Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - yet another MX record query
  FAQ FAQ  Forum Search   Register Register  Login Login

yet another MX record query

 Post Reply Post Reply
Author
AmirSachs View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote AmirSachs Quote  Post ReplyReply Direct Link To This Post Topic: yet another MX record query
    Posted: 13 June 2006 at 6:46am
Hi,
i have read the threads regarding the MX record and DNS issues, but still don't understand this. I have pasted below extract from the log and message headers. the second log extract shows exactly the same behaviour but from a different host.
 
The email is being sent from @za.verizonbusiness.com which has valid MX records. Why does logsat report that the email is from "EMail from dnsar@mx01.uunet.co.za" (4th line on the log), and why is it considered to be spam?
 
The options "reject if no reverse dns" and "reject if sender domain has invalid MX record" are selected.
Surely the "reject if sender domain has no invalid mx record" isn't true here, as is evident from a nslookup for za.verizonbusiness.com.
 
the most peculiar thing here is the return-path, where does this value come from, and why is spamfilter checking against this value as opposed to the sender value?
 
Thanks for your assistance
 
Amir
 
Here are extracts from the logfile:
06/13/06 09:57:30:375 -- (2700) Connection from: 196.31.48.143  -  Originating country : South Africa
06/13/06 09:57:30:578 -- (2700) Resolving 196.31.48.143 - mx01.uunet.co.za
06/13/06 09:57:30:640 -- (2700) - Invalid MX record -
06/13/06 09:57:30:640 -- (2700) 196.31.48.143 - Mail from: dnsar@mx01.uunet.co.za To: julian@???????.??? will be spam-tagged
06/13/06 09:57:30:703 -- (2700) EMail from dnsar@mx01.uunet.co.za to julian@?????????.??? was queued. Size: 1 KB, 1024 bytes
06/13/06 09:57:30:703 -- (2108) Sending email from dns-admin@za.verizonbusiness.com to julian@????????.???
06/13/06 09:57:30:750 -- (1932) Time to add Msg to Bayes corpus:0
06/13/06 09:57:30:781 -- (2700) Blacklist cache - Added 196.31.48.143 to limbo
06/13/06 09:57:30:781 -- (2700) Disconnect
06/13/06 09:57:32:375 -- (2108) EMail from dns-admin@za.verizonbusiness.com to julian@??????????.???  was forwarded to 000.00.00.00:25
 

06/13/06 09:59:56:546 -- (2300) Connection from: 206.223.136.195  -  Originating country : South Africa
06/13/06 09:59:56:781 -- (2300) Resolving 206.223.136.195 - ns0.coza.net.za
06/13/06 09:59:56:828 -- (2300) - Invalid MX record -
06/13/06 09:59:56:828 -- (2300) 206.223.136.195 - Mail from: coza@ns0.coza.net.za To: xxxxx@???????.??? will be spam-tagged
06/13/06 09:59:56:875 -- (2300) - Invalid MX record -
06/13/06 09:59:56:875 -- (2300) 206.223.136.195 - Mail from: coza@ns0.coza.net.za To: xxxxxx@???????.??? will be spam-tagged
06/13/06 09:59:57:078 -- (2300) EMail from coza@ns0.coza.net.za to xxxxxxx@?????????.???, xxxxx@?????????.??? was queued. Size: 2 KB, 2048 bytes
06/13/06 09:59:57:078 -- (2188) Sending email from ticketman@co.za to xxxxxx@????????.???, xxx@?????????.???
06/13/06 09:59:57:125 -- (1932) Time to add Msg to Bayes corpus:0
06/13/06 09:59:58:859 -- (2188) EMail from ticketman@co.za to xxxxxx@????????.???, xxx@?????????.???  was forwarded to 000.00.00.00:25
06/13/06 10:00:01:203 -- (2300) Blacklist cache - Added 206.223.136.195 to limbo
06/13/06 10:00:01:203 -- (2300) Disconnect

The message headers are:
Reply-To: "Verizon Business DNS Team" <dns-admin@za.verizonbusiness.com>
From: "Verizon Business DNS Team" <dns-admin@za.verizonbusiness.com>
To: <julian@????????????>
Subject: {SPAMF} Your message to dns-admin@za.verizonbusiness.com
Date: Tue, 13 Jun 2006 09:56:30 +0200
Message-ID: <200606130756.k5D7uUFK079027@mx01.uunet.co.za>
MIME-Version: 1.0
Content-Type: text/plain;
 charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcaOvtQZhSIvggmbQ2alW7MHQ9gE+Q==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-SF-RX-Return-Path: <dnsar@mx01.uunet.co.za> SIZE=2594
X-SF-HELO-Domain: mx01.uunet.co.za
X-SF-SPAM: Y
 
* This is an automated response *
 
Thank you for contacting the Verizon Business Customer Service Centre.
 
