[Mimedefang] Only MX record is fake

kd6lvw at yahoo.com
Thu Nov 17 22:18:30 EST 2011

--- On Thu, 11/17/11, Mike Grau <m.grau at kcc.state.ks.us> wrote:
> Those people checking for valid MX records for a sender's
> domain from within MIMEdefang ... is anybody checking if a
> sender's one and only MX record is a fake MX tempfailing
> service? Has anyone ever seen this type of setup for
> legitimate e-mail?
> For example:
> # nslookup -type=MX babe.org
> Server:
> Address:
> Non-authoritative answer:
> babe.org        mail exchanger = 0  mx.fakemx.net.

I do use MD's function md_get_bogus_mx_hosts() on the sender's domain and check for SPF in filter_sender(), but I do not check for the rejecting-SMTP services at this time.  [I ignore the SPF result if the mail is delivered via SMTP AUTH as I consider that connection as from a trusted forwarder.]

I would be against any approach which actually contacts the server to test it (i.e. a callout or callback), but not against an approach which maintains a list of known dummy services.  As such, I know of two:


As the concept was published as part of SpamAssassin's web site (http://wiki.apache.org/spamassassin/OtherTricks), maybe a list of such fake SMTP services should be listed there.  "Tarbaby" is already mentioned.  "Fakemx" isn't but its concept is.

One thing that I have done is to donate a hostname in my domain that is meant to be harvested by malicious webbots as the domain-part of bogus mailbox addresses.  It has address records in the RFC "example" ranges and only bogus MX's.  I list it with 5 mail exchangers (not in order):

  _anything_.invalid.  (replace _anything_ with some valid host name), and
  "@" (itself - to use the bogus "example" address records)

Any spammer stupid enough to try to send his spew forging this host name as the sender address will also face an SPF-RR "v=spf1 -all" (while those idiots still resolving ONLY TXT-RRs for SPF will get "v=spf1 +all").

For the webbots, I generate a mailto URL with a local-part which is a unix-time integer, so I know when it was harvested.  I added custom rulesets to my sendmail configuration to detect an all-numeric local-part and rewrite it to my spamtrap mailbox mailing list, which includes <spam at uce.gov> among others.

I note that md_get_bogus_mx_hosts() does NOT cover the following ranges which generally should not appear on the live Internet (RFC 5735): other than (autoconfiguration/bootstrapping)    (tests/examples/RFCs)  (6to4 gateways will never source or sink mail)   (benchmarks) (tests/examples/RFCs)  (tests/examples/RFCs) other than
  IPv6 addresses such as 2001:DB8::/32 (from RFC 3849).

The block, although mentioned in RFC 5735, is available for assignment to live hosts.  It is merely reserved to the IETF itself.
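The post's two checks, matching the sender's MX hosts against a maintained list of known fake-MX tempfail services (without any callout to them) and flagging MX hosts whose addresses all fall in the RFC 5735 special-use space, can be combined in one local lookup. The following is an added example and is not code from the post or from MIMEdefang; it does not reproduce md_get_bogus_mx_hosts(). The address list is the RFC 5735 table plus the RFC 3849 IPv6 documentation prefix; the fake-MX suffix list contains only fakemx.net, the service named in the quoted nslookup output, and the sample records and their addresses are constructed for the example.

```python
import ipaddress

# RFC 5735 special-use IPv4 blocks plus the RFC 3849 IPv6 documentation
# prefix. None of these should appear as the address of a live mail exchanger.
RESERVED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8",           # "this" network
        "10.0.0.0/8",          # private
        "127.0.0.0/8",         # loopback
        "169.254.0.0/16",      # link-local / autoconfiguration
        "172.16.0.0/12",       # private
        "192.0.0.0/24",        # IETF protocol assignments
        "192.0.2.0/24",        # TEST-NET-1 (tests/examples/RFCs)
        "192.88.99.0/24",      # 6to4 relay anycast
        "192.168.0.0/16",      # private
        "198.18.0.0/15",       # benchmarking
        "198.51.100.0/24",     # TEST-NET-2
        "203.0.113.0/24",      # TEST-NET-3
        "224.0.0.0/4",         # multicast
        "240.0.0.0/4",         # reserved for future use
        "255.255.255.255/32",  # limited broadcast
        "2001:db8::/32",       # IPv6 documentation (RFC 3849)
    )
]

# Hostname suffixes of known fake-MX tempfail services. Only fakemx.net is
# named in the post; anything else added here is a local, assumed entry.
FAKE_MX_SUFFIXES = ("fakemx.net",)


def is_reserved_address(addr):
    """True if addr (IPv4 or IPv6 text) lies in a reserved block above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RESERVED_NETWORKS)


def mx_reasons(host, addresses):
    """Return the reasons one MX host looks bogus; an empty list means usable.

    host is the exchanger name as returned by DNS (trailing dot allowed);
    addresses are the A/AAAA records already resolved for it.
    """
    reasons = []
    h = host.rstrip(".").lower()
    if h == "" or h.endswith(".invalid"):
        reasons.append("host in reserved TLD or null MX")
    if any(h == s or h.endswith("." + s) for s in FAKE_MX_SUFFIXES):
        reasons.append("known fake-MX service")
    if addresses and all(is_reserved_address(a) for a in addresses):
        reasons.append("all addresses in RFC 5735/3849 reserved space")
    return reasons


def has_usable_mx(mx_records):
    """mx_records: list of (preference, host, [addresses]) for one domain.

    True if at least one exchanger carries no bogus indicator. A domain whose
    only MX is a fake tempfail service therefore comes back False.
    """
    return any(not mx_reasons(host, addrs) for _, host, addrs in mx_records)


# Constructed sample records. The babe.org line mirrors the MX quoted in the
# post; every address below is made up for the example.
SAMPLE = {
    "babe.org": [(0, "mx.fakemx.net.", ["192.0.2.10"])],
    "trap.example": [(10, "host.invalid.", []),
                     (10, "trap.example.", ["198.51.100.5", "2001:db8::1"])],
    "good.example": [(10, "mx1.good.example.", ["11.22.33.44"])],
}


if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        verdict = "usable" if has_usable_mx(records) else "no usable MX"
        print(f"{domain}: {verdict}")
        for _, host, addrs in records:
            for reason in mx_reasons(host, addrs):
                print(f"  {host} -> {reason}")
```

In a filter_sender() style check the resolver output for the envelope sender's domain would be fed to has_usable_mx() before any SPF evaluation, keeping the list-based approach the post prefers over contacting the exchanger.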
