On 04/09/2018 09:58 AM, Dianne Skoll wrote:
> On Mon, 9 Apr 2018 09:56:20 -0500
> David Jones <djo...@ena.com> wrote:
>
>> On 04/09/2018 09:44 AM, Reindl Harald wrote:
>>> you simply don't want to connect to every innocent MX whose inbound
>>> mail is forged, because for the sake of god you are attacking the
>>> victim of spoofed mails and you are easily part of a distributed
>>> DoS when your few connections back are only a small part
>
> Also, if an innocent domain's MX server just happens to be down
> when you check, you could get a FP.
>
> Checking for the existence of a sane MX record is good practice.
> I'm not so sure about actually trying to connect to said MX, even if
> you take basic precautions to minimize connections.
>
> Regards,
>
> Dianne.
https://rspamd.com/doc/modules/mx_check.html
I guess I could check the X-Spamd-Result header in SA from rspamd for
/MX_GOOD/ and let rspamd do the heavy lifting.
X-Spamd-Result: default: False [1.18 / 999.00]
TO_DN_NONE(0.00)[]
NEURAL_HAM(-0.00)[-0.792,0]
DKIM_TRACE(0.00)[email.symantec.com:+]
ASN(0.00)[asn:7160, ipnet:142.0.160.0/21, country:US]
RCVD_NO_TLS_LAST(0.00)[]
R_SPF_ALLOW(-0.20)[+ip4:142.0.160.0/20]
DMARC_POLICY_ALLOW(-0.25)[email.symantec.com,none]
MID_RHS_NOT_FQDN(0.50)[]
FROM_NEQ_ENVFROM(0.00)[co...@email.symantec.com,boun...@email.symantec.com]
ARC_NA(0.00)[]
RCVD_IN_DNSWL_NONE(0.00)[28.163.0.142.list.dnswl.org : 127.0.15.0]
RCVD_COUNT_TWO(0.00)[2]
MX_GOOD(-0.01)[cached: S912704989.m.en25.com]
HTML_SHORT_LINK_IMG_2(1.00)[]
MIME_GOOD(-0.10)[multipart/alternative,text/plain]
FROM_HAS_DN(0.00)[]
FORGED_SENDER(0.30)[]
REPLYTO_DN_EQ_FROM_DN(0.00)[]
HAS_REPLYTO(0.00)[symantec_communications-...@symantec.com]
TO_MATCH_ENVRCPT_ALL(0.00)[]
REPLYTO_DOM_NEQ_FROM_DOM(0.00)[]
RCPT_COUNT_ONE(0.00)[1]
HAS_LIST_UNSUB(-0.01)[]
IP_SCORE(0.05)[ipnet: 142.0.160.0/21(0.08), asn: 7160(0.13),
country: US(0.02)]
MIME_BASE64_TEXT(0.10)[]
R_DKIM_ALLOW(-0.20)[email.symantec.com]
--
David Jones
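As an added illustration of the idea above (not code from the thread or from the rspamd or SpamAssassin projects), here is a small parser for rspamd's X-Spamd-Result header that unfolds the symbol list and reports whether MX_GOOD was recorded, so a downstream filter can reuse the mx_check verdict instead of probing the MX itself. The sample header is constructed from the one quoted above; the rule name and score in the comment are assumed values.

```python
import re

# Constructed sample modelled on the header quoted in the thread, with
# IP_SCORE's option list folded onto a second physical line as rspamd does.
SAMPLE_HEADER = (
    "X-Spamd-Result: default: False [1.18 / 999.00]\n"
    "\tR_SPF_ALLOW(-0.20)[+ip4:142.0.160.0/20]\n"
    "\tMX_GOOD(-0.01)[cached: S912704989.m.en25.com]\n"
    "\tIP_SCORE(0.05)[ipnet: 142.0.160.0/21(0.08), asn: 7160(0.13),\n"
    "\t country: US(0.02)]\n"
    "\tFORGED_SENDER(0.30)[]\n"
)

# First line: "<metric>: <True|False> [<score> / <required>]"
SUMMARY_RE = re.compile(
    r"X-Spamd-Result:\s*(?P<metric>\w+):\s*(?P<is_spam>True|False)\s*"
    r"\[(?P<score>-?\d+(?:\.\d+)?)\s*/\s*(?P<required>-?\d+(?:\.\d+)?)\]"
)
# Each entry is SYMBOL(score)[options]; DOTALL lets options span folded lines.
SYMBOL_RE = re.compile(
    r"(?P<name>[A-Z][A-Z0-9_]*)\((?P<score>[-+]?\d+(?:\.\d+)?)\)\[(?P<opts>.*?)\]",
    re.S,
)


def parse_spamd_result(header: str) -> dict:
    """Parse an X-Spamd-Result header into its verdict and a symbol table."""
    m = SUMMARY_RE.search(header)
    if not m:
        raise ValueError("not an X-Spamd-Result header")
    symbols = {}
    for s in SYMBOL_RE.finditer(header, m.end()):
        # Collapse the folding whitespace inside a wrapped option list.
        opts = " ".join(s.group("opts").split())
        symbols[s.group("name")] = (float(s.group("score")), opts)
    return {
        "is_spam": m.group("is_spam") == "True",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "symbols": symbols,
    }


def sender_mx_verified(header: str) -> bool:
    """True when rspamd's mx_check module recorded MX_GOOD for the sender."""
    return "MX_GOOD" in parse_spamd_result(header)["symbols"]


# The equivalent SpamAssassin local.cf rule (assumed name and score):
#   header RSPAMD_MX_GOOD  X-Spamd-Result =~ /\bMX_GOOD\(/
#   score  RSPAMD_MX_GOOD  -0.5
```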