[Dshield] DNS MX record block question

Kenneth Porter shiva at sewingwitch.com
Tue Sep 9 18:22:30 GMT 2003


--On Tuesday, September 09, 2003 3:37 PM +0200 security at admin.fulgan.com 
wrote:

>> You want to use the domain specified in the envelope, part of the
>> SMTP transaction but not a property of the initiating MTA nor
>> necessarily in any header. An MTA forwarding a message is obligated to
>> preserve the envelope sender provided by the MTA that gave it the
>> message.
>
> True, but it's also easy to forge that chain by adding false "Received
> from:" lines.

Hmm, I thought the envelope sender was propagated with each MTA in the SMTP 
transaction, so one doesn't have to look at the Received headers. But as 
you say, it's still commonly forged.

> Let me just illustrate this: I'm part of the development team of an OSS
> library of internet components for the Delphi, Kylix and CBuilder
> environments.

Nevrona Indy?

> Now, since some spammer got their hands on our library and
> used it, Spamassassin started to filter out all mail that contained our
> "Library:" header. So, we removed that header (not that it was of any
> use, anyway).

I'm assuming you posted the problem to the SA list? What did the devs there 
have to say about this? They don't seem like the kind of people who would 
try to cause collateral damage like that. Surely the same effect would 
happen to Perl and PHP mail frameworks?

> Why would you want to do that? First, the destination server might not
> be available at the time of mail transfer (ETRN queues and secondary
> MXs).

Hence, tempfail, not permanent fail. But point taken.

> Second, it might be undesirable to have a valid reply address
> (one-way traffic). Third, the reply-to and from used by spammers are,
> most of the time, forged to be from a major EMail or network provider
> (yahoo, MSN, hotmail, aol, etc.) so you'll filter very little spam for
> all the additional work you'll be doing.

As an SA user and admin, I'd not consider this an all-or-nothing indicator, 
just another factor in the total score, like DNSBLs. No single factor will 
push a message into the spam category. And businesses can set the threshold 
high and whitelist the most egregious of their business partners, or move 
the ugly stuff to an alternate folder for some drudge to manually inspect.
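The check the thread is arguing about, written out as an added illustration (this is not code from the original post or from any library mentioned in it): the sender domain is taken from the SMTP envelope (the MAIL FROM reverse-path), not from any header, a DNS timeout or SERVFAIL produces a tempfail so a legitimate sender retries, and a missing MX only contributes a score rather than rejecting outright. The DNS lookup is injected as a function so the example runs offline; the MX table, the `NO_MX_SCORE` weight and the 5.0 threshold are constructed assumptions, not values from the thread.

```python
"""Envelope-sender MX check as one scoring factor, not a hard reject.

Added illustration, not code from the original thread. The DNS lookup is
injected so the example runs offline; SAMPLE_MX is constructed sample data.
"""
import re
from dataclasses import dataclass


class DnsTempFail(Exception):
    """Transient resolver problem (timeout, SERVFAIL): the answer is unknown."""


class DnsNxDomain(Exception):
    """Authoritative negative answer: the domain does not exist."""


# Constructed sample zone data: domain -> list of MX hosts.  The "TEMPFAIL"
# entry stands in for a resolver that could not answer right now.
SAMPLE_MX = {
    "example.com": ["mx1.example.com", "mx2.example.com"],
    "no-mail.example.org": [],         # domain exists but publishes no MX
    "flaky.example.net": "TEMPFAIL",   # resolver timed out / SERVFAIL
}


def sample_lookup_mx(domain: str) -> list:
    """Stand-in for a real MX query (assumption: mimics resolver outcomes)."""
    try:
        answer = SAMPLE_MX[domain]
    except KeyError:
        raise DnsNxDomain(domain) from None
    if answer == "TEMPFAIL":
        raise DnsTempFail(domain)
    return answer


_MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def envelope_sender(mail_from_line: str) -> str:
    """Return the reverse-path from the SMTP MAIL FROM command.

    This is the envelope sender: it travels with the SMTP transaction and is
    independent of From:, Reply-To: or any Received: line the sender wrote.
    """
    m = _MAIL_FROM.match(mail_from_line)
    if not m:
        raise ValueError("not a MAIL FROM command: %r" % mail_from_line)
    return m.group(1)


@dataclass
class Verdict:
    action: str    # "continue" (keep scoring) or "defer" (4xx tempfail)
    score: float   # contribution to a SpamAssassin-style total; 0.0 if none
    reason: str


NO_MX_SCORE = 2.0       # assumption: one factor among many, below the threshold
SPAM_THRESHOLD = 5.0    # assumption: typical all-factors-combined cutoff


def check_sender_domain(mail_from_line: str, lookup_mx=sample_lookup_mx) -> Verdict:
    """Score the envelope sender's domain by whether it can receive mail."""
    sender = envelope_sender(mail_from_line)
    if sender == "":
        # Null reverse-path (bounces, DSNs): nothing to look up.
        return Verdict("continue", 0.0, "null sender")
    domain = sender.rpartition("@")[2].lower()
    try:
        mx_hosts = lookup_mx(domain)
    except DnsTempFail:
        # The sender's DNS or mail host may just be unreachable right now
        # (ETRN queues, secondary MXs): tempfail, never permanent fail.
        return Verdict("defer", 0.0, "DNS temporary failure for " + domain)
    except DnsNxDomain:
        return Verdict("continue", NO_MX_SCORE, "sender domain does not exist")
    if not mx_hosts:
        # A real MTA would also try the implicit-MX (A/AAAA) fallback here;
        # this example simply treats "no MX" as one more negative factor.
        return Verdict("continue", NO_MX_SCORE, "sender domain publishes no MX")
    return Verdict("continue", 0.0, "MX found for " + domain)


def is_spam(factor_scores: list, threshold: float = SPAM_THRESHOLD) -> bool:
    """Combine independent factors; no single one decides the outcome."""
    return sum(factor_scores) >= threshold


if __name__ == "__main__":
    for line in ("MAIL FROM:<bob@example.com>", "MAIL FROM:<x@flaky.example.net>",
                 "MAIL FROM:<x@nowhere.example>", "MAIL FROM:<>"):
        v = check_sender_domain(line)
        print(line, "->", v.action, v.score, v.reason)
```

Note that `check_sender_domain` on its own never returns a spam decision: the missing-MX case yields 2.0, and only `is_spam` over the full list of factors (DNSBL hits, content rules and so on) crosses the threshold, which is the "just another factor in the total score" behaviour the reply describes.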
