No DNS lookup for MX, A, AAAA or A6?
Good day folks,
Does SJS MS 6.2 support querying DNS for MX, A, AAAA or A6 records for the domain specified in the SMTP mail from:<someone@somedomain.com>? Exim and sendmail support this measure as a means of reducing spam but I can't find the equivalent for SJS MS 6.2. mailfromdnsverify on the tcp_local channel only sets up verification of existence of the domain itself.
Cheers
By edepasa at 2007-11-26 14:25:24

# 1
Hi,
> Does SJS MS 6.2 support querying DNS for MX,A,AAAA or
> A6 records for the domain specified in the SMTP mail
> from:<someone@somedomain.com>?
Yes for MX and A. AAAA and A6 are IPv6 records which are not yet supported in messaging server.
> Exim and sendmail
> support this measure as a means of reducing spam but
> I can't find the equivalent for SJS MS 6.2.
Support what measure to reduce spam?
> mailfromdnsverify on the tcp_local channel only sets
> up verification of existence of the domain itself.
Yes, that's correct. If the domain address is resolvable enough for delivery then mailfromdnsverify will not reject the email. Anything more is likely to end up breaking more than it fixes as I have encountered a number of valid sites that have broken DNS records in one way or another.
Regards,
Shane.
# 2
The "measure to reduce spam" is that the receiver's mail server queries the name server holding the SOA for the sender's domain for the MX or A record for that domain. If the sender's domain has no MX record and no A records, exim and sendmail refuse to accept the mail from it.
SJS MS 6.2 doesn't seem to do this - if it does, how? By rejecting e-mails from such domain addresses, a lot of spam is eliminated at the SMTP level. mailfromdnsverify just doesn't do enough.
What I have seen is that the central computing services centre at the University where I serve uses this technique to reject mail that is forwarded to its mail servers by my Faculty's mail server running MS 6.2 and I am the daily recipient, in copy, as mailadmin, of hundreds of NDRs that are being delivered to these fake addresses by MS 6.2 when the central mail servers reject the mail forwarded to them by MS 6.2. Wasting CPU time.....
I state here that I have yet to sample these NDRs for a sender's e-mail address that isn't from a domain that has just an SOA record to its name.
Cheers,
Etienne
# 3
> The "measure to reduce spam" is that the receiver's
> mail server queries the name server holding the SOA
> for the sender's domain for the MX or A record for
> that domain. If the sender's domain has no MX record
> and no A records, exim and sendmail refuse to accept
> the mail from it.
Really? That's not a feature I've ever actually heard that either of these products have. I can't imagine how it might impact performance. Badly, I strongly suspect.
>
> SJS MS 6.2 doesn't seem to do this
No, if we had to query every server that mail appears to come from, to check the validity of that mail address, we'd never be able to process mail in any quantity. I strongly doubt that any other product does as you suggest, either.
> - if it does, how?
> By rejecting e-mails from such domain addresses, a
> lot of spam is eliminated at the SMTP level.
> mailfromdnsverify just doesn't do enough.
>
How about SpamAssassin?
RBL?
Greylisting?
> What I have seen is that the central computing
> services centre at the University where I serve uses
> this technique to reject mail that is forwarded to
> its mail servers by my Faculty's mail server running
> MS 6.2 and I am the daily recipient, in copy, as
> mailadmin, of hundreds of NDRs that are being
> delivered to these fake addresses by MS 6.2 when the
> central mail servers reject the mail forwarded to
> them by MS 6.2. Wasting CPU time.....
If your central systems accept mail addressed to fake users, then that's a configuration error on their part, assuming that they can know all the real users.
I have worked with many system administrators that are not allowed to reject any messages, because they are not allowed to have a complete list of all users... If that's the case, it's the architecture of the mail system, not the product at fault.
>
> I state here that I have yet to sample these NDRs for
> a sender's e-mail address that isn't from a domain
> that has just an SOA record to its name.
>
> Cheers,
>
> Etienne
# 4
Hi,
> The "measure to reduce spam" is that the receiver's
> mail server queries the name server holding the SOA
> for the sender's domain for the MX or A record for
> that domain. If the sender's domain has no MX record
> and no A records, exim and sendmail refuse to accept
> the mail from it.
Let's run through an example, the non-existent domain blah123.com.
bash-3.00# host blah123.com
Host blah123.com not found: 3(NXDOMAIN)
bash-3.00# host -t mx blah123.com
Host blah123.com not found: 3(NXDOMAIN)
So based on your description sendmail/exim will refuse email coming from somebody@blah123.com as it has neither an A nor an MX record.
> SJS MS 6.2 doesn't seem to do this - if it does, how?
> By rejecting e-mails from such domain addresses, a
> lot of spam is eliminated at the SMTP level.
> mailfromdnsverify just doesn't do enough.
Let's see how MS6.2 handles this. I added mailfromdnsverify to my tcp_intranet channel definition (imta.cnf), ./imsimta cnbuild;./imsimta restart
bash-2.05# telnet myserver 25
Trying 1.2.3.4...
Connected to myserver.sun.com.
Escape character is '^]'.
220 myserver.sun.com -- Server ESMTP (Sun Java System Messaging Server 6.2-8.01 (built Nov 27 2006))
mail from: blah@blah123.com
550 5.1.8 invalid/host-not-in-DNS return address not allowed
Seems to be working to me. The email was rejected. Do you have an example domain which doesn't work as you expected?
Regards,
Shane.
# 5
Hi Shane,
Let me take this piece by piece:
"Really? That's not a feature I've ever actually heard that either of these products have. I can't imagine how it might impact performance. Badly, I strongly suspect."
The following is an extract from the central mail servers' SMTP dialogue with my MS 6.2:
*** START MESSAGE ***
This report relates to a message you sent with the following header fields:
Message-id: <000001c73417$3ddaf380$0100007f@localhost>
Date: Tue, 09 Jan 2007 12:55:29 -0500
From: Ethan Edwards <jamminmusic.com@freakauctions.com>
To: someone@mydomain.com
Subject: What IS 0EM Software And Why D0 You Care?
Your message cannot be delivered to the following recipients:
Recipient address: eventualrecipient@mycentradomain.com
Original address: someone@mydomain.com
Reason: Remote SMTP server has rejected address
Diagnostic code: smtp;553 5.1.8 <eventualrecipient@mycentradomain.com>... Domain of sender address jamminmusic.com@freakauctions.com does not exist
Remote system: dns;centraldnsserver.mycentraldomain.com(TCP|mymailserveripaddress|62084|centra lmailserveripaddress|25) (centralmailserver.um.edu.mt ESMTP CSCMAIL/External server ready)
*** END MESSAGE ***
"No, if we had to query every server that mail appears to come from, to check the validity of that mail address, we'd never be able to process mail in any quantity. I strongly doubt that any other product does as you suggest, either"
This kind of checking is done on every message by mail servers running sendmail that host about 500 users.
-
"How about SpamAssassin?
RBL?
Greylisting?"
I think that these techniques all get past the SMTP stage - I want better handling at the SMTP stage.
-
"If your central systems accept mail addressed to fake users, then that's a configuration error on their part, assuming that they can know all the real users."
What I intended is that the mail servers reject external, incoming mail from source addresses that include domains that only have SOA records.
-
Finally, regarding the blah123.com example: this domain has no SOA record so mailfromdnsverify works in rejecting the incoming e-mail at the SMTP stage. But try these:
pipex.co.uk
fstngt.org
lists.midterme.com
com.br
net.my
-
Thanks for keeping up this discussion.
Cheers,
Etienne
# 6
Sorry Shane, I didn't realise that the first of the two replies I received yesterday was from Jay.
# 7
Hi,
Let's look at the example you provided of freakauctions.com
bash-3.00$ dig freakauctions.com
<snip>
;; AUTHORITY SECTION:
freakauctions.com. 3554 IN SOA usefuldns.serenity.network. admin.serenity.network. 2 900 600 86400 3600
</snip>
bash-3.00$ host usefuldns.serenity.network.
Host usefuldns.serenity.network not found: 3(NXDOMAIN)
Looks like the authority for the domain is invalid. Chances are this should be:
bash-3.00$ host usefuldns.serenity.net.
usefuldns.serenity.net has address 64.38.205.243
So in this case it isn't that the email domain doesn't have an A/MX record, but that the authority for the domain (SOA) for the record is invalid/doesn't exist.
It is entirely possible that this is not a scenario that was considered for mailfromdnsverify rejection. I will ask the gurus in Sun and get back to you.
Regards,
Shane.
# 8
Shane, from my sampling of messages of the kind I've shown (the freakauctions.com example), it's clear to me by now that as long as MS 6.2 finds an SOA record, it's satisfied and accepts the MAIL FROM: address, regardless of whether that domain is equipped with mail exchangers or not. The point I'm trying to make is that MS 6.2 needs to be strengthened in that department because spammers have wised up to the technique implicit in the use of the mailfromdnsverify record.
Thank you for your interest, I appreciate it.
Cheers,
Etienne
# 9
Incidentally, try pipex.co.uk. The SOA record lists auth1.dns.gxn.net as the primary name server. This host has an A record and it shows 195.224.255.2 as the IP address of this host. So really if mail from an address at this domain was rejected by the central mail servers, it wasn't on the basis of an inexistent A record.
Cheers,
Etienne
# 10
Here's an extract from http://www.sendmail.org/doc/sendmail-current/cf/README that might help Jay weaken his doubt.
accept_unresolvable_domains
Normally, MAIL FROM: commands in the SMTP session will be
refused if the host part of the argument to MAIL FROM:
cannot be located in the host name service (e.g., an A or
MX record in DNS). If you are inside a firewall that has
only a limited view of the Internet host name space, this
could cause problems. In this case you probably want to
use this feature to accept all domains on input, even if
they are unresolvable.
# 11
Hi,
I discussed this issue with the developer.
When using the mailfromdnsverify channel keyword, messaging server currently only verifies whether the A record exists. If the A record is empty (as is the case here) we *assume* the MX record exists and move on. This has been sufficient to stop guessed/random domains till now but as spammers become more ... well annoying in their efforts, this mechanism is not rejecting as many emails as it could.
The mechanism was implemented this way to reduce the number of DNS searches mailfromdnsverify causes (and thus improve mail throughput).
Improving the mechanism isn't a priority at the moment, although it COULD be if customers request it. So please log a Sun support case asking for improvements to be made (quoting your existing examples). The more customers that ask for it the higher the chances of it being improved.
Regards,
Shane.
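Added example, not written by any poster in this thread and not Messaging Server or sendmail code: a Python model contrasting the check described in reply #11 (A lookup only, an empty answer is taken to mean an MX exists) with the rule quoted from the sendmail README in reply #10 (an A or MX record must exist). The `.example` domains, the stub `lookup` resolver and the `tempfail` verdict for resolver errors are assumptions made for the illustration.

```python
# Added illustration. DNS answers come from a constructed table, not live lookups.
NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

ZONES = {  # constructed sample data: domain -> (rcode, record sets)
    "mail.example": (NOERROR, {"MX": ["10 mx1.mail.example."]}),
    "hostonly.example": (NOERROR, {"A": ["192.0.2.10"]}),
    "soaonly.example": (NOERROR, {}),  # zone exists (SOA) but has no MX and no A
    "broken.example": (SERVFAIL, {}),  # authoritative servers not answering
}

def lookup(domain, rtype):
    """Stub resolver (hypothetical): returns (rcode, records) for one query."""
    rcode, rrsets = ZONES.get(domain.lower().rstrip("."), (NXDOMAIN, {}))
    return rcode, rrsets.get(rtype, [])

def sender_domain(mail_from):
    """Extract the domain from a MAIL FROM argument, or None if malformed."""
    local, sep, domain = mail_from.strip().strip("<>").rpartition("@")
    return domain if sep and local and domain else None

def verify(mail_from, strict, resolve=lookup):
    """Return 'accept', 'reject' or 'tempfail' for a MAIL FROM argument.

    strict=False models the behaviour described in reply #11.
    strict=True models the rule quoted from the sendmail README.
    """
    if mail_from.strip() == "<>":
        return "accept"  # null reverse-path: bounces must stay deliverable
    domain = sender_domain(mail_from)
    if domain is None:
        return "reject"
    for rtype in (("MX", "A") if strict else ("A",)):
        rcode, records = resolve(domain, rtype)
        if rcode == NXDOMAIN:
            return "reject"  # domain does not exist at all
        if rcode != NOERROR:
            # Assumption: a resolver error is a temporary failure, so a sender
            # with briefly broken DNS is asked to retry rather than bounced.
            return "tempfail"
        if records:
            return "accept"
    # Every query returned NOERROR with an empty answer (SOA-only domain).
    return "reject" if strict else "accept"

if __name__ == "__main__":
    for addr in ("a@mail.example", "a@hostonly.example", "a@soaonly.example",
                 "a@nosuch.example", "a@broken.example", "<>"):
        print(addr, verify(addr, strict=False), verify(addr, strict=True))
```
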
# 12
OK Shane, I'll do so.
Before closure of this issue, for accuracy's sake: you write "currently only verifies whether the A record exists"; I'll run a packet sniffer test on the mail server's output to inspect whether MS 6.2 checks for the A record after checking for the SOA record of the sender's domain and then I'll post back.
Cheers,
Etienne