#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2007
    Location
    US
    Posts
    103
    Rep Power
    54

    Other domains being directed to my server


    Around the same time as the ipv6 rollover my server's ip was added to blacklists so I can't send email to certain domains such as hotmail. Coincidentally, around the same time my server started getting hit by traffic from different domain names that don't belong to me. The domains are all owned by the same individual according to whois. I called the hosting company and they said they can't do anything about this. I emailed the admin from the whois info but no reply. Each week there are just more and more sites being directed to my server that I do not own. Sure, I can block them with htaccess but it's filling my logs up and I have to add more to the list weekly. Does anyone have an idea as to why this might be happening and if this might have to do with my recent blacklistings? I ran dns tools and found no open relays, all email logs look clean, and I am using spf records. Any advice would be appreciated.
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2007
    Location
    US
    Posts
    103
    Rep Power
    54
    Just curious, can anyone make any sense of a motive behind this? Someone uses a domain name for mail only and adds a name server A record which points to a different server hosting a different domain. They have an mx record set up for a different mail server. From how I understand spf this will not allow spoofing as my server because it uses the mail server's originating ip not the domain's resolved ip. So if someone doesn't want recipients to find them they could just use a random A record but that shouldn't allow spoofing. I'm just wondering if there is a way they could have spoofed me to get me blacklisted. My spf record is:
    Code:
    v=spf1 ip4:permitted.ip.address.here ip4:permitted.ip.address.here a mx ~all
    Maybe I should use -all instead of ~all?
    I've been trying different variations and tests so I still have the tilde in place.
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    44
    Originally Posted by nightFix
    Just curious, can anyone make any sense of a motive behind this? Someone uses a domain name for mail only and adds a name server A record which points to a different server hosting a different domain. They have an mx record set up for a different mail server. From how I understand spf this will not allow spoofing as my server because it uses the mail server's originating ip not the domain's resolved ip. So if someone doesn't want recipients to find them they could just use a random A record but that shouldn't allow spoofing. I'm just wondering if there is a way they could have spoofed me to get me blacklisted. My spf record is:
    Code:
    v=spf1 ip4:permitted.ip.address.here ip4:permitted.ip.address.here a mx ~all
    Maybe I should use -all instead of ~all?
    I've been trying different variations and tests so I still have the tilde in place.
    Until DMARC was introduced, SPF records were largely ignored. This was because there was no feedback mechanism to let you know where the problems were. Our domain has not operated a mail server for over 15 years, and before that it was all directed through Postini. We were seeing a large number of attempts to connect to our domain on port 25. We had no MX record, but examining our DNS logs we saw many requests for MX records followed by requests for A records. So we added an MX record and a Pseudo SMTP server that simply rejected all mail attempts. What we found was about 9,000 - 15,000 connection attempts per day to deliver mail. Not bad for a domain that has had no valid email addresses for over 15 years. Some of those were to actual old email addresses, some were obviously made up, and some were bounce attempts. It became very obvious that our domain name was being abused by spammers.

    So we started rejecting email after MAIL FROM: instead of after RCPT TO:. That cut the attempts to less than half. Next we implemented DMARC. We always had an SPF record with -all, but it had no affect until we implemented DMARC. Now we are seeing less than 300 connection attempts per day and declining. I would recommend that you consider using DMARC. Set up properly, you will receive daily reports from the big email providers.

    J.A. Coutts
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2007
    Location
    US
    Posts
    103
    Rep Power
    54
    We are using dkim and spf. I will conduct further research into dmarc and spend some more time practicing it with testing. I did have dns logging enabled and saw several MX requests followed by A requests but seeing that smtp relies on dns I figured the surrounding A records don't indicate much. I'll have to invest a little more research and practice. Thanks a lot for the reply.
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    44
    Originally Posted by nightFix
    We are using dkim and spf. I will conduct further research into dmarc and spend some more time practicing it with testing. I did have dns logging enabled and saw several MX requests followed by A requests but seeing that smtp relies on dns I figured the surrounding A records don't indicate much. I'll have to invest a little more research and practice. Thanks a lot for the reply.
    One other thing that I might add is that you should add the SPF record as both a type 99 and TXT record. The latest survey information I could find was DNS SURVEY: OCTOBER 2010 by Geoffrey Sisson. He found that 178,785 (15.9%) of zones published SPF records, and of those 178,732 were TXT records and 4,557 were type 99. I suspect that by the time the Type 99 record was approved, faith in SPF as an anti spam tool had already slipped.

    J.A. Coutts

IMN logo majestic logo threadwatch logo seochat tools logo