
2.2 Relaying through MX Servers

It is important to realize that mail is not sent directly to the host whose name follows the @ in the email address. Instead, that host name is first looked up using DNS to find the names of its MX (mail exchange) servers. To illustrate, consider the email address bob@example.com. Before mail is sent to example.com, that host's MX records are looked up:

example.com.   MX 10 mail.example.com.
example.com.   MX 20 bob.fallback.host.

Here, the host example.com has two MX records, each beginning with the literal MX. Each MX is then followed by a number. The lower the number, the greater the preference given to deliver to that particular record. Following each number is the name of the host to which mail should be sent. Here, mail should be sent to mail.example.com first, and if that fails, it should be sent to bob.fallback.host instead.

MX records exist as a safety net so that mail will always be delivered somewhere. The idea in our example is that mail will be held by bob.fallback.host in the event that mail.example.com is down. Later, when mail.example.com returns to service, bob.fallback.host will forward the delayed mail to it. [2]

Because normal email is delivered using the order specified by such MX records, mail arriving via fallback hosts should be rare. But many spam sites take advantage of this behavior to avoid being rejected based on their connecting IP numbers. Their assumption is that the spam screening normally done on a main mail machine will not necessarily be done on a fallback machine, and—because most fallback services are provided by ISPs and so do not share the same policy or software as the main mail machine—this assumption is frequently correct.

Thus, many spam sites look up MX records and purposely send their spam email to the host with the highest number (lowest preference). When they do this, the main mail machine sees only the IP number of the fallback host, and the IP number of the spam sender remains hidden. [3]

If you intend to filter email based on connecting site IP numbers, you will need to arrange your MX records to specifically trap this sort of IP number subterfuge. Consider again our example of the site example.com, which has MX records that look like this:

example.com.   MX 10 mail.example.com.
example.com.   MX 20 bob.fallback.host.

If example.com is set up like that, much spam email will be sent to bob.fallback.host as spammers attempt to avoid IP-number suppression. Instead, example.com might be set up to detect spam sending IP numbers, like this:

example.com.   MX 10 mail.example.com.
example.com.   MX 20 bob.fallback.host.
example.com.   MX 30 mail.example.com.
example.com.   MX 40 mail.example.com.

Now, normal mail will be delivered just as before, and if mail.example.com is down or busy, mail will instead be delivered to bob.fallback.host, also just as before. If both are down or busy, mail will be deferred at sending sites. But now, spam sites that send to the highest MX record will instead send directly to mail.example.com, where IP detection and suppression are running. This minimizes the number of spam sites that will connect to bob.fallback.host.

Note that, to accomplish this, we use two high number records, both pointing to mail.example.com. Clearly, a savvy spammer would recognize this trick and adapt to it. A better way to organize MX records requires you to control your own domain records. Consider another way to set up the preceding records:

example.com.   MX 10 mail.example.com.
example.com.   MX 20 mx1.example.com.
example.com.   MX 30 mx2.example.com.
example.com.   MX 40 mx3.example.com.

Here, all MX hosts are under your control, so the spam sender must look up IP numbers for these records in order to figure out where each is actually pointing. In this case, the IP number for mx1.example.com would be the same as that for bob.fallback.host, and the IP numbers for mx2.example.com and mx3.example.com would both be the same as the IP number for mail.example.com.

Modern operating systems allow each network interface to be assigned multiple IP numbers. If yours is one such operating system, consider assigning a different IP number to each of mx2.example.com and mx3.example.com, where those two differ from the IP number for mail.example.com.
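The following Python script is an added example, not code from the book, that ties together the MX-ordering rules described at the start of this section and the "trap" layouts shown above. It parses zone-file style MX lines, derives the delivery order a normal MTA follows (lowest preference number first), identifies the record a sender gets by choosing the highest number, and checks whether that record lands on an IP where your filtering runs. The zone fragments and the hostname-to-IP map are constructed sample data (using documentation address ranges), not real DNS answers; a production check would query DNS for the MX and A records instead of parsing text.

```python
"""Added example: audit MX layouts for the 'send to the highest-numbered MX'
evasion described in the text. All zone lines and IP numbers below are
constructed sample data, not real DNS records."""
import re
from typing import Dict, List, Set, Tuple

# Matches lines of the form:  example.com.   MX 10 mail.example.com.
MX_LINE = re.compile(r"^(\S+)\s+MX\s+(\d+)\s+(\S+)\s*$")

# The two layouts from the text (constructed sample zone fragments).
ZONE_WEAK = """
example.com.   MX 10 mail.example.com.
example.com.   MX 20 bob.fallback.host.
"""

ZONE_TRAP = """
example.com.   MX 10 mail.example.com.
example.com.   MX 20 mx1.example.com.
example.com.   MX 30 mx2.example.com.
example.com.   MX 40 mx3.example.com.
"""

# Constructed hostname -> IP map standing in for A-record lookups.
# mx1 aliases the fallback host; mx2/mx3 are extra addresses on the
# filtering machine, as the text suggests for multi-IP interfaces.
ADDRESSES: Dict[str, str] = {
    "mail.example.com": "192.0.2.10",
    "bob.fallback.host": "198.51.100.5",
    "mx1.example.com": "198.51.100.5",
    "mx2.example.com": "192.0.2.11",
    "mx3.example.com": "192.0.2.12",
}

# IP numbers on which connecting-IP screening is actually running.
FILTERING_IPS: Set[str] = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}


def parse_mx(zone: str) -> List[Tuple[int, str]]:
    """Return (preference, host) tuples from zone-file style MX lines."""
    records = []
    for line in zone.strip().splitlines():
        m = MX_LINE.match(line.strip())
        if not m:
            raise ValueError(f"not an MX record: {line!r}")
        # Strip the trailing dot so hosts match the address map keys.
        records.append((int(m.group(2)), m.group(3).rstrip(".")))
    return records


def delivery_order(records: List[Tuple[int, str]]) -> List[str]:
    """Normal MTA behaviour: try the lowest preference number first."""
    return [host for _, host in sorted(records)]


def last_resort_host(records: List[Tuple[int, str]]) -> str:
    """Host reached by a sender that picks the highest-numbered MX."""
    return max(records)[1]


def audit(records: List[Tuple[int, str]],
          addresses: Dict[str, str],
          filtering_ips: Set[str]) -> Dict[str, object]:
    """Report where the highest-numbered MX lands and whether it is screened.

    'filtered' is False when that record resolves to an IP outside the set
    where connecting-IP screening runs, i.e. the layout leaks the sender's
    IP behind an unscreened fallback host.
    """
    host = last_resort_host(records)
    ip = addresses[host]
    return {"last_resort_host": host, "ip": ip, "filtered": ip in filtering_ips}


if __name__ == "__main__":
    for name, zone in (("weak", ZONE_WEAK), ("trap", ZONE_TRAP)):
        recs = parse_mx(zone)
        print(name, "order:", " -> ".join(delivery_order(recs)))
        print(name, "audit:", audit(recs, ADDRESSES, FILTERING_IPS))
```

Running the script shows that in the first layout the highest-numbered record resolves to the unscreened fallback IP, while in the second it resolves to an address on the filtering machine even though the MX names alone give that away only after an extra lookup.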

The more work you impose on spam-sending sites, the less effective they become and the more costly their operation will be. Because spam email is a low-margin business, even an incremental increase in their costs may drive some out of business.
