Rule for DNS MX Check

Matt Kettler mkettler at evi-inc.com
Mon Nov 6 20:40:32 GMT 2006


Max Kipness wrote:
> Hello,
> 
> I'm still having issues with receiving large image stock spam, which is
> not being hit by Razor, Pyzor or DCC, SARES stock, or any of the others
> except the SARES gif attach. It gets a low bayes score that brings the
> score negative at times.
> 
> One thing I have noticed is that even though the sender IP does resolve,
> it's usually to a dynamically generated host by a DSL company etc. Most
> of the time the sender address does not match this IP.
> 
> So after doing some research I'm wondering if there is a way either
> through Sendmail, MailScanner or SpamAssassin to either check the MX
> record of the sender header or match the From and Sender headers.

Yes, but that makes the bogus assumption the site uses the same server for
outbound as inbound mail.

An MX record is not a valid check as to what servers should be sending mail.
It's a list of inbound servers. Most larger sites have separate servers for
outbound and inbound mail, mostly as a simple way of splitting the load.

What you really want is SPF, something SA does support. That DOES list what
servers are valid to send mail.

And more to the point, byerconsulting.com does support SPF, but unfortunately
posts their record with a ?all.

That means the owners of byerconsulting.com are not willing to declare any IP
addresses as invalid for their domain.

> Received: from myserver.com ([192.168.1.4]) by myserver.com with
> Microsoft SMTPSVC(6.0.3790.1830);
> 	 Mon, 6 Nov 2006 08:02:29 -0600
> Received: from DESKTOP (81-179-145-240.dsl.pipex.com [81.179.145.240])
> 	by myserver.com  with ESMTP idkA6E235h002990
> 	for <mkipness at myserver.com>; Mon, 6 Nov 2006 08:02:14 -0600
> Received: from 65.254.254.52 (HELO mail.byerconsulting.com)
>      by myserver.com with esmtp (2ST5N97RVEZ G4NVD)


Another thing you should do, based on the above, is to declare trusted_networks
manually. Since your MX is NATed, SA will not be able to correctly detect what
hosts are a part of your network on its own.

Finally, enable RBL checks in SpamAssassin. That message should have hit
RCVD_IN_SORBS_DUL, since 81.179.145.240 is listed, and has been since October 2004.
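The points made in the reply above (an MX check rejects legitimate mail from a separate outbound server, an SPF record ending in ?all yields no decision, a NATed MX needs trusted_networks declared by hand so the first untrusted relay can be found, and an RBL lookup is keyed on the reversed IP) can be made concrete with a small offline script. This is an added example, not code from the thread, from SpamAssassin or from MailScanner. The Received chain, the trusted network 192.168.1.0/24, the example.com MX and outbound addresses and the DNSBL zone dnsbl.example.invalid are all constructed for the example; the SPF evaluator only covers the ip4, mx and all terms.

```python
import ipaddress
import re

# Constructed sample Received chain, newest hop first, shaped like the one quoted
# in the thread but using RFC 5737 documentation addresses, not the real hosts.
SAMPLE_RECEIVED = [
    "from myserver.example ([192.168.1.4]) by myserver.example with Microsoft SMTPSVC",
    "from DESKTOP (host-77.dsl.example.net [198.51.100.77]) by myserver.example with ESMTP",
    "from 203.0.113.52 (HELO mail.example.com) by myserver.example with esmtp",
]

# Hypothetical trusted_networks value, declared by hand because the MX sits
# behind NAT and SA cannot infer the internal range on its own.
TRUSTED_NETWORKS = ["192.168.1.0/24"]

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM_IP = re.compile(r"^from (\d{1,3}(?:\.\d{1,3}){3})\b")


def relay_ip(hop):
    """Return the connecting IP recorded in one Received header, preferring the
    bracketed literal written by the receiving MTA over anything in the HELO name."""
    m = _BRACKETED_IP.search(hop) or _FROM_IP.match(hop)
    return m.group(1) if m else None


def first_untrusted_relay(received, trusted_networks):
    """Walk the chain newest-first and return the first relaying IP outside
    trusted_networks: the external sender that SPF and DNSBL checks apply to.
    Hops recorded after that one were written by untrusted hosts and are ignored."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hop in received:
        ip = relay_ip(hop)
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            return ip
    return None


_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip, mx_ips=()):
    """Evaluate the SPF subset relevant to the thread: ip4: networks, the mx
    mechanism (MX addresses supplied by the caller so this runs offline) and the
    terminating all with its qualifier. Returns pass/fail/softfail/neutral/none."""
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in _QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "mx":
            matched = any(addr == ipaddress.ip_address(m) for m in mx_ips)
        elif term == "all":
            matched = True
        else:
            continue  # mechanisms outside this example's subset are skipped
        if matched:
            return _QUALIFIERS[qual]
    return "neutral"  # nothing matched and the record has no 'all' term


def mx_check(sender_ip, mx_ips):
    """The check the original poster asked about: is the sender one of the
    domain's inbound MX hosts? Included only to show its false-positive mode."""
    return ipaddress.ip_address(sender_ip) in {ipaddress.ip_address(m) for m in mx_ips}


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL rule such as RCVD_IN_SORBS_DUL looks up.
    Only constructs the name; no DNS query is made here."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    external = first_untrusted_relay(SAMPLE_RECEIVED, TRUSTED_NETWORKS)
    print("external relay:", external)
    # Hypothetical example.com: inbound MX 203.0.113.10, separate outbound 203.0.113.20
    mx = ["203.0.113.10"]
    print("MX check on legitimate outbound 203.0.113.20:", mx_check("203.0.113.20", mx))
    print("SPF with ?all:", evaluate_spf("v=spf1 ip4:203.0.113.0/24 ?all", external, mx))
    print("SPF with -all:", evaluate_spf("v=spf1 ip4:203.0.113.0/24 -all", external, mx))
    print("DNSBL query name:", dnsbl_query_name(external, "dnsbl.example.invalid"))
```

Run as-is, the MX check reports the domain's own outbound server as a mismatch, which is the bogus assumption the reply describes; the ?all record returns neutral for the DSL address, so it gives the filter nothing to act on, whereas -all returns fail. The DNSBL name is what a DUL rule would resolve for the external relay once trusted_networks has identified it correctly.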





