all legitimate domains running legitimate mail servers do NOT have MX records defined.


Doug White wrote:
> look at www.rfcignorant.org

RFCignorant.org is a great site, but IMHO, only their DSN (Delivery Status Notice) list is practical for use as a DNSBL.

Why? You would be amazed at the number of BIG organizations that do not have workable 'postmaster' and 'abuse' email addresses, or have out of date Domain or IP WhoIs data. If you use those lists, you will block a HUGE amount of legit email.

That said, the DSN list is really great. We get a couple of hits a day that block mail from sources that do not have working (read... 'compliant') mail servers, but are not blocked by our other checks.


David Hart wrote:
> Jim discussed the various forms of EHLO recognition.

You have to be VERY careful if you want to do HELO or EHLO checks. For example, sendmail has the PICKY_HELO_CHECK option. I made the 'mistake' of turning it on one time. About 90% of all SMTP/ESMTP connections resulted in 'Host [real name] claimed to be [HELO/EHLO name]' exceptions (that is, the two names were not in agreement). Somewhere around two-thirds of all connections from legit sources even had this problem. Needless to say, I didn't use that option for very long!


Tom Laermans wrote:
> Why exactly would you be violating any rfc? It's your mailserver, you 
> decide what you accept and what you don't (excepting mail to postmaster@ 
> and info@).

There are somewhere between two and three dozen RFCs that specify how 'compliant' mail systems should work. These RFCs exist to ensure that legitimate mail servers can deliver mail between otherwise incompatible systems. If you violate the RFCs, then you probably will lose a lot of legit email.

Yes, you are perfectly free to say from whom you do or do not wish to receive email, but you should do so within the bounds set by the RFCs if you expect a reasonable chance of receiving mail that you really want/need.

Finally, the 'REQUIRED' email addresses for ALL DOMAINS are 'postmaster' and 'abuse' -- 'info' is not required. See RFC 2142. (Again, you would be amazed how many MAJOR domains are in violation of RFC 2142!)



Well, that's my $0.035 worth! Hope it helps.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA
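The check the thread keeps circling back to (does the envelope-sender domain exist, and can it receive mail even without an MX record) is easy to get wrong in a filter. Below is an added example, not code from the original post or from sendmail: it pulls the domain out of a MAIL FROM command and applies the rule from RFC 2821 section 5, namely use the MX records if there are any, otherwise treat the domain's own address record as an implicit MX. It goes slightly beyond the 2003 discussion by also accepting an AAAA record as the fallback and by treating a null MX ("0 .", RFC 7505) as an explicit "this domain never sends or receives mail". The ZONE table, the domain names in it and the `lookup()` helper are constructed for illustration so the script runs offline; replace `lookup()` with a real resolver to use it against live DNS.

```python
"""Envelope-sender domain check with the MX-then-A fallback.

Added example (not from the original post or from any mail server).
The ZONE table and the domains in it are constructed for illustration;
swap lookup() for a real DNS resolver to use this against live DNS.
"""
import re
from typing import Dict, List, Tuple

# Constructed records: owner name -> {rrtype: [rdata, ...]}
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com.":        {"MX": ["10 mail.example.com."], "A": ["192.0.2.10"]},
    "mail.example.com.":   {"A": ["192.0.2.25"]},
    "nomx.example.net.":   {"A": ["198.51.100.7"]},          # mail on the A host, no MX
    "v6only.example.org.": {"AAAA": ["2001:db8::25"]},       # IPv6-only host, no MX
    "nullmx.example.org.": {"MX": ["0 ."]},                  # RFC 7505 null MX
    "deadmx.example.org.": {"MX": ["10 gone.example.org."]}, # MX target does not resolve
}


def lookup(name: str, rrtype: str) -> List[str]:
    """Return rdata strings for name/rrtype from the constructed zone.

    An empty list stands for NXDOMAIN or NODATA; a real resolver would
    distinguish those from a timeout, which should be a tempfail, not a reject.
    """
    return ZONE.get(name.lower().rstrip(".") + ".", {}).get(rrtype, [])


MAIL_FROM = re.compile(r"^\s*MAIL\s+FROM:\s*<([^<>]*)>", re.IGNORECASE)


def envelope_domain(cmd: str) -> str:
    """Extract the domain from an SMTP MAIL FROM command.

    The empty reverse-path <> is a bounce and has no domain; return ''.
    """
    m = MAIL_FROM.match(cmd)
    if not m:
        raise ValueError("not a MAIL FROM command")
    path = m.group(1)
    if path == "":
        return ""
    _local, sep, domain = path.rpartition("@")
    if not sep or not domain:
        raise ValueError("no domain in reverse-path")
    return domain.lower()


def mail_hosts(domain: str) -> Tuple[str, List[str]]:
    """Hosts that would receive mail for domain, plus which rule chose them.

    RFC 2821 s5: use the MX records if any exist, ordered by preference;
    if there are none, the domain itself is an implicit MX (the A-record
    fallback the thread describes). A single MX of "0 ." is a null MX and
    means the domain never accepts mail.
    """
    mx = lookup(domain, "MX")
    if mx:
        if len(mx) == 1 and mx[0].split()[1] == ".":
            return ("null-mx", [])
        hosts = [rd.split()[1] for rd in sorted(mx, key=lambda r: int(r.split()[0]))]
        return ("mx", hosts)
    return ("implicit-a", [domain])


def sender_domain_check(cmd: str) -> Tuple[bool, str]:
    """Accept or reject MAIL FROM based only on whether the sender domain can receive mail."""
    domain = envelope_domain(cmd)
    if domain == "":
        return (True, "null reverse-path (bounce) is always accepted")
    rule, hosts = mail_hosts(domain)
    if rule == "null-mx":
        return (False, f"{domain} publishes a null MX")
    for h in hosts:
        if lookup(h, "A") or lookup(h, "AAAA"):
            return (True, f"{domain}: {rule} -> {h} resolves")
    if rule == "mx":
        return (False, f"{domain}: no MX target resolves")
    return (False, f"{domain}: no MX and no A/AAAA record")


if __name__ == "__main__":
    for cmd in ("MAIL FROM:<alice@example.com>",
                "MAIL FROM:<bob@nomx.example.net>",
                "MAIL FROM:<carol@v6only.example.org>",
                "MAIL FROM:<dave@nullmx.example.org>",
                "MAIL FROM:<erin@deadmx.example.org>",
                "MAIL FROM:<foo@fsldkfgjsdjh.com>",
                "MAIL FROM:<>"):
        ok, why = sender_domain_check(cmd)
        print("ACCEPT" if ok else "REJECT", cmd, "--", why)
```

The point the script makes concrete is the one John Lauro and Jon make in the thread: `nomx.example.net` has no MX record and is still a perfectly valid sender domain, so a filter that rejects on "no MX" alone would throw away its mail, while `fsldkfgjsdjh.com` is rejected because it has no records of any kind. The "gone" MX target case is also worth noting: a domain can exist and have an MX record and still be undeliverable, which is closer to what the RFCignorant DSN list is catching.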


> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.