Email Questions  
     

Left Nav Register Home Forum Email Directory Email Marketing Search Today's Posts Mark Forums Read Right Nav

Left Container Right Container
 

Go Back   Email Questions Email Forums Mail Server Support


Mail Server Support Technical discussions with systems administrators about email servers, software, and appliances.

Fake MX Records - Null MX Records

Mail Server Support


Reply
 
LinkBack Thread Tools Display Modes
Old Saturday, December 11th, 2010   #1
Postmaster
 
popowich's Avatar
 
Join Date: Aug 2008
Location: Rochester, NY
Posts: 6,723
Thanks: 834
Thanked 619 Times in 581 Posts
Default Fake MX Records - Null MX Records

A Fake MX record is an extra MX record in the DNS for your domain that is created with the intent of confusing spambots.

The terms fake mx record and null mx record seems to be interchangeable and not used consistently.

Many spambots target the lowest priority (highest number) MX record hoping to hit a backup-mx spooling mail server that has weaker anti-spam mechanisms that the primary MX records for the domain.

For example you might have the existing MX records :

@ MX 10 mail.example.com
@ MX 20 backup-mx.example.com

This is one of the several reasons why I don't like backup-mx services.

To create a Fake MX record you would add another MX record :

@ MX 10 mail.example.com
@ MX 20 backup-mx.example.com
@ MX 30 fake-mx.example.com

The fake-mx.example.com could take a couple forms including :
  • An A record pointing to an IP address that does not listen on port 25/tcp
  • A mail mail server that always defers incoming email connections with a 4xx smtp code.
I can see the logic in some mail admins wanting to create a fake mx record but I am not an advocate of this practice. Their goal is to have spambots hit the MX 30 above so that fewer resources are consumed on their incoming mail servers by spammers. If you are going to create a fake MX record I'd recommend that it point to a mail server that defers the connections so at least you'll have the mail logs when troubleshooting incoming email problems.

I have also read about mail admins that create a fake mx record as the highest priority MX record. In this case they always use a null MX record that does not answer on port 25. I feel that this is too aggressive and should never be done since it's more likely to cause problems with you receiving email email. An example of this MX record configuration is :

@ MX 05 fake-mx1.example.com
@ MX 10 mail.example.com
@ MX 20 backup-mx.example.com
@ MX 30 fake-mx2.example.com

My recommendation for your MX records would be either of the following :

@ MX 10 mail.example.com

or, if you must...

@ MX 10 mail.example.com
@ MX 20 fake-mx.example.com

Again, I don't believe there is ever a reasonable situation that would require creating MX records as both the highest and lowest priority MX records in your DNS.
__________________

Register today to ask an email question in our email forums. Do you need urgent help? We offer Live Email Support!
popowich is offline   Reply With Quote



Old Monday, February 28th, 2011   #2
prxy, Inc.
 
prxy's Avatar
 
Join Date: Feb 2011
Location: Northern California
Posts: 1
Thanks: 0
Thanked 2 Times in 1 Post
Thumbs up Re: Fake MX Records - Null MX Records

Here are two references to help differentiate between Fake MX and Null MX records.

Fake MX records normally refer to MX records that always return a temporary (4XX status code) failure, as you describe, requiring the sending server to try again later:
OtherTricks - Spamassassin Wiki

Null MX records were for domains that do not accept email at all. There was an IETF Draft for Null MX records, though the draft itself never went anywhere:
draft-delany-nullmx-00 - A NULL MX Resource Record means "I never accept email"

Unfortunately I haven't seen an official replacement to define a "no mail" domain. I've seen other variations such as "dev.null" as the MX host, but that has similar problems to "." (special case to deal with for optimal use, potential load on root DNS servers, etc).

You can use an SPF record to define that no mail is sent by a domain (e.g. a TXT record specifying "v=spf1 -all"), but that is generally checked by receivers (if it's checked at all!), not senders, so senders will still try to deliver to the MX host (or fall back to the A host).

When implementing different strategies, note that the RFC-Ignorant blacklist captures domains with bogus host names (private space, non-resolving etc) in their MX records:
Listing policy for bogusmx.rfc-ignorant.org zone
This doesn't impact the strategies described above, but I mention it just in case you're thinking of other variations

Noah
prxy, Inc.
prxy is offline   Reply With Quote
The Following 2 Users Say Thank You to prxy For This Useful Post:
Big Dan (Monday, February 28th, 2011), popowich (Monday, February 28th, 2011)
Old Monday, February 28th, 2011   #3
Postmaster
 
popowich's Avatar
 
Join Date: Aug 2008
Location: Rochester, NY
Posts: 6,723
Thanks: 834
Thanked 619 Times in 581 Posts
Default Re: Fake MX Records - Null MX Records

I've never had to the need to deploy any of the above solutions but while talking with others the terms seems to get mangled. Thanks for some clarification! No, I'm not thinking of using those or other variations msyelf. Within my largest email environment we used the F5 MSM module on our Big IP's as the first level perimeter defense. With our scoring system we were rejecting 70-80% of incoming email. There were some other RBL's, SpamAssassin, in house rules, and other stuff going on, but I never saw the need to add fake MX records and risk introducing problems into the environment. File it under not having an answer to what problem are you trying to solve?
__________________

Register today to ask an email question in our email forums. Do you need urgent help? We offer Live Email Support!
popowich is offline   Reply With Quote
Old Tuesday, March 1st, 2011   #4
Postmaster
 
popowich's Avatar
 
Join Date: Aug 2008
Location: Rochester, NY
Posts: 6,723
Thanks: 834
Thanked 619 Times in 581 Posts
Default Re: Fake MX Records - Null MX Records

I noticed the bind 9.8 announcement mentioned the "." MX records :

* Don't run MX checks (check-mx) when the MX record points to ".".
[RT #22645]
__________________

Register today to ask an email question in our email forums. Do you need urgent help? We offer Live Email Support!
popowich is offline   Reply With Quote
Reply

Tags
fake, null, records

Thread Tools
Display Modes


Similar Threads
Thread Thread Starter Forum Replies Last Post
We encountered a problem with our database and a lot of records were lost lori Hotmail 1 Wednesday, December 2nd, 2009 10:13 PM
DNS MX Records and Reverse DNS for Mail Servers popowich Mail Server Support 0 Thursday, February 12th, 2009 11:23 AM
SPF Records popowich Email Discussions 0 Monday, December 8th, 2008 01:19 PM
How to fake Thunderbird into sending from addresses that don't exist? Big Dan Mozilla Thunderbird 7 Monday, August 18th, 2008 03:01 PM



All times are GMT -4. The time now is 10:23 AM.


vBulletin
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.