--- On Thu, 11/17/11, Mike Grau <m.g...@kcc.state.ks.us> wrote:

> Those people checking for valid MX records for a sender's
> domain from within MIMEdefang ... is anybody checking if a
> sender's one and only MX record is a fake MX tempfailing
> service? Has anyone ever seen this type of setup for
> legitimate e-mail?
>
> For example:
>
> # nslookup -type=MX babe.org
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> babe.org mail exchanger = 0 mx.fakemx.net.
I do use MD's function md_get_bogus_mx_hosts() on the sender's domain and check for SPF in filter_sender(), but I do not check for the rejecting-SMTP services at this time. [I ignore the SPF result if the mail is delivered via SMTP AUTH, as I consider that connection as from a trusted forwarder.]

I would be against any approach which actually contacts the server to test it (i.e. a callout or callback), but not against an approach which maintains a list of known dummy services. As such, I know of two:

  mx.fakemx.net
  tarbaby.junkemailfilter.com

As the concept was published as part of SpamAssassin's web site (http://wiki.apache.org/spamassassin/OtherTricks), maybe a list of such fake SMTP services should be listed there. "Tarbaby" is already mentioned. "Fakemx" isn't, but its concept is.

One thing that I have done is to donate a hostname in my domain that is meant to be harvested by malicious webbots as the domain-part of bogus mailbox addresses. It has address records in the RFC "example" ranges and only bogus MXes. I list it with 5 mail exchangers (not in order):

  localhost.
  mx.fakemx.net.
  tarbaby.junkemailfilter.com.
  _anything_.invalid.  (replace _anything_ with some valid host name)
  "@"  (itself - to use the bogus "example" address records)

Any spammer stupid enough to try to send his spew forging this host name as the sender address will also face an SPF-RR "v=spf1 -all" (while those idiots still resolving ONLY TXT-RRs for SPF will get "v=spf1 +all").

For the webbots, I generate a mailto URL with a local-part which is a unix-time integer, so I know when it was harvested. I added custom rulesets to my sendmail configuration to detect an all-numeric local-part and rewrite it to my spamtrap mailbox mailing list, which includes <s...@uce.gov> among others.
I note that md_get_bogus_mx_hosts() does NOT cover the following ranges, which generally should not appear on the live Internet (RFC 5735):

  0.0.0.0/8 other than 0.0.0.0/32  (autoconfiguration/bootstrapping)
  192.0.2.0/24                      (tests/examples/RFCs)
  192.88.99.0/24                    (6to4 gateways will never source or sink mail)
  198.18.0.0/15                     (benchmarks)
  198.51.100.0/24                   (tests/examples/RFCs)
  203.0.113.0/24                    (tests/examples/RFCs)
  248.0.0.0/5 other than 255.255.255.255/32

and IPv6 addresses such as 2001:DB8::/32 (from RFC 3849).

The block 192.0.0.0/24, although mentioned in RFC 5735, is available for assignment to live hosts. It is merely reserved to the IETF itself.

_______________________________________________
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
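The two checks discussed in the thread, a static list of known fake-MX services (no callouts) and the RFC 5735 / RFC 3849 ranges the post says md_get_bogus_mx_hosts() leaves out, combined into one sender-domain MX classifier. This is an added example, not MIMEDefang's own code; the DNS table, the host names ending in .example and the "routable" address 198.100.52.17 are constructed so it runs offline.

```python
"""Vet a sender domain's MX set the way a filter_sender() hook might:
flag domains whose only MXes are known dummy services, or whose MXes
resolve only to addresses that should never appear on the live Internet."""
import ipaddress

# Known fake-MX / tempfailing services named in the thread.
FAKE_MX_HOSTS = {"mx.fakemx.net", "tarbaby.junkemailfilter.com"}

# RFC 5735 / RFC 3849 ranges the post lists as not covered, plus loopback
# (assumed to be covered by md_get_bogus_mx_hosts(); listed for completeness).
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "192.0.2.0/24", "192.88.99.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "248.0.0.0/5", "2001:db8::/32",
    "127.0.0.0/8", "::1/128",
)]
# The post carves these two addresses out of 0.0.0.0/8 and 248.0.0.0/5.
BOGUS_EXCEPTIONS = {ipaddress.ip_address("0.0.0.0"),
                    ipaddress.ip_address("255.255.255.255")}

def is_bogus_address(addr):
    ip = ipaddress.ip_address(addr)
    return ip not in BOGUS_EXCEPTIONS and any(ip in n for n in BOGUS_NETS)

def classify_mx(mx_hosts, resolve):
    """Return (verdict, detail): 'fake_mx' if every MX is a known dummy
    service, 'bogus_mx' if no MX resolves to a routable address, else 'ok'.
    resolve(name) -> list of address strings ([] when nothing resolves)."""
    hosts = sorted({h.rstrip(".").lower() for h in mx_hosts})
    if not hosts:
        return "ok", "no MX; sender domain falls back to its A/AAAA record"
    if set(hosts) <= FAKE_MX_HOSTS:
        return "fake_mx", "only fake-MX services: " + ", ".join(hosts)
    usable = [h for h in hosts
              if h not in FAKE_MX_HOSTS
              and (addrs := resolve(h))                 # unresolvable -> unusable
              and not all(is_bogus_address(a) for a in addrs)]
    if not usable:
        return "bogus_mx", "no MX host resolves to a routable address"
    return "ok", "usable MX: " + ", ".join(usable)

# Constructed DNS answers standing in for real MX/A/AAAA lookups.
FAKE_DNS = {
    "mx.fakemx.net": ["192.0.2.10"],
    "tarbaby.junkemailfilter.com": ["198.51.100.20"],
    "mx1.spamtrap.example": ["2001:db8::25"],   # RFC 3849 documentation prefix
    "localhost": ["127.0.0.1"],
    "mx.sender.example": ["198.100.52.17"],     # constructed routable address
}

def lookup(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    print(classify_mx(["mx.fakemx.net."], lookup))
    print(classify_mx(["localhost.", "mx.fakemx.net.", "host.invalid.",
                       "mx1.spamtrap.example."], lookup))
    print(classify_mx(["mx.sender.example."], lookup))
```

In a real filter the first verdict would come from the domain's MX records and their address records at SMTP time; tempfailing or scoring on the result, rather than rejecting outright, keeps a stale dummy-service list from bouncing legitimate mail.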