[Mimedefang] Only MX record is fake
kd6lvw at yahoo.com
kd6lvw at yahoo.com
Thu Nov 17 22:18:30 EST 2011
--- On Thu, 11/17/11, Mike Grau <m.grau at kcc.state.ks.us> wrote:
> Those people checking for valid MX records for a sender's
> domain from within MIMEdefang ... is anybody checking if a
> sender's one and only MX record is a fake MX tempfailing
> service? Has anyone ever seen this type of setup for
> legitimate e-mail?
> For example:
> # nslookup -type=MX babe.org
> Server: 127.0.0.1
> Address: 127.0.0.1#53
> Non-authoritative answer:
> babe.org mail exchanger = 0 mx.fakemx.net.
I do use MD's function md_get_bogus_mx_hosts() on the sender's domain and check for SPF in filter_sender(), but I do not check for the rejecting-SMTP services at this time. [I ignore the SPF result if the mail is delivered via SMTP AUTH as I consider that connection as from a trusted forwarder.]
I would be against any approach which actually contacts the server to test it (i.e. a callout or callback), but not against an approach which maintains a list of known dummy services. As such, I know of two:
As the concept was published as part of SpamAssassin's web site (http://wiki.apache.org/spamassassin/OtherTricks), maybe a list of such fake SMTP services should be listed there. "Tarbaby" is already mentioned. "Fakemx" isn't but its concept is.
One thing that I have done is to donate a hostname in my domain that is meant to be harvested by malicious webbots as the domain-part of bogus mailbox addresses. It has address records in the RFC "example" ranges and only bogus MX's. I list it with 5 mail exchangers (not in order):
_anything_.invalid. (replace _anything_ with some valid host name), and
"@" (itself - to use the bogus "example" address records)
Any spammer stupid enough to try to send his spew forging this host name as the sender address will also face an SPF-RR "v=spf1 -all" (while those idiots still resolving ONLY TXT-RRs for SPF will get "v=spf1 +all").
For the webbots, I generate a mailto URL with a local-part which is a unix-time integer, so I know when it was harvested. I added custom rulesets to my sendmail configuration to detect an all-numeric local-part and rewrite it to my spamtrap mailbox mailing list, which includes <spam at uce.gov> among others.
I note that md_get_bogus_mx_hosts() does NOT cover the following ranges which generally should not appear on the live Internet (RFC 5735):
0.0.0.0/8 other than 0.0.0.0/32 (autoconfiguration/bootstrapping)
184.108.40.206/24 (6to4 gateways will never source or sink mail)
248.0.0.0/5 other than 255.255.255.255/32.
IPv6 addresses such as 2001:DB8::/32 (from RFC 3849).
The block 192.0.0.0/24, although mentioned in RFC 5735, is available for assignment to live hosts. It is merely reserved to the IETF itself.
More information about the MIMEDefang