Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?

[ha...@t-online.de]

>> 
>> Ken A wrote:
>> > Don't accept mail for non-existent users. Your MTA should reject it.
>> 
>> Yeah, we should. Not quite there yet.
>> 
>> In spite of that, I thought it may be a good test to do anyway. Even if 
>> the mail is addressed to an existent user, if the MX for the sender 
>> domain is DNSed to the localhost address, there's no way (in my 
>> thinking) that it's a legitimate email, unless a clueless admin has 
>> accidentally DNSed the MX for their domain to be the localhost address.
>> 
>> A mechanism that does what I propose would probably have a pretty short 
>> useful life anyway, I suppose - the arms race would move forward, such 
>> that spammers wouldn't DNS their MXes to the localhost address when such 
>> a test was prevalent in the community.
>> 

Hi,

I found a few of these trying to send mails .... people ording stuff through the website and then
getting an order confirmation etc.
It seems that one particular dns provider's web form makes it easy to configure that
rubbish, and when I mailed the dns provider about the fact, I had the impression they
did not even understand my concerns

Cure: a) the web order form checks whether there is an MX or A anyway, so it can also
check for 127 or 192.168
b) changes to the MTA so that an unroutable return path is treated as no return path
__unless the mail came in from localnet in the first place__

I found a few more stupid admin setups as well ... like a municipal authority sending
their incoming mail back to the government mx that just scanned the mail for them  

Wolfgang Hamann