yet another MX record query
AmirSachs
Guest Group
Posted: 13 June 2006 at 6:46am
Hi,
I have read the threads regarding the MX record and DNS issues, but still don't understand this. I have pasted below an extract from the log and message headers. The second log extract shows exactly the same behaviour but from a different host.
The email is being sent from @za.verizonbusiness.com which has valid MX records. Why does logsat report that the email is from "EMail from dnsar@mx01.uunet.co.za" (4th line on the log), and why is it considered to be spam?
The options "reject if no reverse dns" and "reject if sender domain has invalid MX record" are selected.
Surely the "reject if sender domain has no invalid mx record" isn't true here, as is evident from an nslookup for za.verizonbusiness.com.
The most peculiar thing here is the return-path: where does this value come from, and why is SpamFilter checking against this value as opposed to the sender value?
Thanks for your assistance
Amir
Here are extracts from the logfile:
06/13/06 09:57:30:375 -- (2700) Connection from: 196.31.48.143 - Originating country : South Africa
06/13/06 09:57:30:578 -- (2700) Resolving 196.31.48.143 - mx01.uunet.co.za
06/13/06 09:57:30:640 -- (2700) - Invalid MX record -
06/13/06 09:57:30:640 -- (2700) 196.31.48.143 - Mail from: dnsar@mx01.uunet.co.za To: julian@???????.??? will be spam-tagged
06/13/06 09:57:30:703 -- (2700) EMail from dnsar@mx01.uunet.co.za to julian@?????????.??? was queued. Size: 1 KB, 1024 bytes
06/13/06 09:57:30:703 -- (2108) Sending email from dns-admin@za.verizonbusiness.com to julian@????????.???
06/13/06 09:57:30:750 -- (1932) Time to add Msg to Bayes corpus:0
06/13/06 09:57:30:781 -- (2700) Blacklist cache - Added 196.31.48.143 to limbo
06/13/06 09:57:30:781 -- (2700) Disconnect
06/13/06 09:57:32:375 -- (2108) EMail from dns-admin@za.verizonbusiness.com to julian@??????????.??? was forwarded to 000.00.00.00:25
06/13/06 09:59:56:546 -- (2300) Connection from: 206.223.136.195 - Originating country : South Africa
06/13/06 09:59:56:781 -- (2300) Resolving 206.223.136.195 - ns0.coza.net.za
06/13/06 09:59:56:828 -- (2300) - Invalid MX record -
06/13/06 09:59:56:828 -- (2300) 206.223.136.195 - Mail from: coza@ns0.coza.net.za To: xxxxx@???????.??? will be spam-tagged
06/13/06 09:59:56:875 -- (2300) - Invalid MX record -
06/13/06 09:59:56:875 -- (2300) 206.223.136.195 - Mail from: coza@ns0.coza.net.za To: xxxxxx@???????.??? will be spam-tagged
06/13/06 09:59:57:078 -- (2300) EMail from coza@ns0.coza.net.za to xxxxxxx@?????????.???, xxxxx@?????????.??? was queued. Size: 2 KB, 2048 bytes
06/13/06 09:59:57:078 -- (2188) Sending email from ticketman@co.za to xxxxxx@????????.???, xxx@?????????.???
06/13/06 09:59:57:125 -- (1932) Time to add Msg to Bayes corpus:0
06/13/06 09:59:58:859 -- (2188) EMail from ticketman@co.za to xxxxxx@????????.???, xxx@?????????.??? was forwarded to 000.00.00.00:25
06/13/06 10:00:01:203 -- (2300) Blacklist cache - Added 206.223.136.195 to limbo
06/13/06 10:00:01:203 -- (2300) Disconnect
The message headers are:
Reply-To: "Verizon Business DNS Team" <dns-admin@za.verizonbusiness.com>
From: "Verizon Business DNS Team" <dns-admin@za.verizonbusiness.com>
To: <julian@????????????>
Subject: {SPAMF} Your message to dns-admin@za.verizonbusiness.com
Date: Tue, 13 Jun 2006 09:56:30 +0200
Message-ID: <200606130756.k5D7uUFK079027@mx01.uunet.co.za>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcaOvtQZhSIvggmbQ2alW7MHQ9gE+Q==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-SF-RX-Return-Path: <dnsar@mx01.uunet.co.za> SIZE=2594
X-SF-HELO-Domain: mx01.uunet.co.za
X-SF-SPAM: Y
* This is an automated response *
Thank you for contacting the Verizon Business Customer Service Centre.
This auto-response confirms that we have received your DNS query.
lyndonje
Senior Member Joined: 31 January 2006 Location: United Kingdom Status: Offline Points: 192
The SMTP MAIL FROM and Email Header From: fields do not have to be the same and therefore can be different.
SF does the MX record check on the SMTP MAIL FROM address, which is being passed by the sending server as dnsar@mx01.uunet.co.za. SF is correctly detecting that mx01.uunet.co.za indeed has no MX records. The SMTP MAIL FROM address is normally used for bounce backs and return paths; this is more of a 'technical' address which is lost as soon as an email reaches the destination mailbox, hence why SF adds the X-SF-RX-Return-Path: <dnsar@mx01.uunet.co.za> SIZE=2594 header for debugging. The Email Header From: field is more cosmetic and is what the recipient's mail client uses to display the sender's information, and reply to unless a Reply-To header is specified. Although the two fields can be different, the majority of the time they are the same.
From the log snippets however it says the emails are being forwarded, which should not be the case if you are choosing to reject emails with no valid MX record? Ultimately, with this setting enabled, emails from such sources will be rejected, and I don't believe there is anything you can do, other than to whitelist these addresses, convince the senders/ISP to create an MX record for the domain being used in the SMTP MAIL FROM field, or disable the rule.
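Added example (not part of the original thread, and not LogSat code): a Python sketch that reads the X-SF-RX-Return-Path header and the "Invalid MX record" log entries quoted in the first post and shows that the domain the MX rule examined is the envelope MAIL FROM domain, not the From: domain the user sees. The function names are hypothetical, and the masked recipient is replaced with julian@example.invalid.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: values copied from the post above; recipient replaced
# with a placeholder because the original is masked.
HEADERS = '''From: "Verizon Business DNS Team" <dns-admin@za.verizonbusiness.com>
X-SF-RX-Return-Path: <dnsar@mx01.uunet.co.za> SIZE=2594
X-SF-HELO-Domain: mx01.uunet.co.za

* This is an automated response *
'''
LOG = '''06/13/06 09:57:30:640 -- (2700) - Invalid MX record -
06/13/06 09:57:30:640 -- (2700) 196.31.48.143 - Mail from: dnsar@mx01.uunet.co.za To: julian@example.invalid will be spam-tagged
06/13/06 09:57:30:703 -- (2108) Sending email from dns-admin@za.verizonbusiness.com to julian@example.invalid
'''
ENTRY = re.compile(r"-- \((\d+)\) (.*)$")  # connection id, message text

def sender_identities(raw):
    """Return (envelope MAIL FROM, header From:) of a SpamFilter-stamped message."""
    msg = message_from_string(raw)
    # The header holds the MAIL FROM path in <> followed by a SIZE= parameter.
    m = re.search(r"<([^>]*)>", msg.get("X-SF-RX-Return-Path", ""))
    return (m.group(1) if m else ""), parseaddr(msg.get("From", ""))[1]

def mx_flagged_envelopes(log):
    """Map connection id -> envelope senders logged right after an MX failure."""
    flagged, pending = {}, set()
    for line in log.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        conn, text = m.groups()
        sender = re.search(r"Mail from: (\S+)", text)
        if "Invalid MX record" in text:
            pending.add(conn)
        elif sender and conn in pending:
            flagged.setdefault(conn, set()).add(sender.group(1))
            pending.discard(conn)
    return flagged

def explain(raw, log):
    """Show which domain the MX rule examined versus the one the user sees."""
    envelope, shown = sender_identities(raw)
    flagged = set().union(*mx_flagged_envelopes(log).values())
    dom = lambda a: a.rpartition("@")[2].lower()
    return {"mx_checked_domain": dom(envelope), "displayed_domain": dom(shown),
            "mismatch": dom(envelope) != dom(shown),
            "envelope_flagged": envelope in flagged}

if __name__ == "__main__":
    print(explain(HEADERS, LOG))
```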
AmirSachs
Guest Group
Thanks for clarifying that.
> From the log snippets however it says the emails are being forwarded, which should not be the case if you are choosing to reject emails with no valid MX record?
In the process of testing we are tagging the mail, and then forwarding to the mail server, which then places it in the user's spam folder. It is the user's responsibility to check their spam folders for false positives.
HOWEVER - On the subject of DNS.
We have very (but I mean very) slow to respond DNS servers from our ISP. How can we cause SpamFilter to cache DNS entries? We receive a lot of emails from local SMTP servers, and we often see that at busy periods SpamFilter is unable to resolve an IP which it resolved a few minutes ago.
Does anybody know of a way to speed up the Windows 2000 DNS service perhaps?
Thanks once more for your assistance.
Marco
Senior Member Joined: 07 June 2005 Location: Netherlands Status: Offline Points: 137
Try entering DNS IPs from another (faster reacting) ISP.
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
AmirSachs
Guest Group
Marco - thanks for the advice. We obviously tried that, but it seems that DNS is slooowww in South Africa. Can SpamFilter cache DNS entries, in a similar way to what it does with the blacklisted IPs? It would be a great feature and would reduce the load on CPU/RAM as well as traffic.
Marco
Senior Member Joined: 07 June 2005 Location: Netherlands Status: Offline Points: 137
Maybe setting up your own DNS server is an option?
WebGuyz
Senior Member Joined: 09 May 2005 Location: United States Status: Offline Points: 348
Buy a DNS server and install it locally. We use SimpleDNS and it has the ability to cache and you can set the hours/days. I'm sure there are other 3rd party DNS servers that do caching as well. Spam filtering is VERY DNS intense and not having a fast local DNS server would be a liability.
http://www.webguyz.net
Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
I use the built in Windows 2000/2003 DNS server on the same machine as SpamFilter and set it as a cache only server. I then point SpamFilter to that DNS with my internal DNS servers after that. I reset the cache however every 1:00am with a scheduled task with net stop and net start DNS commands. Has always worked well for me.
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com