[Mimedefang] Soliciting opinions on filtering based on bad MX records

Michael Sims michaels at crye-leike.com
Thu Sep 11 17:30:01 EDT 2003


mimedefang-admin at lists.roaringpenguin.com wrote:
> On Thu, 11 Sep 2003, Michael Sims wrote:
>> I define a bogus MX record as one
>> that points to a non-routable address, whether this is 0.0.0.0, or a
>> loopback address, or a reserved IP address.
>
> You should also check for multicast addresses (224.x.x.x, and up, I
> believe).

Ah, thanks.  I'll see if I can track down a definite range and update my
bogus list...

>> (1) Retrieve the MX record for the sender domain.  If it doesn't
>> exist, I retrieve all A records for the sender domain.  If they
>> don't exist, I return false.
>
> Sendmail should have rejected it at that point, unless you have
> accept_unresolvable_domains on.

True, this is a "should never happen", but I always test for those anyway,
because with my luck it will eventually occur. :)

>> (2) If the MX record exists, I test it to see if it's in the format
>> of an IP address.
>
> It shouldn't be; according to the RFCs, an MX record must be a host
> name, not an IP address.

So, I could reject just on the basis that the MX points to an IP, without
bothering to check what it is.

BTW, here's an example of a real host with this type of configuration:

$ dig fairmail.com mx
...
;; QUESTION SECTION:
;fairmail.com.                  IN      MX

;; ANSWER SECTION:
fairmail.com.           69275   IN      MX      0 127.0.1.50.

>> (3) If the MX record is a hostname, I retrieve the A records for it.
>
> One wrinkle:  The MX record could point to a CNAME.  That's considered
> rude, but it does happen.  Furthermore, a malicious spammer could make
> a CNAME loop, which would make a naive testing routine fail badly.

Thanks again.  Turns out Net::DNS dumps a huge warning message to stderr
when you try to call the "address" method on a CNAME RR object.  I updated
my call to address to this:

# Only A RRs carry an address; calling ->address on a CNAME RR makes Net::DNS warn.
$dnsIsBorked = 1
    if ($rr->type eq 'A' && addrInSubnetHash($rr->address, \%bogusMXs));

I'm just going to ignore CNAMEs for now.  Dealing with that possibility
brings more complexity than I want to deal with at this point...

> I'd be interested to know how much mail this test would stop.  My gut
> feeling is not much.

No, I don't imagine it will stop very much at all.  I'm guessing that at my
site it may block 10-20 messages a day on average.  The main reason I really
hate this type of spam is that sendmail tries to deliver bounces to whatever
the MX eventually points to, and if it's 127.0.0.1 you get a nice "Mail
loops back to me (MX problem?)" DSN to postmaster.  That's what really
bothers me, which is why I went to all of this trouble in the first place.
:)

Thanks for the feedback...

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________
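The check discussed in this message, written out as an added example; it is not the poster's filter and not code from MIMEDefang or Net::DNS. It is in Python rather than Perl so the pieces can be exercised offline against a small constructed zone table that stands in for DNS answers: the fairmail.com entry copies the dig output quoted above, and every other name in the table, as well as the function names, is made up here. It follows steps (1) to (3) of the message and goes one step further by following CNAME chains with loop detection, the wrinkle the poster chose to ignore, and it pins the multicast range the reply was unsure about to 224.0.0.0/4 (224.0.0.0 through 239.255.255.255; 240.0.0.0/4 is the reserved block above it).

```python
import ipaddress
import re

# Constructed zone data standing in for Net::DNS answers; not real DNS.
# name -> list of (rrtype, rdata); MX rdata is (preference, exchange).
ZONE = {
    "fairmail.com.":      [("MX", (0, "127.0.1.50."))],   # the dig answer quoted in the thread
    "good.example.":      [("MX", (10, "mail.good.example."))],
    "mail.good.example.": [("A", "192.0.2.25")],          # RFC 5737 address playing a routable host
    "alias.example.":     [("MX", (10, "mx.alias.example."))],
    "mx.alias.example.":  [("CNAME", "mail.good.example.")],  # MX -> CNAME -> A, "rude" but legal
    "loop.example.":      [("MX", (10, "a.loop.example."))],
    "a.loop.example.":    [("CNAME", "b.loop.example.")],
    "b.loop.example.":    [("CNAME", "a.loop.example.")],     # CNAME loop
    "mcast.example.":     [("MX", (10, "mx.mcast.example."))],
    "mx.mcast.example.":  [("A", "224.0.0.1")],           # multicast
    "nomx.example.":      [("A", "10.0.0.5")],            # no MX: fall back to A as in step (1)
}

# Non-routable destinations: the categories named in the thread (0.0.0.0,
# loopback, RFC 1918, link-local) plus multicast 224.0.0.0/4 and reserved 240.0.0.0/4.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\.?$")
MAX_CNAME_HOPS = 8


def lookup(name, rrtype):
    """Return the rdata of all records of rrtype at name (trailing dot optional)."""
    name = name.lower().rstrip(".") + "."
    return [rdata for t, rdata in ZONE.get(name, []) if t == rrtype]


def addr_in_bogus_nets(addr):
    """True if the address falls in any non-routable block (the %bogusMXs idea)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGUS_NETS)


def resolve_a(name):
    """Follow CNAMEs to A records; raise instead of chasing a loop forever."""
    seen = set()
    while name not in seen and len(seen) < MAX_CNAME_HOPS:
        seen.add(name)
        addrs = lookup(name, "A")
        if addrs:
            return addrs
        cnames = lookup(name, "CNAME")
        if not cnames:
            return []          # neither A nor CNAME: simply unresolvable
        name = cnames[0]
    raise ValueError("CNAME loop or chain too long at %s" % name)


def check_sender_domain(domain):
    """Return (is_bogus, reason) for a sender domain's mail destination."""
    mxs = lookup(domain, "MX")
    if not mxs:
        # Step (1): no MX, so the domain's own A records are the mail host.
        if not lookup(domain, "A"):
            return (False, "unresolvable; sendmail normally rejects this earlier")
        targets = [domain]
    else:
        targets = [exchange for _pref, exchange in mxs]
    for host in targets:
        # Step (2): an MX exchange must be a host name, so an IP literal is bogus on its own.
        if DOTTED_QUAD.match(host):
            return (True, "MX exchange %s is an IP literal" % host)
        # Step (3): resolve the exchange, tolerating CNAMEs but not loops.
        try:
            addrs = resolve_a(host)
        except ValueError as e:
            return (True, str(e))
        for a in addrs:
            if addr_in_bogus_nets(a):
                return (True, "MX host %s resolves to non-routable %s" % (host, a))
    return (False, None)


if __name__ == "__main__":
    for d in ("fairmail.com", "good.example", "alias.example",
              "loop.example", "mcast.example", "nomx.example", "nothing.example"):
        print(d, check_sender_domain(d))
```

In a real filter the `lookup` table would be replaced by Net::DNS (or dnspython) queries, and the loop guard in `resolve_a` is the part worth keeping: a malicious zone can make the CNAME chain arbitrarily long as well as circular, so both the visited set and the hop cap are needed.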
