Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - invalid MX record anomoly
  FAQ FAQ  Forum Search   Register Register  Login Login

invalid MX record anomoly
 Post Reply Post Reply
Author
  Topic Search Topic Search  Topic Options Topic Options
Fred Dickey View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Fred Dickey Quote  Post ReplyReply Direct Link To This Post Topic: invalid MX record anomoly
    Posted: 25 April 2005 at 4:17pm
I had a user forward an email to me today and was curious as to why it was flagged as spam.  It was sent from their personal account to themselves and serveral of their colleagues at their workplace which is the domain we host.

Their personal email address is listed in our exclude from white list and all other emails that they sent bypassed all rules according to the logs, however this one didn't:

04/24/05 12:40:56:040 -- (4092) Connection from: 204.127.202.56  -  Originating country : United States
04/24/05 12:40:56:370 -- (4092) Resolving 204.127.202.56 - sccrmhc12.comcast.net
04/24/05 12:40:56:681 -- (4092) Mail from: danielschwartz@comcast.net
04/24/05 12:40:58:193 -- (4092) - MAPS search done...
04/24/05 12:40:58:193 -- (4092) RCPT TO: dhaslam@rivr.com accepted
04/24/05 12:40:58:243 -- (4092) Bypassed all rules for: dschwartz@rivr.com from danielschwartz@comcast.net
04/24/05 12:40:58:343 -- (4092) - Invalid MX record -
04/24/05 12:40:58:343 -- (4092) 204.127.202.56 - Mail from: danielschwartz@comcast.net To: rlundgren@rivr.com will be spam-tagged
04/24/05 12:40:58:513 -- (4092) EMail from danielschwartz@comcast.net to dhaslam@rivr.com, dschwartz@rivr.com, rlundgren@rivr.com was queued. Size: 24 KB, 24576 bytes

I'm assuming this may be because the invalid mx record may override any whitelisting....is that correct?

I did some testing on dnsstuff.com to see if comcast may be having some issues with their dns records, because it's hard to believe they would have an invalid mx record...that's sort of like AOL coming back with an invalid mx record.  Upon investigating, I discovered that dns01.jdc01.pa.comcast.net. [68.87.96.3] intermittently times out up to three times during the query before finally reporting back with forwarding the query to gateway-r.comcast.net.

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 25 April 2005 at 10:50pm
Fred,

What build of SpamFilter are you using? Usually if a sender is whitelisted, they should not be "spam-tagged". Have you tried using the latest 2.5 version to see if it solves the problem?
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Fred Dickey View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Fred Dickey Quote  Post ReplyReply Direct Link To This Post Posted: 25 April 2005 at 11:20pm
Originally posted by LogSat LogSat wrote:

Fred,

What build of SpamFilter are you using? Usually if a sender is whitelisted, they should not be "spam-tagged". Have you tried using the latest 2.5 version to see if it solves the problem?



Yes, I'm using 2.5.1.441
Back to Top
Dan B View Drop Down
Senior Member
Senior Member
Avatar

Joined: 09 February 2005
Location: United States
Status: Offline
Points: 105 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Dan B Quote  Post ReplyReply Direct Link To This Post Posted: 26 April 2005 at 3:24pm

R,

I'm also seeing this happen when we have entries in the domains & email from in the whitelist.

Here is an example.

04/26/05 05:36:30:452 -- (1052) Connection from: 66.94.237.43  -  Originating country : United States
04/26/05 05:36:30:963 -- (1052) Resolving 66.94.237.43 - n9a.bulk.scd.yahoo.com
04/26/05 05:36:31:153 -- (1052) Mail from: sentto-342201-58373-1114508181-username@mydomain.com@returns .groups.yahoo.com
04/26/05 05:36:31:233 -- (1052) - MAPS search done... 521 -1 The IP 66.94.237.43 is Blacklisted by bl.spamcop.net. Blocked - see http://www.spamcop.net/bl.shtml?66.94.237.43
04/26/05 05:36:31:263 -- (1052) 66.94.237.43 - Mail from: sentto-342201-58373-1114508181-username@mydomain.com@returns .groups.yahoo.com To: username@mydomain.com will be rejected
04/26/05 05:36:32:365 -- (1052) EMail from sentto-342201-58373-1114508181-username@mydomain.com@returns .groups.yahoo.com to username@mydomain.com was received and quarantined. Size: 9 KB, 9216 bytes
04/26/05 05:36:32:365 -- (1052) Disconnect


Here is what I have listed in my entry in email from whitelist.
((?i)((\w)+@returns\.groups\.yahoo\.com))

When I test it in the RegEx Test it works correctly with a "Found"
Registerd Ver 2.5.1.441


Thanks,
Dan B
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 26 April 2005 at 7:26pm

Dan,

What is that space in the returns .groups.yahoo.com ?

Is that just a typo or is it real?

