Spam Filter ISP Support - yet another MX record query

yet another MX record query

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5663
Printed Date: 26 December 2024 at 5:17am

Topic: yet another MX record query

Posted By: Guests
Subject: yet another MX record query
Date Posted: 13 June 2006 at 6:46am

Hi,

i have read the threads regarding the MX record and DNS issues, but still don't understand this. I have pasted below extract from the log and message headers. the second log extract shows exactly the same behaviour but from a different host.

The email is being sent from @za.verizonbusiness.com which has valid MX records. Why does logsat report that the email is from "EMail from mailto:dnsar@mx01.uunet.co.za - dnsar@mx01.uunet.co.za " (4th line on the log), and why is it considered to be spam?

The options "reject if no reverse dns" and "reject if sender domain has invalid MX record" are selected.

Surely the "reject if sender domain has no invalid mx record" isn't true here, as is evident from a nslookup for za.verizonbusiness.com.

the most peculiar thing here is the return-path, where does this value come from, and why is spamfilter checking against this value as opposed to the sender value?

Thanks for your assistance

Amir

Here are extracts from the logfile:

06/13/06 09:57:30:375 -- (2700) Connection from: 196.31.48.143 - Originating country : South Africa
06/13/06 09:57:30:578 -- (2700) Resolving 196.31.48.143 - mx01.uunet.co.za
06/13/06 09:57:30:640 -- (2700) - Invalid MX record -
06/13/06 09:57:30:640 -- (2700) 196.31.48.143 - Mail from: mailto:dnsar@mx01.uunet.co.za - dnsar@mx01.uunet.co.za To: julian@???????.??? will be spam-tagged
06/13/06 09:57:30:703 -- (2700) EMail from mailto:dnsar@mx01.uunet.co.za - dnsar@mx01.uunet.co.za to julian@?????????.??? was queued. Size: 1 KB, 1024 bytes
06/13/06 09:57:30:703 -- (2108) Sending email from mailto:dns-admin@za.verizonbusiness.com - dns-admin@za.verizonbusiness.com to julian@????????.???
06/13/06 09:57:30:750 -- (1932) Time to add Msg to Bayes corpus:0
06/13/06 09:57:30:781 -- (2700) Blacklist cache - Added 196.31.48.143 to limbo
06/13/06 09:57:30:781 -- (2700) Disconnect
06/13/06 09:57:32:375 -- (2108) EMail from mailto:dns-admin@za.verizonbusiness.com - dns-admin@za.verizonbusiness.com to julian@??????????.??? was forwarded to 000.00.00.00:25

06/13/06 09:59:56:546 -- (2300) Connection from: 206.223.136.195 - Originating country : South Africa
06/13/06 09:59:56:781 -- (2300) Resolving 206.223.136.195 - ns0.coza.net.za
06/13/06 09:59:56:828 -- (2300) - Invalid MX record -
06/13/06 09:59:56:828 -- (2300) 206.223.136.195 - Mail from: mailto:coza@ns0.coza.net.za - coza@ns0.coza.net.za To: xxxxx@???????.??? will be spam-tagged
06/13/06 09:59:56:875 -- (2300) - Invalid MX record -
06/13/06 09:59:56:875 -- (2300) 206.223.136.195 - Mail from: mailto:coza@ns0.coza.net.za - coza@ns0.coza.net.za To: xxxxxx@???????.??? will be spam-tagged
06/13/06 09:59:57:078 -- (2300) EMail from mailto:coza@ns0.coza.net.za - coza@ns0.coza.net.za to xxxxxxx@?????????.???, xxxxx@?????????.??? was queued. Size: 2 KB, 2048 bytes
06/13/06 09:59:57:078 -- (2188) Sending email from mailto:ticketman@co.za - ticketman@co.za to xxxxxx@????????.???, xxx@?????????.???
06/13/06 09:59:57:125 -- (1932) Time to add Msg to Bayes corpus:0
06/13/06 09:59:58:859 -- (2188) EMail from mailto:ticketman@co.za - ticketman@co.za to xxxxxx@????????.???, xxx@?????????.??? was forwarded to 000.00.00.00:25
06/13/06 10:00:01:203 -- (2300) Blacklist cache - Added 206.223.136.195 to limbo
06/13/06 10:00:01:203 -- (2300) Disconnect

The message headers are:

