--- On Thu, 11/17/11, Mike Grau <m.g...@kcc.state.ks.us> wrote:
> Those people checking for valid MX records for a sender's
> domain from within MIMEdefang ... is anybody checking if a
> sender's one and only MX record is a fake MX tempfailing
> service? Has anyone ever seen this type of setup for
> legitimate e-mail?
> 
> For example:
> 
> # nslookup -type=MX babe.org
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> Non-authoritative answer:
> babe.org        mail exchanger = 0  mx.fakemx.net.

I do use MD's function md_get_bogus_mx_hosts() on the sender's domain and check 
for SPF in filter_sender(), but I do not check for the rejecting-SMTP services 
at this time.  [I ignore the SPF result if the mail is delivered via SMTP AUTH 
as I consider that connection as from a trusted forwarder.]

I would be against any approach which actually contacts the server to test it 
(i.e. a callout or callback), but not against an approach which maintains a 
list of known dummy services.  As such, I know of two:

  mx.fakemx.net
  tarbaby.junkemailfilter.com

As the concept was published as part of SpamAssassin's web site 
(http://wiki.apache.org/spamassassin/OtherTricks), maybe a list of such fake 
SMTP services should be listed there.  "Tarbaby" is already mentioned.  
"Fakemx" isn't but its concept is.

One thing that I have done is to donate a hostname in my domain that is meant 
to be harvested by malicious webbots as the domain-part of bogus mailbox 
addresses.  It has address records in the RFC "example" ranges and only bogus 
MXs.  I list it with 5 mail exchangers (not in order):

  localhost.
  mx.fakemx.net.
  tarbaby.junkemailfilter.com.
  _anything_.invalid.  (replace _anything_ with some valid host name), and
  "@" (itself - to use the bogus "example" address records)

Any spammer stupid enough to try to send his spew forging this host name as the 
sender address will also face an SPF-RR "v=spf1 -all" (while those idiots still 
resolving ONLY TXT-RRs for SPF will get "v=spf1 +all").

For the webbots, I generate a mailto URL with a local-part which is a unix-time 
integer, so I know when it was harvested.  I added custom rulesets to my 
sendmail configuration to detect an all-numeric local-part and rewrite it to my 
spamtrap mailbox mailing list, which includes <s...@uce.gov> among others.


I note that md_get_bogus_mx_hosts() does NOT cover the following ranges which 
generally should not appear on the live Internet (RFC 5735):

  0.0.0.0/8 other than 0.0.0.0/32 (autoconfiguration/bootstrapping)
  192.0.2.0/24    (tests/examples/RFCs)
  192.88.99.0/24  (6to4 gateways will never source or sink mail)
  198.18.0.0/15   (benchmarks)
  198.51.100.0/24 (tests/examples/RFCs)
  203.0.113.0/24  (tests/examples/RFCs)
  248.0.0.0/5 other than 255.255.255.255/32.
and
  IPv6 addresses such as 2001:DB8::/32 (from RFC 3849).

The block 192.0.0.0/24, although mentioned in RFC 5735, is available for 
assignment to live hosts.  It is merely reserved to the IETF itself.

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
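An added illustration, not code from the post, from MIMEDefang or from the SpamAssassin wiki: a standalone Python sketch of the check the thread discusses (a list of known fake-MX services plus the RFC 5735 / RFC 3849 ranges the post says md_get_bogus_mx_hosts() misses), with DNS replaced by constructed data so it runs offline. The names in FAKE_DNS and the "already covered" base ranges are assumptions.

```python
import ipaddress
from typing import Callable, Iterable, List

# Fake-MX / tempfailing services named in the thread.
KNOWN_FAKE_MX = {"mx.fakemx.net", "tarbaby.junkemailfilter.com"}

BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    # Assumed already covered by md_get_bogus_mx_hosts(): loopback, RFC 1918, link-local.
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    # Ranges the post says it does NOT cover (RFC 5735 and RFC 3849). The post carves out
    # 0.0.0.0/32 and 255.255.255.255/32; they stay bogus here since neither can be an MX.
    "0.0.0.0/8", "192.0.2.0/24", "192.88.99.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "248.0.0.0/5", "2001:db8::/32")]

def is_bogus_address(addr: str) -> bool:
    """True if an MX host's address should never appear on the live Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGUS_NETS)  # version mismatch simply yields False

def is_dummy_mx(host: str, resolve: Callable[[str], Iterable[str]]) -> bool:
    """True if this one exchanger can never accept mail: a known fake-MX service,
    a name that cannot resolve (localhost, .invalid), or only bogus or no addresses."""
    name = host.rstrip(".").lower()
    if name in KNOWN_FAKE_MX or name == "localhost" or name.endswith(".invalid"):
        return True
    return all(is_bogus_address(a) for a in resolve(name))  # vacuously True if no A/AAAA

def only_dummy_mx(mx_hosts: List[str], resolve: Callable[[str], Iterable[str]]) -> bool:
    """Flag the sender domain only when every MX is a dummy; one real MX clears it."""
    hosts = [h for h in mx_hosts if h]
    return bool(hosts) and all(is_dummy_mx(h, resolve) for h in hosts)

# Constructed stand-in for DNS so the example runs offline (hypothetical names).
FAKE_DNS = {
    "spamtrap.example": ["192.0.2.10"],    # the apex ("@") with its TEST-NET-1 A record
    "mx6.dead.example": ["2001:db8::25"],  # documentation-prefix AAAA record only
    "mail.real.example": ["192.0.3.25"],   # constructed, ordinarily routable address
}

def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])
# The post's five exchangers ("@" replaced by the apex name) plus an AAAA-only dummy.
SPAMTRAP_MX = ["localhost.", "mx.fakemx.net.", "tarbaby.junkemailfilter.com.",
               "anyhost.invalid.", "spamtrap.example.", "mx6.dead.example."]
REAL_MX = ["mx.fakemx.net.", "mail.real.example."]  # one fake plus one real exchanger

if __name__ == "__main__":
    print(only_dummy_mx(SPAMTRAP_MX, fake_resolve))  # True: score/reject this sender domain
    print(only_dummy_mx(REAL_MX, fake_resolve))      # False: a real exchanger exists
```

In a real filter_sender() the resolver would be the MX and address lookups already done for md_get_bogus_mx_hosts(), so no callout to the exchanger is ever made.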