Regards,



Edited by Desperado
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 26 April 2005 at 10:34pm
Originally posted by Fred Dickey Fred Dickey wrote:



04/24/05 12:40:58:193 -- (4092) RCPT TO: dhaslam@rivr.com accepted

04/24/05 12:40:58:243 -- (4092) Bypassed all rules for: dschwartz@rivr.com from danielschwartz@comcast.net

04/24/05 12:40:58:343 -- (4092) 204.127.202.56 - Mail from: danielschwartz@comcast.net To: rlundgren@rivr.com will be spam-tagged

04/24/05 12:40:58:513 -- (4092) EMail from danielschwartz@comcast.net to dhaslam@rivr.com, dschwartz@rivr.com, rlundgren@rivr.com was queued. Size: 24 KB, 24576 bytes



Fred,

This email was unusual in that it had three recipients, one of which was whitelisted, and it had, as you noticed, a failure of the MX record when performing a check for one of the recipients. The failure is also unusual, as DNS timeouts are not treated as errors, while in this instance the DNS server returned "something" that caused the MX record to mismatch. Without further information unfortunately it is goint to be hard to troubleshoot the situation.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 26 April 2005 at 10:37pm
Originally posted by Dan B Dan B wrote:

04/26/05 05:36:31:153 -- (1052) Mail from: sentto-342201-58373-1114508181-username@mydomain.com@returns .groups.yahoo.com



Dan B,

As Dan S. correctly pointed out, there appears to be a (invalid) space in the email address after returns. Furthermore, there's two @ signs in there... Don't know if these are all typos or not, but if they are not, they would indeed cause the whitelisted entry to fail.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Dan B View Drop Down
Senior Member
Senior Member
Avatar

Joined: 09 February 2005
Location: United States
Status: Offline
Points: 105 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Dan B Quote  Post ReplyReply Direct Link To This Post Posted: 27 April 2005 at 11:51am

Sorry about the above...   Here is the correct email from address:
sentto-342201-58373-1114508181-username=mydomainname.com@ret urns.groups.yahoo.com  I was removing the valid email address and I must of hit the space bar. But anyhow, it is still blocking them due to the ip address is being blacklisted.

And the RegEx is correct in the email from whitelist:
((?i)((\w)+@returns\.groups\.yahoo\.com))

And here is an example that is being caught from the domain whitelist.

We have Ebay customers geting SPF rejects when people email inquiring info about item using Ebay's web forms.
So I have this regex to whitelisted Ebay's mailserver's qualified domains:  (((\w+.)|(\w+\.)+)ebay.com)  This too also works in the RegEx Testing.   Here are the logs for the above.


04/26/05 14:47:51:520 -- (1264) Connection from: 66.135.197.28  -  Originating country : United States
04/26/05 14:47:51:851 -- (1264) Resolving 66.135.197.28 - mxpool22.ebay.com
04/26/05 14:47:51:931 -- (1264) failed SPF test (softfail) - Disconnecting 66.135.197.28
04/26/05 14:47:51:931 -- (1264) 66.135.197.28 - Mail from: email@otherdomain.com To: email@mydomain.com will be rejected
04/26/05 14:47:52:572 -- (1264) EMail from email@otherdomain.com to email@mydomain.com was received and quarantined. Size: 14 KB, 14336 bytes
04/26/05 14:47:52:572 -- (1264) Disconnect

Thanks,

Dan B
Back to Top
Dan B View Drop Down
Senior Member
Senior Member
Avatar

Joined: 09 February 2005
Location: United States
Status: Offline
Points: 105 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Dan B Quote  Post ReplyReply Direct Link To This Post Posted: 27 April 2005 at 12:35pm

Update from above..

I looked at todays logs and I'm now seeing the bypass going into effect.  Even tho they were added Monday morning and both were in the SF dialog boxes.  It took 48 hours to start working..  Something is very strange is going on.

Thanks

Dan B
Back to Top
Dan B View Drop Down
Senior Member
Senior Member
Avatar

Joined: 09 February 2005
Location: United States
Status: Offline
Points: 105 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Dan B Quote  Post ReplyReply Direct Link To This Post Posted: 27 April 2005 at 3:23pm

I do have another issue with this topic of thread.

I'm seeing the rejection of Invalid MX DNS record for the following domain

tchesc.org  when in fact they do have a valid mx record.  Here is a nslookup on the domain

Non-authoritative answer:
tchesc.org      MX preference = 10, mail exchanger = tchesc.org
tchesc.org      internet address = 66.144.201.129

Here is the logs for this issue.
04/25/05 15:03:27:062 -- (780) Connection from: 66.144.201.129  -  Originating country : United States
04/25/05 15:03:27:593 -- (780) Resolving 66.144.201.129 - tchesc.k12.oh.us
04/25/05 15:03:29:140 -- (780) - Invalid MX record -
04/25/05 15:03:29:140 -- (780) 66.144.201.129 - Mail from: emailaddress@tchesc.org To: email@mydomain.com will be rejected
04/25/05 15:03:29:390 -- (780) EMail from emailaddress@tchesc.org to email@mydomain.com was received and quarantined. Size: 1 KB, 1024 bytes
04/25/05 15:03:29:390 -- (780) Disconnect

Is this the way it's suppose to work?  I was thinking it was looking at the from email address and seeing if there was a valid MX record for that domain or is it a bug?

Thanks,
Dan B
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 27 April 2005 at 4:30pm
Dan,

The tchesc.org domain looks good to us as well as far as the MX is concerned, and right now do not see a reason for it to fail the test as it did before (unless the MX record was invalid on the 25th and has been fixed since).

We're preparing a new private build that hopefully should provide more details on what is wrong with the MX record when the test fails, we'll be making it available to you within 6/24 hours if you wish, after it passes some additional QA testing.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 30 April 2005 at 5:43pm
Build 2.5.1.448 is available in the registered user area. It displays the additional logging mentioned above.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.188 seconds.

Copyright (c)2002-2021 LogSat Software LLC - Sales: sales@LogSat.com
Contact Us