Reply-To: "Verizon Business DNS Team" < mailto:dns-admin@za.verizonbusiness.com - dns-admin@za.verizonbusiness.com >
From: "Verizon Business DNS Team" < mailto:dns-admin@za.verizonbusiness.com - dns-admin@za.verizonbusiness.com >
To: <julian@????????????>
Subject: {SPAMF} Your message to mailto:dns-admin@za.verizonbusiness.com - dns-admin@za.verizonbusiness.com
Date: Tue, 13 Jun 2006 09:56:30 +0200
Message-ID: < mailto:200606130756.k5D7uUFK079027@mx01.uunet.co.za - 200606130756.k5D7uUFK079027@mx01.uunet.co.za >
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcaOvtQZhSIvggmbQ2alW7MHQ9gE+Q==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-SF-RX-Return-Path: < mailto:dnsar@mx01.uunet.co.za - dnsar@mx01.uunet.co.za > SIZE=2594
X-SF-HELO-Domain: mx01.uunet.co.za
X-SF-SPAM: Y

* This is an automated response *

Thank you for contacting the Verizon Business Customer Service Centre.

This auto-response confirms that we have received your DNS query.

Replies:

Posted By: lyndonje
Date Posted: 13 June 2006 at 8:42am

The SMTP MAIL FROM and Email Header From: field's do not have to be the same and therefore can be different.

SF does the MX record check on the SMTP MAIL FROM address, which is being passed by the sending server as mailto:dnsar@mx01.uunet.co.za - dnsar@mx01.uunet.co.za. SF is correctly detecting that mx01.uunet.co.za indeed has no MX records.

The SMTP MAIL FROM address is normally used for bounce backs and return paths, this is more of a 'technical' address which is lost as soon as an email reached the destination mailbox, hence why SF adds the:

X-SF-RX-Return-Path: < mailto:dnsar@mx01.uunet.co.za - dnsar@mx01.uunet.co.za > SIZE=2594.

header for debuging.

The Email Header From: field is more cosmetic and is what the recipients mail client uses to display the senders information, and reply to unless a Reply-To header is specified.

Although the two fields can be different, the majority of the time they are the same.

From the log snippets however it says they emails are being forward, which should not be the case if you are choosing to reject emails with no valid MX record?

Ultimately, with this setting enabled, emails from such sources will be rejected, and I don't believe there is anything you can do, other than to whitelist these addresses, convince the senders/ISP to create an MX record for the domain being used in the SMTP MAIL FROM field, disable the rule.

Posted By: Guests
Date Posted: 14 June 2006 at 5:50pm

Thanks for clarifaying that.

> From the log snippets however it says they emails are being forward, which should not be the case if you are choosing to reject emails with no valid MX record?

in the process of testing we are tagging the mail, and then forwarding to the mail server, which then places it in the users spam folder. it is the users responsibility to check their spam folders for false positives.

HOWEVER - On the subject of DNS.

We have very (but i mean very) slow to respond DNS servers from our ISP. How can we cause spamfilter to cache dns entries? we recieve a lot of emails from local smtp servers, and we often see that at busy periods spamfilters is unable to resolve an ip, which it resolved a few minutes ago.

Does anybody know of a way to speed up the windows 2000 dns service perhaps?

Thanks once more for your assistance.

Posted By: Marco
Date Posted: 15 June 2006 at 3:47am

try entering DNS ip's from another (faster reacting) ISP

-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams

Posted By: Guests
Date Posted: 15 June 2006 at 8:27am

Marco - thanks for the advice.

We obviously tried that, but it seems that DNS is slooowww in South Africa.

Can SpamFilter cache DNS entries, in a similar way it does the blacklisted ips? would be a great feature and will reduce the load on cpu/ram as well as traffic.

Posted By: Marco
Date Posted: 15 June 2006 at 10:03am

maybe setting up your own DNS server is an option?

-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams

Posted By: WebGuyz
Date Posted: 15 June 2006 at 10:07am

Buy a DNS server and install it locally. We use SimpleDNS and it has the ability to cache and you can set the hours/days. I'm sure there are other 3rd party DNS servers that do caching as well.

Spam filtering is VERY DNS intense and not having a fast local DNS server would be a liability.

-------------
http://www.webguyz.net

Posted By: Desperado
Date Posted: 15 June 2006 at 5:34pm

I use the built in Windows 2000/2003 DNS server on the same machine as SpamFilter and set it as a cache only server. I then point SpamFilter to that DNS with my internal DNS servers after that. I reset the cache however every 1:00am with a scheduled task with net stop and net start DNS commands. Has always worked well for me.

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com