Re: [Exim] Drop connection if sender's domain doesn't match …

Author: Stephen Gran
Date:  
To: exim-users
Subject: Re: [Exim] Drop connection if sender's domain doesn't match MX
--
On Wed, Oct 22, 2003 at 07:22:06PM -0700, Rick Duvall said:
> Okay, maybe I need to clarify what I am trying to do:
>
> I get a bunch of spam from servers that are obviously not SMTP servers (i.e.,
> if I connect back to them on port 25, I get a timeout). I figure I can
> eliminate a lot of my spam simply by seeing if there is an MX record for the
> sending host. In a previous email in this thread I mentioned something to
> the effect of if in the SMTP dialog the sending mail server puts in "mail
> from: <joeblow@???>", I do an MX lookup for "domain.com". I then
> check to see if the connecting host's IP address matches any of the MX
> records IP's returned by the lookup, and if it doesn't, reject the message
> because joeblow@??? either doesn't exist, or is not supposed to be
> sending email from that host.


Let's use the domain foo.com, with hosts foo, mail, web, shellserver

> So, I see 3 possible options:
>
> 1. Do a reverse lookup on the connecting IP, then lookup the MX record for
> the domain portion of the hostname returned, and see if the connecting host
> matches any of the IP's returned for any of the MX records.


foo, web and shellserver can't send any mail to your domain directly,
but would have to smarthost. Not the end of the world, but many people
don't, and just send automated output (cronjobs, etc) directly.

> 2. Look at the envelope sender, do a MX lookup on the domain portion, and
> reject if the sender's IP isn't in the list of MX records returned.


Again the same.

> 3. Look at the connecting IP address and try to connect back to it on port
> 25. If it doesn't respond or it times out, reject the message.


Again the same.

> Maybe a combination of 2 and 3. People can spoof the domain portion of
> their email address. But if we can prove that the IP they are coming from
> doesn't serve that domain, we can successfully reject it, right?


Yes. You run the risk of dropping some legitimate email when you do
this, and depending on DNS, you could drop quite a bit. For instance, I
don't have functional reverse DNS (my ISP . . .).

steve@gashuffer:~$ host -t mx lobefin.net
lobefin.net mail is handled by 10 mail.lobefin.net.

steve@gashuffer:~$ host mail.lobefin.net
mail.lobefin.net has address 216.158.52.98

steve@gashuffer:~$ host 216.158.52.98
98.52.158.216.in-addr.arpa domain name pointer adsl-216-158-52-98.cust.oldcity.dca.net.

So if you only looked up 216.158.52.98, you wouldn't get an address that
matched 'lobefin.net'. Depending on your rules, this would bounce my
mail, even though it's a 'real' MX.

I feel your pain, though.
--
--------------------------------------------------------------------------
|  Stephen Gran                  | Q: Why did the programmer call his      |
|  steve@???             | mother long distance? A: Because that   |
|  http://www.lobefin.net/~steve | was her name.                           |

--------------------------------------------------------------------------
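The following is an added example, not code from the thread or from Exim: a small model of options 1 and 2 from Rick's list, run against a constructed in-memory DNS table instead of real resolvers. The lobefin.net MX, A and PTR records are copied from Stephen's `host` output above; the foo.com hosts (`mail.foo.com`, `shellserver.foo.com`) and their 192.0.2.x addresses are hypothetical, standing in for the example domain Stephen describes. Option 3 (connecting back on port 25) is not modelled because it needs a live network.

```python
"""
Model of the two DNS-based sender checks discussed in the thread.

All lookups go to FAKE_DNS (constructed data) so the script runs offline;
to use it for real, replace the three *_lookup helpers with a resolver.
"""

# Constructed DNS table. lobefin.net entries come from the thread; the
# foo.com entries are hypothetical (192.0.2.0/24 is a documentation range).
FAKE_DNS = {
    "MX": {
        "lobefin.net": [(10, "mail.lobefin.net")],
        "foo.com": [(10, "mail.foo.com")],
    },
    "A": {
        "mail.lobefin.net": ["216.158.52.98"],
        "mail.foo.com": ["192.0.2.10"],
        "shellserver.foo.com": ["192.0.2.20"],
    },
    "PTR": {
        "216.158.52.98": "adsl-216-158-52-98.cust.oldcity.dca.net",
        "192.0.2.10": "mail.foo.com",
        "192.0.2.20": "shellserver.foo.com",
    },
}


def mx_lookup(domain):
    """MX records for a domain as (priority, hostname) pairs; [] if none."""
    return FAKE_DNS["MX"].get(domain.lower(), [])


def a_lookup(hostname):
    """A records (IPv4 strings) for a hostname; [] if none."""
    return FAKE_DNS["A"].get(hostname.lower(), [])


def ptr_lookup(ip):
    """Reverse (PTR) name for an address, or None if there is no reverse DNS."""
    return FAKE_DNS["PTR"].get(ip)


def mx_addresses(domain):
    """Every IPv4 address of every MX host for the domain (empty set if no MX)."""
    addrs = set()
    for _priority, mx_host in mx_lookup(domain):
        addrs.update(a_lookup(mx_host))
    return addrs


def check_envelope_mx(sender, connecting_ip):
    """Option 2: accept only if the connecting IP is an MX host of the
    envelope sender's domain."""
    domain = sender.rpartition("@")[2]
    return connecting_ip in mx_addresses(domain)


def check_reverse_then_mx(connecting_ip):
    """Option 1: PTR lookup, take the 'domain portion' of the name (here,
    naively, everything after the first label), then apply the MX test.
    The naive split is exactly what goes wrong for ISP-style PTR names."""
    ptr = ptr_lookup(connecting_ip)
    if ptr is None:
        return False                      # no reverse DNS at all
    domain = ptr.partition(".")[2]        # drops only the leading host label
    return connecting_ip in mx_addresses(domain)


def evaluate(sender, connecting_ip):
    """Run both checks and report which ones would accept this delivery."""
    return {
        "reverse_then_mx": check_reverse_then_mx(connecting_ip),
        "envelope_mx": check_envelope_mx(sender, connecting_ip),
    }


if __name__ == "__main__":
    # Constructed cases: Stephen's real MX, foo.com's MX host, and a
    # shell box on foo.com sending cron output directly (no smarthost).
    cases = [
        ("steve@lobefin.net", "216.158.52.98", "real MX, PTR lives in the ISP's zone"),
        ("user@foo.com", "192.0.2.10", "sent from foo.com's own MX host"),
        ("cron@foo.com", "192.0.2.20", "sent directly from shellserver.foo.com"),
    ]
    for sender, ip, note in cases:
        print(f"{sender:20} from {ip:15} {evaluate(sender, ip)}  # {note}")
```

Running it shows both false positives the thread warns about: Stephen's mail passes the envelope-MX check but fails the reverse-then-MX check, because the PTR name is in his ISP's zone and `cust.oldcity.dca.net` has no MX; and cron output sent straight from `shellserver.foo.com` fails both checks even though it is legitimate mail, which is the case Stephen raises for hosts that don't smarthost.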