Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Check valid MX record on receive
  FAQ FAQ  Forum Search   Register Register  Login Login

Check valid MX record on receive

 Post Reply Post Reply Page  <12
Author
Matt R View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Matt R Quote  Post ReplyReply Direct Link To This Post Posted: 02 December 2004 at 9:11pm

The answer to your question is simple, an MX record is not required in order to receive email!  MX records point to email for the domain.  So, if SpamFiltered worked properly and checked the domain it would not cause the enourmous false positives that this feature causes. 

No big deal, though, just another of many empty checkbox in the program representing illogical cryptic capability.

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 01 December 2004 at 10:39am

NO ... not every *host* that sends email requires an MX record ... Every *domain* that email claims to have a return path to (ie the FROM address) needs to have an MX record otherwise, how can you mail back if there is no existing exchanger?  If there is no mail exchanger, the why did the user *claim* to have a return address from a domain that can't be answered to?

SPF is totaly different.  SPF maks sure that the domain the mail is claiming to be from is allowed to mail from the IP it came from.

Dan S.

Back to Top
Matt R View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Matt R Quote  Post ReplyReply Direct Link To This Post Posted: 30 November 2004 at 10:50pm

Every host that sends email must have a MX record ?  Great, then you don't need SPF!   I think if you're going to run a cryptic operation like that you would be better served by a product that does strictly user managed whitelisting only and rejects everything else.  That's really where you are going with a feature like this.  I know, I know, we can just turn the misguided feature off.

My problem is that I did not believe in a thousand years that this feature could have been implemented as such requiring every host to have an MX record.  I figured that verifying the the sending domain INCLUDED an MX record was an intelligent way to filter some spam. That way if the domain had no MX record we could say there is a problem with the domain and justify not accepting the email.  To turn this into a cryptic feature that requires every host to have an MX record is simply going to block lots of good email.  Users beware! 

-Matt

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 23 November 2004 at 10:17am

However,

If the "FROM" is something like reply@listserver.domain.net  then listserver.domain.net  should have an MX record to cover a valid return path and therefore no problem will exist. In this case, listserver.domain.net is, as you state a host BUT it is also a sub-domain so that the zone file might look like the following real example friom my dns server:

Domain = imeanit.com

@  TXT ( "v=spf1 ip4:66.181.192.0/20 ip4:216.244.114.0/27 a ptr mx  -all" )
bounce  A 66.181.193.110
MX 10 mail.bounce.imeanit.com.
mail.bounce A 66.181.193.110

Where the listserver "FROM" address is campID.userID@bounce.imeanit.com

When SpamFilter dows and MX lookup:

Query Type:  Mail Exchanger(s)
Query Value: bounce.imeanit.com

Mail Exchanger 1:   Pref. 10  mail.bounce.imeanit.com

   ip addr 1:   66.181.193.110

And it goes through just fine.  We have many customers set up with list servers and they do not get blocked as Spam for the MX lookup.

Regards,

Dan S.

Back to Top
Matt View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Matt Quote  Post ReplyReply Direct Link To This Post Posted: 22 November 2004 at 6:21pm

I thought the purpose of this was to block ONLY spam.  New features that are designed to block valid email, seem like a flaw to me.

The problem here is the term subdomain (as so many other terms used on the Internet) is defined many different ways.  For the purpose of DNS, though, a subdomain MUST contain at least one entry in it's own zone record or it is not a subdomain, it is merely a host record in a subdomain.  

This means that if I define listserver.domain.net as a host record in domain.net DNS zone record AND even have it listed as an MX record in domain.net AND I can send and receive email to and from this legitimate list server, I still get rejected by Logsat!  This is a common scenario and there are many valid and proper uses for sending and receiving email from a host in legitimate DNS zone. 

So, if you use this feature you are GUARANTEED valid wanted email gets rejected in addition to invalid unwanted email.

- Matt

 

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 3953
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 19 November 2004 at 5:01pm
As Dan correctly replied, no, we do not check for the A record. Thru research, we've seen that a large number of the spam that the MX record filter stops, is sent from domains that do have an A record. If we were to check for that, the filter would have let the email thru.