This auto-response confirms that we have received your DNS query.
 
Back to Top
lyndonje View Drop Down
Senior Member
Senior Member
Avatar

Joined: 31 January 2006
Location: United Kingdom
Status: Offline
Points: 192
Post Options Post Options   Thanks (0) Thanks(0)   Quote lyndonje Quote  Post ReplyReply Direct Link To This Post Posted: 13 June 2006 at 8:42am
The SMTP MAIL FROM and Email Header From: field's do not have to be the same and therefore can be different.

SF does the MX record check on the SMTP MAIL FROM address, which is being passed by the sending server as dnsar@mx01.uunet.co.za. SF is correctly detecting that mx01.uunet.co.za indeed has no MX records.

The SMTP MAIL FROM address is normally used for bounce backs and return paths, this is more of a 'technical' address which is lost as soon as an email reached the destination mailbox, hence why SF adds the:

X-SF-RX-Return-Path: <dnsar@mx01.uunet.co.za> SIZE=2594.

header for debuging.

The Email Header From: field is more cosmetic and is what the recipients mail client uses to display the senders information, and reply to unless a Reply-To header is specified.

Although the two fields can be different, the majority of the time they are the same.

From the log snippets however it says they emails are being forward, which should not be the case if you are choosing to reject emails with no valid MX record?

Ultimately, with this setting enabled, emails from such sources will be rejected, and I don't believe there is anything you can do, other than to whitelist these addresses, convince the senders/ISP to create an MX record for the domain being used in the SMTP MAIL FROM field, disable the rule.
Back to Top
AmirSachs View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote AmirSachs Quote  Post ReplyReply Direct Link To This Post Posted: 14 June 2006 at 5:50pm
Thanks for clarifaying that.
 
> From the log snippets however it says they emails are being forward, which should not be the case if you are choosing to reject emails with no valid MX record?
 
in the process of testing we are tagging the mail, and then forwarding to the mail server, which then places it in the users spam folder. it is the users responsibility to check their spam folders for false positives.
 
HOWEVER - On the subject of DNS.
We have very (but i mean very) slow to respond DNS servers from our ISP. How can we cause spamfilter to cache dns entries? we recieve a lot of emails from local smtp servers, and we often see that at busy periods spamfilters is unable to resolve an ip, which it resolved a few minutes ago.
Does anybody know of a way to speed up the windows 2000 dns service perhaps?
 
Thanks once more for your assistance.
Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 15 June 2006 at 3:47am

try entering DNS ip's from another (faster reacting) ISP



Edited by Marco
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
AmirSachs View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote AmirSachs Quote  Post ReplyReply Direct Link To This Post Posted: 15 June 2006 at 8:27am

Marco - thanks for the advice.

We obviously tried that, but it seems that DNS is slooowww in South Africa.

Can SpamFilter cache DNS entries, in a similar way it does the blacklisted ips? would be a great feature and will reduce the load on cpu/ram as well as traffic.

 

Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 15 June 2006 at 10:03am
maybe setting up your own DNS server is an option?
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
WebGuyz View Drop Down
Senior Member
Senior Member


Joined: 09 May 2005
Location: United States
Status: Offline
Points: 348
Post Options Post Options   Thanks (0) Thanks(0)   Quote WebGuyz Quote  Post ReplyReply Direct Link To This Post Posted: 15 June 2006 at 10:07am

Buy a DNS server and install it locally. We use SimpleDNS and it has the ability to cache and you can set the hours/days. I'm sure there are other 3rd party DNS servers that do caching as well.

Spam filtering is VERY DNS intense and not having a fast local DNS server would be a liability.

http://www.webguyz.net
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 15 June 2006 at 5:34pm
I use the built in Windows 2000/2003 DNS server on the same machine as SpamFilter and set it as a cache only server.  I then point SpamFilter to that DNS with my internal DNS servers after that.   I reset the cache however every 1:00am with a scheduled task with net stop and net start DNS commands.  Has always worked well for me.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.133 seconds.