Posted to users@spamassassin.apache.org by Mike Jackson <mj...@barking-dog.net> on 2007/01/29 14:38:11 UTC

can you trust the MX?

Before my actual question, here's a little background. Right now, I see how 
pointless SPF is; few domains publish records, even fewer MTAs running in 
the wild use SPF to accept/reject mail. When I look at the SPF scoring on my 
server (where I'm running an SPF milter for Sendmail), most of the mail with 
neutral SPF answers were sent from servers that should in no way be 
authorized to send mail for the domain. So, it got me thinking...

Shouldn't mail be sent through the MX for a domain?

Yes, I know MX records are for receiving mail, but in common practice the 
servers they represent do double duty, both receiving mail from the outside 
world and allowing users to send mail as well. Somewhere in the Received: 
headers, it seems like you would see one of the MXes as a sender on most 
legitimate messages. I'm sure someone's had this idea before (it's so 
obvious that I can't believe that they wouldn't), but there must be some 
reason it's not used as a flag for incoming spam. I've been thinking about 
investing some time into writing a SpamAssassin plugin that would check the 
Received headers for signs of an MX for the sender, but would I be wasting 
my time? 


Re: can you trust the MX?

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Monday, January 29, 2007 9:03 PM +0100 Magnus Holmgren 
<ho...@lysator.liu.se> wrote:

> So, it is well established that mail from a domain doesn't have to be
> sent from the MX for the domain. But the converse should be true,
> shouldn't it? I.e. an MX for a domain is normally a legitimate deliverer
> of mail from that domain (if it delivers any outbound mail at all).

It will likely be a source of bounce messages but it need not send those 
messages directly. It could still send them through another server 
designated for outbound delivery.

It's probably a fair assumption that it won't be the source of unauthorized 
mail for the domain, unless it's been usurped.



Re: can you trust the MX?

Posted by Raul Dias <ra...@dias.com.br>.
On Mon, 2007-01-29 at 21:03 +0100, Magnus Holmgren wrote:

> So, it is well established that mail from a domain doesn't have to be sent 
> from the MX for the domain. But the converse should be true, shouldn't it? 
> I.e. an MX for a domain is normally a legitimate deliverer of mail from that 
> domain (if it delivers any outbound mail at all).
> 
> Would a whitelist_from_mx option perhaps be worthwhile?
> 
Being sent from the MX is a legitimate deliverer, but I don't think that's
worth being whitelisted. On the other hand, coming from the MX would be
worth some bonus points.

-Raul Dias


Re: can you trust the MX?

Posted by Magnus Holmgren <ho...@lysator.liu.se>.
On Monday 29 January 2007 15:01, Matt Kettler wrote:
> Mike Jackson wrote:
> > Shouldn't mail be sent through the MX for a domain?
>
> Not if the domain is of any decent size.. Using different servers for
> outbound vs inbound mail is a very common load balancing tactic for
> large sites.
>
> Which is why SPF was created in the first place, because you can't
> assume that mail is sent by the MX.

So, it is well established that mail from a domain doesn't have to be sent 
from the MX for the domain. But the converse should be true, shouldn't it? 
I.e. an MX for a domain is normally a legitimate deliverer of mail from that 
domain (if it delivers any outbound mail at all).

Would a whitelist_from_mx option perhaps be worthwhile?

-- 
Magnus Holmgren        holmgren@lysator.liu.se
                       (No Cc of list mail needed, thanks)

  "Exim is better at being younger, whereas sendmail is better for 
   Scrabble (50 point bonus for clearing your rack)" -- Dave Evans

Re: can you trust the MX?

Posted by Matt Kettler <mk...@verizon.net>.
Mike Jackson wrote:
> Before my actual question, here's a little background. Right now, I
> see how pointless SPF is; few domains publish records, even fewer MTAs
> running in the wild use SPF to accept/reject mail. When I look at the
> SPF scoring on my server (where I'm running an SPF milter for
> Sendmail), most of the mail with neutral SPF answers were sent from
> servers that should in no way be authorized to send mail for the
> domain. So, it got me thinking...
I wouldn't say SPF is pointless.. I would however say that many people
expect it to be more than it could ever possibly be.
>
> Shouldn't mail be sent through the MX for a domain?
Not if the domain is of any decent size.. Using different servers for
outbound vs inbound mail is a very common load balancing tactic for
large sites.

Which is why SPF was created in the first place, because you can't
assume that mail is sent by the MX.
>
> Yes, I know MX records are for receiving mail, but in common practice
> the servers they represent do double duty, both receiving mail from
> the outside world and allowing users to send mail as well. 
At tiny sites, that's true. At large ISP's it is exceptionally rare.
> Somewhere in the Received: headers, it seems like you would see one of
> the MXes as a sender on most legitimate messages. 
Really? Have you really checked that for any large domains? How about
this message? What about a message from gmail? aol? comcast?

> I'm sure someone's had this idea before (it's so obvious that I can't
> believe that they wouldn't), but there must be some reason it's not
> used as a flag for incoming spam. I've been thinking about investing
> some time into writing a SpamAssassin plugin that would check the
> Received headers for signs of an MX for the sender, but would I be
> wasting my time?
>
You'd be wasting your time. If a site's own administrator has a hard
time conclusively generating a list of all servers that originate mail
for his own domain, how do you expect to be able to do better as an
outsider?




Re: can you trust the MX?

Posted by Benny Pedersen <me...@junc.org>.
On Mon, January 29, 2007 14:38, Mike Jackson wrote:
> Before my actual question, here's a little background. Right now, I see how
> pointless SPF is; few domains publish records, even fewer MTAs running in
> the wild use SPF to accept/reject mail. When I look at the SPF scoring on my
> server (where I'm running an SPF milter for Sendmail), most of the mail with
> neutral SPF answers were sent from servers that should in no way be
> authorized to send mail for the domain. So, it got me thinking...

spf is only as good as who is using it, the SARE team will add more
whitelist_from_spf if needed, in the end we can all benefit if
hostmasters/postmasters care more about spf, i admit, but i believe that
forwarding mail servers is too scary for them :/

> Shouldn't mail be sent through the MX for a domain?

if you set up thunderbird to deliver mail to a smtp server that is the final
destination then it's not relaying, and should be ok

so how many script kiddies can't make that?

> Yes, I know MX records are for receiving mail, but in common practice the
> servers they represent do double duty, both receiving mail from the outside
> world and allowing users to send mail as well. Somewhere in the Received:
> headers, it seems like you would see one of the MXes as a sender on most
> legitimate messages. I'm sure someone's had this idea before (it's so
> obvious that I can't believe that they wouldn't), but there must be some
> reason it's not used as a flag for incoming spam. I've been thinking about
> investing some time into writing a SpamAssassin plugin that would check the
> Received headers for signs of an MX for the sender, but would I be wasting
> my time?

dig mxhostname to get the a record
compare if that ip was the last received ip
if a domain has no mx record, use the a record anyway

should be it :-)

just that spf was designed to be the domain sender authed makes it a bit
better than just checking that the mx is equal to the a record from the headers

so to your question about trust: the mx should be trusted, but it's not useful
to do it

anyone have a patch for the spf test in SpamAssassin? there could and will be false
positives, but anyway, we hate forwarded spam, no?

and hotmail.com has 1 million ips in their spf records, who loves them?

current rbldnsd has a cidr limit so 0.0.0.0/0 can't be valid

-- 
This message was sent using 100% recycled spam mails.
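The three-line recipe in Benny's reply (resolve the MX, fall back to the A record when there is no MX, compare with the connecting IP) as an added Python sketch; it is not code from the thread or from SpamAssassin. DNS is replaced by a constructed lookup table so it runs offline, and, per Matt's and Raul's points, a match is meant as a small bonus only, never a mismatch as a penalty.

```python
import re

# Constructed DNS table standing in for `dig` lookups so the example runs offline
# (example data only, not real records).
FAKE_DNS = {
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10", "192.0.2.11"],
    ("nomx.example", "A"): ["198.51.100.5"],
}

def lookup(name, rtype):
    """Return the records of type rtype for name, or [] when there are none."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])

def mx_ips(domain, resolve=lookup):
    """IPs of the domain's MX hosts; with no MX record fall back to the domain's
    own A record (SMTP's implicit-MX rule), as the recipe says."""
    names = resolve(domain, "MX") or [domain]
    ips = set()
    for name in names:
        ips.update(resolve(name, "A"))
    return ips

# Matches the bracketed peer address our own MTA writes into its Received: header.
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def last_hop_ip(received_headers):
    """The topmost Received: header is the one our MTA added; its bracketed IP is
    the host that actually connected to us. Earlier hops are forgeable and ignored."""
    if not received_headers:
        return None
    match = PEER_IP.search(received_headers[0])
    return match.group(1) if match else None

def sent_via_mx(received_headers, sender_domain, resolve=lookup):
    """True when the connecting host is one of the sender domain's MX IPs.
    False proves nothing by itself: large sites split inbound and outbound."""
    ip = last_hop_ip(received_headers)
    return ip is not None and ip in mx_ips(sender_domain, resolve)

# Constructed sample: a message handed to us directly by example.org's MX.
SAMPLE_HEADERS = [
    "from mail.example.org (mail.example.org [192.0.2.10]) by mx.receiver.test "
    "with ESMTP id 0123456789 for <user@receiver.test>; Mon, 29 Jan 2007 14:38:11 +0000",
    "from [10.0.0.4] (helo=desktop) by mail.example.org with ESMTPA id 5; "
    "Mon, 29 Jan 2007 14:37:50 +0100",
]

if __name__ == "__main__":
    print(sent_via_mx(SAMPLE_HEADERS, "example.org"))  # True
```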