
invalid MX record anomaly

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5139
Printed Date: 13 March 2025 at 5:34pm


Topic: invalid MX record anomaly
Posted By: Guests
Subject: invalid MX record anomaly
Date Posted: 25 April 2005 at 4:17pm
I had a user forward an email to me today and was curious as to why it was flagged as spam.  It was sent from their personal account to themselves and several of their colleagues at their workplace, which is the domain we host.

Their personal email address is listed in our exclude from white list and all other emails that they sent bypassed all rules according to the logs, however this one didn't:

04/24/05 12:40:56:040 -- (4092) Connection from: 204.127.202.56  -  Originating country : United States
04/24/05 12:40:56:370 -- (4092) Resolving 204.127.202.56 - sccrmhc12.comcast.net
04/24/05 12:40:56:681 -- (4092) Mail from: danielschwartz@comcast.net
04/24/05 12:40:58:193 -- (4092) - MAPS search done...
04/24/05 12:40:58:193 -- (4092) RCPT TO: dhaslam@rivr.com accepted
04/24/05 12:40:58:243 -- (4092) Bypassed all rules for: dschwartz@rivr.com from danielschwartz@comcast.net
04/24/05 12:40:58:343 -- (4092) - Invalid MX record -
04/24/05 12:40:58:343 -- (4092) 204.127.202.56 - Mail from: danielschwartz@comcast.net To: rlundgren@rivr.com will be spam-tagged
04/24/05 12:40:58:513 -- (4092) EMail from danielschwartz@comcast.net to dhaslam@rivr.com, dschwartz@rivr.com, rlundgren@rivr.com was queued. Size: 24 KB, 24576 bytes

I'm assuming this may be because the invalid mx record may override any whitelisting....is that correct?

I did some testing on dnsstuff.com to see if comcast may be having some issues with their dns records, because it's hard to believe they would have an invalid mx record...that's sort of like AOL coming back with an invalid mx record.  Upon investigating, I discovered that dns01.jdc01.pa.comcast.net. [68.87.96.3] intermittently times out up to three times during the query before finally reporting back with forwarding the query to gateway-r.comcast.net.




Replies:
Posted By: LogSat
Date Posted: 25 April 2005 at 10:50pm
Fred,

What build of SpamFilter are you using? Usually if a sender is whitelisted, they should not be "spam-tagged". Have you tried using the latest 2.5 version to see if it solves the problem?



-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: Guests
Date Posted: 25 April 2005 at 11:20pm
Originally posted by LogSat:

Fred,

What build of SpamFilter are you using? Usually if a sender is whitelisted, they should not be "spam-tagged". Have you tried using the latest 2.5 version to see if it solves the problem?



Yes, I'm using 2.5.1.441



Posted By: Dan B
Date Posted: 26 April 2005 at 3:24pm

R,

I'm also seeing this happen when we have entries in the domains & email from in the whitelist.

Here is an example.

04/26/05 05:36:30:452 -- (1052) Connection from: 66.94.237.43  -  Originating country : United States
04/26/05 05:36:30:963 -- (1052) Resolving 66.94.237.43 - n9a.bulk.scd.yahoo.com
04/26/05 05:36:31:153 -- (1052) Mail from: sentto-342201-58373-1114508181-username@mydomain.com@returns .groups.yahoo.com
04/26/05 05:36:31:233 -- (1052) - MAPS search done... 521 -1 The IP 66.94.237.43 is Blacklisted by bl.spamcop.net. Blocked - see http://www.spamcop.net/bl.shtml?66.94.237.43
04/26/05 05:36:31:263 -- (1052) 66.94.237.43 - Mail from: sentto-342201-58373-1114508181-username@mydomain.com@returns .groups.yahoo.com To: username@mydomain.com will be rejected
04/26/05 05:36:32:365 -- (1052) EMail from sentto-342201-58373-1114508181-username@mydomain.com@returns .groups.yahoo.com to username@mydomain.com was received and quarantined. Size: 9 KB, 9216 bytes
04/26/05 05:36:32:365 -- (1052) Disconnect


Here is what I have listed in my entry in email from whitelist.
((?i)((\w)+@returns\.groups\.yahoo\.com))

When I test it in the RegEx Test it works correctly with a "Found"
Registered Ver 2.5.1.441


Thanks,
Dan B



Posted By: Desperado
Date Posted: 26 April 2005 at 7:26pm

Dan,

What is that space in the returns .groups.yahoo.com ?

Is that just a typo or is it real?

Regards,



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: LogSat
Date Posted: 26 April 2005 at 10:34pm
Originally posted by Fred Dickey:



04/24/05 12:40:58:193 -- (4092) RCPT TO: dhaslam@rivr.com accepted

04/24/05 12:40:58:243 -- (4092) Bypassed all rules for: dschwartz@rivr.com from danielschwartz@comcast.net

04/24/05 12:40:58:343 -- (4092) 204.127.202.56 - Mail from: danielschwartz@comcast.net To: rlundgren@rivr.com will be spam-tagged

04/24/05 12:40:58:513 -- (4092) EMail from danielschwartz@comcast.net to dhaslam@rivr.com, dschwartz@rivr.com, rlundgren@rivr.com was queued. Size: 24 KB, 24576 bytes



Fred,

This email was unusual in that it had three recipients, one of which was whitelisted, and it had, as you noticed, a failure of the MX record when performing a check for one of the recipients. The failure is also unusual, as DNS timeouts are not treated as errors, while in this instance the DNS server returned "something" that caused the MX record to mismatch. Without further information, unfortunately, it is going to be hard to troubleshoot the situation.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
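
The per-recipient split described in the reply above is easier to see when the session is parsed rather than read. This is an added example, not LogSat code: the line patterns are inferred only from the log excerpts in this thread, and attributing a failed test to the next verdict line in the same session is an assumption.

```python
import re
from collections import defaultdict

# Log lines copied from the first post in this thread (session 4092).
LOG = """\
04/24/05 12:40:58:193 -- (4092) RCPT TO: dhaslam@rivr.com accepted
04/24/05 12:40:58:243 -- (4092) Bypassed all rules for: dschwartz@rivr.com from danielschwartz@comcast.net
04/24/05 12:40:58:343 -- (4092) - Invalid MX record -
04/24/05 12:40:58:343 -- (4092) 204.127.202.56 - Mail from: danielschwartz@comcast.net To: rlundgren@rivr.com will be spam-tagged
04/24/05 12:40:58:513 -- (4092) EMail from danielschwartz@comcast.net to dhaslam@rivr.com, dschwartz@rivr.com, rlundgren@rivr.com was queued. Size: 24 KB, 24576 bytes
"""

# timestamp -- (session id) message
LINE = re.compile(r"^(\S+ \S+) -- \((\d+)\) (.*)$")
# Per-recipient outcomes, limited to the message shapes visible in this thread.
OUTCOMES = [
    (re.compile(r"^RCPT TO: (\S+) accepted$"), "accepted"),
    (re.compile(r"^Bypassed all rules for: (\S+) from "), "whitelisted"),
    (re.compile(r" To: (\S+) will be (spam-tagged|rejected)$"), None),
]
TEST_FAILED = re.compile(r"^- (Invalid MX record) -$")

def per_recipient(log_text):
    """Return {session_id: {recipient: (outcome, reason)}}."""
    sessions = defaultdict(dict)
    last_failure = {}  # session id -> most recent failed test in that session
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, sid, msg = m.groups()
        failed = TEST_FAILED.match(msg)
        if failed:
            last_failure[sid] = failed.group(1)
            continue
        for pattern, label in OUTCOMES:
            hit = pattern.search(msg)
            if hit:
                outcome = label or hit.group(2)
                # Assumption: a verdict line is caused by the failure logged just before it.
                reason = last_failure.pop(sid, None) if label is None else None
                sessions[sid][hit.group(1)] = (outcome, reason)
                break
    return dict(sessions)
```

Run over session 4092, it shows one message with three different recipient outcomes, which is why the whitelist bypass and the spam tag appear in the same log.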


Posted By: LogSat
Date Posted: 26 April 2005 at 10:37pm
Originally posted by Dan B:

04/26/05 05:36:31:153 -- (1052) Mail from: sentto-342201-58373-1114508181-username@mydomain.com@returns .groups.yahoo.com



Dan B,

As Dan S. correctly pointed out, there appears to be an (invalid) space in the email address after returns. Furthermore, there's two @ signs in there... Don't know if these are all typos or not, but if they are not, they would indeed cause the whitelisted entry to fail.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: Dan B
Date Posted: 27 April 2005 at 11:51am

Sorry about the above...   Here is the correct email from address:
sentto-342201-58373-1114508181-username=mydomainname.com@returns.groups.yahoo.com
I was removing the valid email address and I must have hit the space bar. But anyhow, it is still blocking them due to the IP address being blacklisted.

And the RegEx is correct in the email from whitelist:
((?i)((\w)+@returns\.groups\.yahoo\.com))

And here is an example that is being caught from the domain whitelist.

We have Ebay customers getting SPF rejects when people email inquiring info about item using Ebay's web forms.
So I have this regex to whitelist Ebay's mailserver's qualified domains:  (((\w+.)|(\w+\.)+)ebay.com)  This also works in the RegEx Testing.   Here are the logs for the above.


04/26/05 14:47:51:520 -- (1264) Connection from: 66.135.197.28  -  Originating country : United States
04/26/05 14:47:51:851 -- (1264) Resolving 66.135.197.28 - mxpool22.ebay.com
04/26/05 14:47:51:931 -- (1264) failed SPF test (softfail) - Disconnecting 66.135.197.28
04/26/05 14:47:51:931 -- (1264) 66.135.197.28 - Mail from: email@otherdomain.com To: email@mydomain.com will be rejected
04/26/05 14:47:52:572 -- (1264) EMail from email@otherdomain.com to email@mydomain.com was received and quarantined. Size: 14 KB, 14336 bytes
04/26/05 14:47:52:572 -- (1264) Disconnect

Thanks,

Dan B
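
Both whitelist patterns in the post above can be checked against lookalike values as well as the intended ones. The sketch below is an added example, not part of Dan B's post or of SpamFilter: it uses Python's `re` as a stand-in for the filter's engine, assumes the filter does an unanchored search (as the "Found" tester result suggests), and the `STRICT_*` patterns and `example.net` values are constructed here.

```python
import re

# Patterns as posted in the thread. The inline (?i) is moved to re.IGNORECASE
# because Python only accepts global inline flags at the start of a pattern.
POSTED_FROM = r"(((\w)+@returns\.groups\.yahoo\.com))"
POSTED_DOMAIN = r"(((\w+.)|(\w+\.)+)ebay.com)"

# Hardened variants (assumption: the filter's engine supports anchors and
# character classes the way Python's re does).
STRICT_FROM = r"^[\w.=+-]+@returns\.groups\.yahoo\.com$"
STRICT_DOMAIN = r"^([a-z0-9-]+\.)+ebay\.com$"

def found(pattern, value):
    """Mimic a 'Found' tester: unanchored, case-insensitive search."""
    return re.search(pattern, value, re.IGNORECASE) is not None

# Test values: the first of each list is from the thread, the rest are constructed.
FROM_CASES = [
    "sentto-342201-58373-1114508181-username=mydomainname.com@returns.groups.yahoo.com",
    "user@returns.groups.yahoo.com.example.net",
]
DOMAIN_CASES = [
    "mxpool22.ebay.com",
    "mxpool22.ebay.com.example.net",  # whitelisted name used as a prefix
    "mail.notebay.com",               # unescaped first dot matches the 't'
    "mail.ebay-com.example.net",      # unescaped second dot matches the '-'
]

def compare():
    """Return {value: (posted_result, strict_result)} for every case."""
    table = {}
    for value in FROM_CASES:
        table[value] = (found(POSTED_FROM, value), found(STRICT_FROM, value))
    for value in DOMAIN_CASES:
        table[value] = (found(POSTED_DOMAIN, value), found(STRICT_DOMAIN, value))
    return table

if __name__ == "__main__":
    for value, (posted, strict) in compare().items():
        print(f"posted={posted!s:5} strict={strict!s:5} {value}")
```

The legitimate values match under both forms; only the posted patterns also match the constructed lookalikes, because they are unanchored and leave the dots in `ebay.com` unescaped.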



Posted By: Dan B
Date Posted: 27 April 2005 at 12:35pm

Update from above..

I looked at today's logs and I'm now seeing the bypass going into effect.  Even though they were added Monday morning and both were in the SF dialog boxes.  It took 48 hours to start working..  Something very strange is going on.

Thanks

Dan B



Posted By: Dan B
Date Posted: 27 April 2005 at 3:23pm

I do have another issue with this topic of thread.

I'm seeing the rejection of Invalid MX DNS record for the following domain

tchesc.org  when in fact they do have a valid mx record.  Here is a nslookup on the domain

Non-authoritative answer:
tchesc.org      MX preference = 10, mail exchanger = tchesc.org
tchesc.org      internet address = 66.144.201.129

Here are the logs for this issue.
04/25/05 15:03:27:062 -- (780) Connection from: 66.144.201.129  -  Originating country : United States
04/25/05 15:03:27:593 -- (780) Resolving 66.144.201.129 - tchesc.k12.oh.us
04/25/05 15:03:29:140 -- (780) - Invalid MX record -
04/25/05 15:03:29:140 -- (780) 66.144.201.129 - Mail from: emailaddress@tchesc.org To: email@mydomain.com will be rejected
04/25/05 15:03:29:390 -- (780) EMail from emailaddress@tchesc.org to email@mydomain.com was received and quarantined. Size: 1 KB, 1024 bytes
04/25/05 15:03:29:390 -- (780) Disconnect

Is this the way it's supposed to work?  I was thinking it was looking at the from email address and seeing if there was a valid MX record for that domain or is it a bug?

Thanks,
Dan B



Posted By: LogSat
Date Posted: 27 April 2005 at 4:30pm
Dan,

The tchesc.org domain looks good to us as well as far as the MX is concerned, and right now we do not see a reason for it to fail the test as it did before (unless the MX record was invalid on the 25th and has been fixed since).

We're preparing a new private build that hopefully should provide more details on what is wrong with the MX record when the test fails, we'll be making it available to you within 6/24 hours if you wish, after it passes some additional QA testing.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: LogSat
Date Posted: 30 April 2005 at 5:43pm
Build 2.5.1.448 is available in the registered user area. It displays the additional logging mentioned above.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


