[Mimedefang] Soliciting opinions on filtering based on bad MX records
Michael Sims
michaels at crye-leike.com
Thu Sep 11 17:30:01 EDT 2003
mimedefang-admin at lists.roaringpenguin.com wrote:
> On Thu, 11 Sep 2003, Michael Sims wrote:
>> I define a bogus MX record as one
>> that points to a non-routable address, whether this is 0.0.0.0, or a
>> loopback address, or a reserved IP address.
>
> You should also check for multicast addresses (224.x.x.x, and up, I
> believe).
Ah, thanks. I'll see if I can track down a definite range and update my
bogus list...
>> (1) Retrieve the MX record for the sender domain. If it doesn't
>> exist, I retrieve all A records for the sender domain. If they
>> don't exist, I return false.
>
> Sendmail should have rejected it at that point, unless you have
> accept_unresolvable_domains on.
True, this is a "should never happen", but I always test for those anyway,
because with my luck it will eventually occur. :)
>> (2) If the MX record exists, I test it to see if it's in the format
>> of an IP address.
>
> It shouldn't be; according to the RFC's, an MX record must be a host
> name, not an IP address.
So, I could reject just on the basis that the MX points to an IP, without
bothering to check what it is.
BTW, here's an example of a real host with this type of configuration:
$ dig fairmail.com mx
...
;; QUESTION SECTION:
;fairmail.com. IN MX
;; ANSWER SECTION:
fairmail.com. 69275 IN MX 0 127.0.1.50.
>> (3) If the MX record is a hostname, I retrieve the A records for it.
>
> One wrinkle: The MX record could point to a CNAME. That's considered
> rude, but it does happen. Furthermore, a malicious spammer could make
> a CNAME loop, which would make a naive testing routine fail badly.
Thanks again. Turns out Net::DNS dumps a huge warning message to stderr
when you try to call the "address" method on a CNAME RR object. I updated
my call to address to this:
$dnsIsBorked = 1 if ($rr->type eq 'A' && addrInSubnetHash($rr->address,
\%bogusMXs));
I'm just going to ignore CNAMEs for now. Dealing with that possibility
brings more complexity than I want to deal with at this point...
> I'd be interested to know how much mail this test would stop. My gut
> feeling is not much.
No, I don't imagine it will stop very much at all. I'm guessing that at my
site it may block 10-20 messages a day on average. The main reason I really
hate this type of spam is that sendmail tries to deliver bounces to whatever
the MX eventually points to, and if it's 127.0.0.1 you get a nice "Mail
loops back to me (MX problem?)" DSN to postmaster. That's what really
bothers me, which is why I went to all of this trouble in the first place.
:)
Thanks for the feedback...
___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648 Pager: (901)769-3722
___________________________________________
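The three-step check described in the message above (MX lookup with A-record fallback, reject MX targets that are IP literals, resolve the MX host and test its addresses against a bogus-network list), as an added example that is not code from the original post or from MIMEDefang. It is written in Python rather than the poster's Perl/Net::DNS, works offline against a small constructed zone table instead of a live resolver, and goes one step beyond the post by following CNAME chains with loop detection (the wrinkle the reply raised and the poster chose to skip). The bogus-network list, the zone data and the host names are assumptions made for illustration; the fairmail.com entry mirrors the dig output quoted in the message.

```python
import ipaddress

# Constructed zone data standing in for live DNS (assumption, offline demo only).
# Values are RR type -> records; MX records are (preference, target) pairs.
ZONE = {
    "example.com.":       {"MX": [(10, "mail.example.com.")]},
    "mail.example.com.":  {"A": ["203.0.113.25"]},
    "fairmail.com.":      {"MX": [(0, "127.0.1.50.")]},   # MX target is an IP literal (as quoted above)
    "nomx.test.":         {"A": ["198.51.100.7"]},        # no MX at all: fall back to A records
    "spammer.test.":      {"MX": [(10, "mx.spammer.test.")]},
    "mx.spammer.test.":   {"CNAME": "real.spammer.test."},  # MX -> CNAME -> A (rude, but happens)
    "real.spammer.test.": {"A": ["10.1.2.3"]},
    "loopy.test.":        {"MX": [(10, "mx.loopy.test.")]},
    "mx.loopy.test.":     {"CNAME": "alias.loopy.test."},   # CNAME loop set up to trip a naive resolver
    "alias.loopy.test.":  {"CNAME": "mx.loopy.test."},
    "multi.test.":        {"MX": [(10, "a.multi.test."), (20, "b.multi.test.")]},
    "a.multi.test.":      {"A": ["0.0.0.0"]},
    "b.multi.test.":      {"A": ["192.0.2.1"]},
}

# Assumed "bogus MX" address space: unspecified, loopback, link-local, RFC 1918,
# multicast (224.0.0.0/4) and the reserved 240.0.0.0/4 block.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_ip_literal(name):
    """True if an MX target is an address rather than a host name (e.g. '127.0.1.50.')."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False


def resolve_addresses(name, zone, max_hops=8):
    """Return the A records for name, following CNAMEs; raise on a CNAME loop or chain that is too long."""
    seen = []
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long at %s" % name)
        seen.append(name)
        rrs = zone.get(name, {})
        if "A" in rrs:
            return list(rrs["A"])
        if "CNAME" in rrs:
            name = rrs["CNAME"]
            continue
        return []  # dangling name: nothing to test


def in_bogus_nets(addr):
    """Return the bogus network an address falls in, or None."""
    ip = ipaddress.ip_address(addr)
    for net in BOGUS_NETS:
        if ip in net:
            return net
    return None


def sender_domain_check(domain, zone):
    """Classify a sender domain as 'ok', 'bogus' or 'unresolvable', with a reason string.

    Step 1: no MX -> use the domain's A records; none at all -> unresolvable.
    Step 2: an MX whose target is an IP literal is rejected outright.
    Step 3: resolve each MX host (through CNAMEs) and flag any address in BOGUS_NETS.
    Any single bogus address marks the domain bogus, matching the post's $dnsIsBorked logic.
    """
    rrs = zone.get(domain, {})
    mxs = rrs.get("MX")
    if not mxs:
        addrs = rrs.get("A", [])
        if not addrs:
            return ("unresolvable", "no MX or A records for %s" % domain)
        targets = [(domain, addrs)]
    else:
        targets = []
        for _pref, target in sorted(mxs):
            if is_ip_literal(target):
                return ("bogus", "MX target %s is an IP literal, not a host name" % target)
            try:
                targets.append((target, resolve_addresses(target, zone)))
            except ValueError as err:
                return ("bogus", str(err))
    for host, addrs in targets:
        for addr in addrs:
            net = in_bogus_nets(addr)
            if net is not None:
                return ("bogus", "%s -> %s lies in %s" % (host, addr, net))
    return ("ok", "")


if __name__ == "__main__":
    for dom in ("example.com.", "fairmail.com.", "nomx.test.", "spammer.test.",
                "loopy.test.", "multi.test.", "nothing.test."):
        print(dom, *sender_domain_check(dom, ZONE))
```

In a real filter the zone table would be replaced by live lookups, and the "unresolvable" verdict is the case sendmail normally rejects first unless accept_unresolvable_domains is set; it is kept here because the check is cheap and the lookup can still fail at filter time.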