Re: [anti-spam-wg] Domains with MX set to localhost

  • To: Yiorgos Adamopoulos adamo@localhost
  • From: Jan Pieter Cornet johnpc@localhost
  • Date: Tue, 10 Jan 2006 20:49:06 +0100

On Tue, Jan 10, 2006 at 03:21:27PM +0200, Yiorgos Adamopoulos wrote:
> Over the past few months I have observed a trend of spam directed to us where
> the sender's domain has as MX either the localhost or 0.0.0.0.
> 
> As an example the domain yahho.gr (:-) has as MX mail.yahho.gr which 
> resolves to 127.0.0.1.
> 
> Do you block such domains?  Do you maintain a list?

We block such domains. We look up the MX records anyway, to verify a
domain exists, so it's not much more work to also look up the A records
of the advertised MX servers.

We block a domain if:

. the MX host is "." (following draft-delany-nullmx)
. the MX host isn't a FQDN
. the MX host has no associated A record at all
. the A record of the MX record is localhost, RFC1918, link-local, class
  D/E, or a limited set of bogons (yes, I'm watching IANA allocations)

And we do this test for all primary MX hosts, except that in some cases
we also look at lower priority MXes, in case the primary MX points to
private IP space for example (which would be bad, but it would "mostly
work").

Or in short, we block the email if it is impossible to connect back
to the domain using the advertised MX records, in case we had to
deliver a bounce.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm pmmppfmfpppppfmmmf@localhost
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet