Spam Filter ISP Support Forum


yet another MX record query

AmirSachs (Guest Group)
Posted: 13 June 2006 at 6:46am
Hi,
I have read the threads regarding the MX record and DNS issues, but still don't understand this. I have pasted below an extract from the log and the message headers. The second log extract shows exactly the same behaviour, but from a different host.
 
The email is being sent from @za.verizonbusiness.com, which has valid MX records. Why does LogSat report that the email is from "EMail from dnsar@mx01.uunet.co.za" (4th line of the log), and why is it considered to be spam?
 
The options "reject if no reverse dns" and "reject if sender domain has invalid MX record" are selected.
Surely the "reject if sender domain has no invalid mx record" isn't true here, as is evident from an nslookup for za.verizonbusiness.com.
 
The most peculiar thing here is the return-path: where does this value come from, and why is SpamFilter checking against this value as opposed to the sender value?
 
Thanks for your assistance
 
Amir
 
Here are extracts from the logfile:
06/13/06 09:57:30:375 -- (2700) Connection from: 196.31.48.143  -  Originating country : South Africa
06/13/06 09:57:30:578 -- (2700) Resolving 196.31.48.143 - mx01.uunet.co.za
06/13/06 09:57:30:640 -- (2700) - Invalid MX record -
06/13/06 09:57:30:640 -- (2700) 196.31.48.143 - Mail from: dnsar@mx01.uunet.co.za To: julian@???????.??? will be spam-tagged
06/13/06 09:57:30:703 -- (2700) EMail from dnsar@mx01.uunet.co.za to julian@?????????.??? was queued. Size: 1 KB, 1024 bytes
06/13/06 09:57:30:703 -- (2108) Sending email from dns-admin@za.verizonbusiness.com to julian@????????.???
06/13/06 09:57:30:750 -- (1932) Time to add Msg to Bayes corpus:0
06/13/06 09:57:30:781 -- (2700) Blacklist cache - Added 196.31.48.143 to limbo
06/13/06 09:57:30:781 -- (2700) Disconnect
06/13/06 09:57:32:375 -- (2108) EMail from dns-admin@za.verizonbusiness.com to julian@??????????.???  was forwarded to 000.00.00.00:25
 

06/13/06 09:59:56:546 -- (2300) Connection from: 206.223.136.195  -  Originating country : South Africa
06/13/06 09:59:56:781 -- (2300) Resolving 206.223.136.195 - ns0.coza.net.za
06/13/06 09:59:56:828 -- (2300) - Invalid MX record -
06/13/06 09:59:56:828 -- (2300) 206.223.136.195 - Mail from: coza@ns0.coza.net.za To: xxxxx@???????.??? will be spam-tagged
06/13/06 09:59:56:875 -- (2300) - Invalid MX record -
06/13/06 09:59:56:875 -- (2300) 206.223.136.195 - Mail from: coza@ns0.coza.net.za To: xxxxxx@???????.??? will be spam-tagged
06/13/06 09:59:57:078 -- (2300) EMail from coza@ns0.coza.net.za to xxxxxxx@?????????.???, xxxxx@?????????.??? was queued. Size: 2 KB, 2048 bytes
06/13/06 09:59:57:078 -- (2188) Sending email from ticketman@co.za to xxxxxx@????????.???, xxx@?????????.???
06/13/06 09:59:57:125 -- (1932) Time to add Msg to Bayes corpus:0
06/13/06 09:59:58:859 -- (2188) EMail from ticketman@co.za to xxxxxx@????????.???, xxx@?????????.???  was forwarded to 000.00.00.00:25
06/13/06 10:00:01:203 -- (2300) Blacklist cache - Added 206.223.136.195 to limbo
06/13/06 10:00:01:203 -- (2300) Disconnect

The message headers are:
Reply-To: "Verizon Business DNS Team" <dns-admin@za.verizonbusiness.com>
From: "Verizon Business DNS Team" <dns-admin@za.verizonbusiness.com>
To: <julian@????????????>
Subject: {SPAMF} Your message to dns-admin@za.verizonbusiness.com
Date: Tue, 13 Jun 2006 09:56:30 +0200
Message-ID: <200606130756.k5D7uUFK079027@mx01.uunet.co.za>
MIME-Version: 1.0
Content-Type: text/plain;
 charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcaOvtQZhSIvggmbQ2alW7MHQ9gE+Q==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-SF-RX-Return-Path: <dnsar@mx01.uunet.co.za> SIZE=2594
X-SF-HELO-Domain: mx01.uunet.co.za
X-SF-SPAM: Y
 
* This is an automated response *
 
Thank you for contacting the Verizon Business Customer Service Centre.
 
This auto-response confirms that we have received your DNS query.
 
lyndonje (Senior Member, United Kingdom, joined 31 January 2006)
Posted: 13 June 2006 at 8:42am
The SMTP MAIL FROM and the email header From: fields do not have to be the same and therefore can be different.

SF does the MX record check on the SMTP MAIL FROM address, which is being passed by the sending server as dnsar@mx01.uunet.co.za. SF is correctly detecting that mx01.uunet.co.za indeed has no MX records.

The SMTP MAIL FROM address is normally used for bounce-backs and return paths; this is more of a 'technical' address which is lost as soon as an email reaches the destination mailbox, hence why SF adds the:

X-SF-RX-Return-Path: <dnsar@mx01.uunet.co.za> SIZE=2594

header for debugging.

The email header From: field is more cosmetic and is what the recipient's mail client uses to display the sender's information, and to reply to unless a Reply-To header is specified.

Although the two fields can be different, the majority of the time they are the same.

From the log snippets, however, it says the emails are being forwarded, which should not be the case if you are choosing to reject emails with no valid MX record?

Ultimately, with this setting enabled, emails from such sources will be rejected, and I don't believe there is anything you can do, other than to whitelist these addresses, convince the senders/ISP to create an MX record for the domain being used in the SMTP MAIL FROM field, or disable the rule.
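To make the distinction in this reply concrete, here is an added example (not LogSat's code, and not part of this thread) that parses the headers quoted above, separates the SMTP envelope sender recorded in X-SF-RX-Return-Path from the header From:, and runs an MX check against each. DNS is replaced by a constructed lookup table so it runs offline; the assumption that mx01.uunet.co.za has no MX records while za.verizonbusiness.com does is taken from what the log and the reply state, not from a live query.

```python
"""Envelope sender vs. header From, and the MX check SpamFilter applies.

Added example, not LogSat's code. The resolver table and the header block
are constructed from the values quoted in this thread; real MX data may
differ.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed stand-in for DNS: domain -> list of MX hostnames.
# An empty list models "no MX records", which is what the log calls
# "Invalid MX record". (Assumption: mx01.uunet.co.za has none.)
FAKE_MX_TABLE = {
    "za.verizonbusiness.com": ["mx01.uunet.co.za"],
    "mx01.uunet.co.za": [],
    "ns0.coza.net.za": [],
}


def lookup_mx(domain, table=FAKE_MX_TABLE):
    """Return the MX hosts for a domain (offline stand-in for a DNS query)."""
    return table.get(domain.lower(), [])


def envelope_domain(mail_from):
    """Extract the domain from an SMTP MAIL FROM / Return-Path value.

    Accepts '<user@domain>', 'user@domain' and the form SpamFilter logs,
    '<user@domain> SIZE=2594', ignoring any trailing ESMTP parameters.
    """
    m = re.search(r"<?([^<>\s@]+)@([^<>\s]+?)>?(?:\s|$)", mail_from)
    if not m:
        raise ValueError("no address in MAIL FROM: %r" % mail_from)
    return m.group(2).lower()


def sender_has_valid_mx(mail_from, resolver=lookup_mx):
    """The check behind 'reject if sender domain has invalid MX record':
    it looks at the envelope sender's domain, not the header From:."""
    return bool(resolver(envelope_domain(mail_from)))


# Constructed copy of the headers quoted in the thread (relevant ones only).
RAW_HEADERS = """\
From: "Verizon Business DNS Team" <dns-admin@za.verizonbusiness.com>
Reply-To: "Verizon Business DNS Team" <dns-admin@za.verizonbusiness.com>
Subject: {SPAMF} Your message to dns-admin@za.verizonbusiness.com
X-SF-RX-Return-Path: <dnsar@mx01.uunet.co.za> SIZE=2594
X-SF-HELO-Domain: mx01.uunet.co.za
X-SF-SPAM: Y
"""


def compare_senders(raw_headers, resolver=lookup_mx):
    """Report which address the MX check actually ran against, and why
    the header From: domain passing does not help."""
    msg = HeaderParser().parsestr(raw_headers)
    header_from = parseaddr(msg["From"])[1]
    envelope = msg["X-SF-RX-Return-Path"]
    return {
        "header_from_domain": header_from.split("@", 1)[1].lower(),
        "envelope_domain": envelope_domain(envelope),
        "checked_domain_has_mx": sender_has_valid_mx(envelope, resolver),
        "header_domain_has_mx": sender_has_valid_mx(header_from, resolver),
    }


if __name__ == "__main__":
    for key, value in compare_senders(RAW_HEADERS).items():
        print("%-24s %s" % (key, value))
```

Running it shows `checked_domain_has_mx` false and `header_domain_has_mx` true for the same message: the filter tagged the mail because the envelope domain mx01.uunet.co.za has no MX records, regardless of what the header From: says.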
AmirSachs (Guest Group)
Posted: 14 June 2006 at 5:50pm
Thanks for clarifying that.
 
> From the log snippets, however, it says the emails are being forwarded, which should not be the case if you are choosing to reject emails with no valid MX record?
 
In the process of testing we are tagging the mail, and then forwarding it to the mail server, which then places it in the user's spam folder. It is the user's responsibility to check their spam folder for false positives.
 
HOWEVER - On the subject of DNS.
We have very (and I mean very) slow-to-respond DNS servers from our ISP. How can we cause SpamFilter to cache DNS entries? We receive a lot of emails from local SMTP servers, and we often see that at busy periods SpamFilter is unable to resolve an IP which it resolved a few minutes ago.
Does anybody know of a way to speed up the Windows 2000 DNS service, perhaps?
 
Thanks once more for your assistance.
Marco (Senior Member, Netherlands, joined 07 June 2005)
Posted: 15 June 2006 at 3:47am

Try entering DNS IPs from another (faster-reacting) ISP.
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
AmirSachs (Guest Group)
Posted: 15 June 2006 at 8:27am

Marco - thanks for the advice.

We obviously tried that, but it seems that DNS is slooowww in South Africa.

Can SpamFilter cache DNS entries, in a similar way to how it does the blacklisted IPs? It would be a great feature and would reduce the load on CPU/RAM as well as traffic.

Marco (Senior Member, Netherlands, joined 07 June 2005)
Posted: 15 June 2006 at 10:03am
Maybe setting up your own DNS server is an option?
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
WebGuyz (Senior Member, United States, joined 09 May 2005)
Posted: 15 June 2006 at 10:07am

Buy a DNS server and install it locally. We use SimpleDNS and it has the ability to cache and you can set the hours/days. I'm sure there are other 3rd party DNS servers that do caching as well.

Spam filtering is VERY DNS intense and not having a fast local DNS server would be a liability.

http://www.webguyz.net
Desperado (Senior Member, United States, joined 27 January 2005)
Posted: 15 June 2006 at 5:34pm
I use the built-in Windows 2000/2003 DNS server on the same machine as SpamFilter and set it as a cache-only server. I then point SpamFilter to that DNS, with my internal DNS servers after that. I reset the cache, however, every day at 1:00am with a scheduled task that runs net stop and net start DNS commands. It has always worked well for me.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
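The replies above all recommend the same thing: put a caching resolver between SpamFilter and the slow upstream DNS. The following added example (not SpamFilter's code and not the Windows DNS service; written for this page) models that cache-only forwarder in miniature: answers are served from cache until the record's TTL expires, empty answers (the "no MX records" case that produces the "Invalid MX record" log line) are cached too with a capped negative TTL, and a flush() stands in for the nightly net stop / net start. The upstream zone data and the clock are constructed so the example runs offline and deterministically.

```python
"""A cache-only DNS forwarder in miniature, with TTL expiry and a flush.

Added example, not SpamFilter's code and not the Windows DNS service; it
models the behaviour the replies in this thread recommend. The upstream
zone data and the clock are constructed so the example runs offline.
"""
import time

# Constructed upstream answers: (name, rtype) -> (records, ttl_seconds).
# Assumption: illustrative values only, not real DNS data.
FAKE_UPSTREAM_ZONE = {
    ("za.verizonbusiness.com", "MX"): (["mx01.uunet.co.za"], 3600),
    ("mx01.uunet.co.za", "MX"): ([], 300),
}


class FakeClock:
    """Deterministic clock so TTL expiry can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class CountingUpstream:
    """Stands in for the slow ISP resolver; counts how often it is asked."""
    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def __call__(self, name, rtype):
        self.queries += 1
        # Unknown names answer empty with a 300 s TTL (constructed default).
        return self.zone.get((name.lower(), rtype), ([], 300))


class CachingResolver:
    """Answers from cache while the record's TTL has not expired, otherwise
    forwards to upstream and caches the reply. Empty answers are cached too,
    capped at negative_ttl, so a busy period does not re-query the same
    missing record over and over."""
    def __init__(self, upstream, clock=time.monotonic, negative_ttl=300):
        self.upstream = upstream
        self.clock = clock
        self.negative_ttl = negative_ttl
        self._cache = {}

    def resolve(self, name, rtype="MX"):
        key = (name.lower(), rtype)
        now = self.clock()
        entry = self._cache.get(key)
        if entry is not None and entry[1] > now:
            return entry[0]                     # cache hit, still within TTL
        records, ttl = self.upstream(name, rtype)
        if not records:
            ttl = min(ttl, self.negative_ttl)   # negative caching
        self._cache[key] = (records, now + ttl)
        return records

    def flush(self):
        """Equivalent of the nightly 'net stop dns' / 'net start dns'."""
        self._cache.clear()


def run_demo():
    """Return the upstream query count after each step of a short scenario."""
    clock = FakeClock()
    upstream = CountingUpstream(FAKE_UPSTREAM_ZONE)
    cache = CachingResolver(upstream, clock=clock)
    counts = []
    cache.resolve("za.verizonbusiness.com")   # miss: asks upstream
    counts.append(upstream.queries)
    cache.resolve("za.verizonbusiness.com")   # hit: no upstream query
    counts.append(upstream.queries)
    cache.resolve("mx01.uunet.co.za")         # miss: empty answer cached
    counts.append(upstream.queries)
    cache.resolve("mx01.uunet.co.za")         # negative hit
    counts.append(upstream.queries)
    clock.advance(301)                        # negative TTL (300 s) expired
    cache.resolve("mx01.uunet.co.za")         # miss again
    counts.append(upstream.queries)
    cache.resolve("za.verizonbusiness.com")   # still within its 3600 s TTL
    counts.append(upstream.queries)
    cache.flush()                             # the scheduled nightly restart
    cache.resolve("za.verizonbusiness.com")   # miss after flush
    counts.append(upstream.queries)
    return counts


if __name__ == "__main__":
    print(run_demo())
```

Seven lookups cost the upstream only four queries; in a real deployment the ratio is far better, because the same sending domains recur all day. Note the trade-off in the flush: clearing the cache nightly bounds how long a stale or bad answer can live, but the first lookups after the restart all go to the slow upstream again.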