Please note that the A record for a domain will most likely be there if the domain in the email exists, so checking for that to be present would practically just mean that we'd be checking only to see if the domain exists or not. We want to do more, and verifying the actual presence of the MX record has proven to be very effective.

If valid domains without an MX record are found, we strongly urge administrators to notify the owners/admins of those domain to inform them that they should really get with the times and properly configure their DNS.

There is no RFC that states that an email server should not be an open relay, however as we often mention some RFCs are dinosaurs, and need to get a face lift. Anyone who will say "the RFC says I don't need to close my mail server relay" will quickly appear on internet blacklists, and his mail server exploited. The MX record presence issue is very similar. It does *not* have to be there, but most administrators know that they really should have one to avoid problems.

Roberto F. LogSat Software
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 19 November 2004 at 1:18pm

No, it does not and I agree with LogSat that it should not as the rfc does not state that a mail server *must* send to a A record if MX is not present ... only that it *should*.   In my opinion, no MX is an omission from DNS and if you really have a mail server then you should insist that the DNS administrator puts an MX record in.  A good argument for this is that most web sites can be hit with either http://www.domain.com or just simply domain.com ... using a "blank" A record.  As a result of this, we always put in an MX record and if no mail server exists, then it is pointed to a server that simply nulls out all inbound mail.  This way, none of our customers web servers are getting hit with mail attempts that should not go there.

I have recently modified my Sendmail server to *only* deliver to a valid MX record and not attempt to deliver to a simple A record.

Dan S.

Back to Top
keizersozay View Drop Down
Groupie
Groupie
Avatar

Joined: 26 January 2005
Location: United States
Status: Offline
Points: 77
Post Options Post Options   Thanks (0) Thanks(0)   Quote keizersozay Quote  Post ReplyReply Direct Link To This Post Posted: 19 November 2004 at 11:21am

does spamfilter check for an A record if no MX record is found?
If not, this would be helpful.

 

Thanks.

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 3953
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 18 November 2004 at 6:59pm
Wes,

While technically per RFC2821 domains are not *required* to have an MX record, the RFC was written back in the days where spam was a non-issue. Nowdays things are different. Most administrators should be aware that a properly configured DNS should include one or more MX records for their email system, just like properly configured and legitimate server should have a reverse DNS entry.

It would appear surprising that fema.gov does not have an MX record. However that not their only problem. If you check their DNS, you will find that they have an A record for fema.gov, 166.112.200.200. The RFC states that if the MX records is not present, mails servers should use that instead. As of right now, there is no mail server listening on that IP address, it is not a valid mail server (or it's having technical problems at the moment).

To summarize, at this moment any email address in the form user@fema.gov is an invalid address, since the domain does not have a mail server. Please note that this may change if they are indeed having technical issues.

The other domain you mention, mil.gov, does not appear to have a DNS entry at all, so it too will not be able to receive email right now.

Roberto F. LogSat Software

Back to Top
BigDog View Drop Down
Newbie
Newbie


Joined: 26 January 2005
Location: United States
Status: Offline
Points: 11
Post Options Post Options   Thanks (0) Thanks(0)   Quote BigDog Quote  Post ReplyReply Direct Link To This Post Posted: 18 November 2004 at 4:12pm

Ok, this did seem good and I am stopping a lot of spam but I am getting a lot of messages rejected from server like mil.gov and fema.gov; also just about every list server that I have user on are also getting mail bounced due to checking for valid MX record.  I am being force to turn this option off. 

Not all valid out going email servers will have valid MX records, while this check does knock out some spam, is it worth losing one valid email message for every 500 messages that are spam?  

Back to Top
 Post Reply Post Reply Page  <12
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.125 seconds.

Spam Filter ISP - Copyright © 2002-2013 LogSat Software LLC - PO BOX 916340 Longwood, FL 32791 USA

 Sales: sales@LogSat.com - Support: support@LogSat.com - Tel. (sales only): +1 407-650-3008