Well, here's the code I use in filter_sender in MD to check for a validMX.
The module needs a public release with some updates and doesn't work great
with IPv6 but the code is solid and has been in use for a long time at my firm.

  #IF NOT A BOUNCE, THEN CHECK VALID MX RECORDS
  if ($sender ne '<>') {
    #CHECK IF SENDER HAS VALID MX RECORDS
    ($rv, $reason) = &check_valid_mx($sender);

    #IF WE GOT A RETURN VALUE OF 1 CHECK WHAT IT IS
    if ($rv) {
      #RESOLUTION ISSUE? LOG ERROR AND CONTINUE AS A SAFETY VALVE
      if ($reason =~ /Resolution Problem/i) {
        md_syslog('error', "ERROR: check valid MX Resolution Problem: $sender - $reason.");
      } else {
        #OTHERWISE PASSED CHECK VALID MX
        md_syslog('info', "DEBUG: Passed check valid MX: $sender");
      }
    } else {
      #FAILED CHECK VALID MX
      md_syslog('warning', "DEBUG: Rejecting $sender - Invalid MX: $reason.");
      return ('REJECT', "$QueueID: Sorry, mail not accepted. $sender has an invalid MX record: $reason.");
    }
  }

For the check against port 25, Dianne's caveat aside, look
at md_check_against_smtp_server which you can run in filter_recipient.  I
can share how we use a Redis backend to store the data and our routines.

The validmx check hits about 90% of the issues and the cached check really
helps us shut down DDoS and dictionary attacks.

Regards,
KAM

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Mon, Apr 9, 2018 at 10:58 AM, Dianne Skoll <d...@roaringpenguin.com>
wrote:

> On Mon, 9 Apr 2018 09:56:20 -0500
> David Jones <djo...@ena.com> wrote:
>
> > On 04/09/2018 09:44 AM, Reindl Harald wrote:
> > > you simply don't want connect to every innocent MX which inbound
> > > mail is forged because for the sake of god you are attacking the
> > > victim of spoofed mails and you are easily part of a distributed
> > > DOS when your few connections back are only a small part
>
> Also, if an innocent domain's MX server just happens to be down
> when you check, you could get a FP.
>
> Checking for the existence of a sane MX record is good practice.
> I'm not so sure about actually trying to connect to said MX, even if
> you take basic precautions to minimize connections.
>
> Regards,
>
> Dianne.
>
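
The "sane MX record" check discussed in this thread, as an added example that is not part of either message and is not the validMX module's code: it classifies DNS answers without ever connecting to the exchanger, and returns the same ($rv, $reason) pair the filter_sender snippet tests, including the pass-through on a resolution problem. The answer structure, the names classify_mx and is_bogus_ip, and the sample domains are assumptions constructed for illustration; only IPv4 is handled.

```perl
# Added example: classify constructed DNS answers; no network access.
use strict;
use warnings;
# True when an IPv4 address can never be a public mail exchanger.
sub is_bogus_ip {
    my ($ip) = @_;
    my @o = $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/ or return 1;
    return 1 if grep { $_ > 255 } @o;
    return 1 if $o[0] == 0 || $o[0] == 10 || $o[0] == 127 || $o[0] >= 224;
    return 1 if ($o[0] == 169 && $o[1] == 254) || ($o[0] == 192 && $o[1] == 168);
    return 1 if $o[0] == 172 && $o[1] >= 16 && $o[1] <= 31;
    return 0;
}
# $ans (hypothetical shape): { error => 'SERVFAIL' } on lookup failure, else
# { mx => [ [pref, host], ... ], addr => { host => [ipv4, ...] } }.
sub classify_mx {
    my ($domain, $ans) = @_;
    # Safety valve: a DNS failure is not evidence of a bad sender.
    return (1, "Resolution Problem: $ans->{error}") if $ans->{error};
    my @mx = sort { $a->[0] <=> $b->[0] } @{ $ans->{mx} || [] };
    # No MX at all: SMTP falls back to the domain's own address record.
    @mx = ([0, $domain]) unless @mx;
    # RFC 7505 null MX ("MX 0 ."): the domain states it accepts no mail.
    return (0, 'null MX, domain accepts no mail') if @mx == 1 && $mx[0][1] eq '.';
    my @why;
    for my $rec (@mx) {
        my $host = lc $rec->[1];
        my @ips  = @{ $ans->{addr}{$host} || [] };
        if (!@ips) { push @why, "$host has no address"; next }
        return (1, "usable exchanger $host") if grep { !is_bogus_ip($_) } @ips;
        push @why, "$host resolves only to non-routable $ips[0]";
    }
    return (0, join('; ', @why));
}
# Constructed sample answers; 192.0.2.25 stands in for a public address.
my %sample = (
    'good.example'  => { mx   => [[10, 'mail.good.example']],
                         addr => { 'mail.good.example' => ['192.0.2.25'] } },
    'local.example' => { mx   => [[10, 'localhost']],
                         addr => { 'localhost' => ['127.0.0.1'] } },
    'null.example'  => { mx => [[0, '.']] },
    'down.example'  => { error => 'SERVFAIL' },
);
for my $d (sort keys %sample) {
    my ($rv, $reason) = classify_mx($d, $sample{$d});
    printf "%-14s rv=%d %s\n", $d, $rv, $reason;
}
```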
