Home / Blogs

Fight Spam With the DNS, Not the CIA

John Fitzgibbon

It seems like spam is in the news every day lately, and frankly, some of the proposed solutions seem either completely hare-brained or worse than the problem itself. I'd like to reiterate a relatively modest proposal I first made over a year ago: Require legitimate DNS MX records for all outbound email servers.

MX records are one component of a domain's Domain Name System (DNS) information. They identify IP addresses that accept inbound email for a particular domain name. To get mail to, say, linux.com, a mail server picks an MX record from linux.com's DNS information and attempts to deliver the mail to that IP address. If the delivery fails because a server is out of action, the delivering server may work through the domain's MX records until it finds a server that can accept the mail. Without at least one MX record, mail cannot be delivered to a domain.

However, when the DNS was first put in place there was no requirement to be able to trace the identity of a sending mail server. This means that, as things stand, any IP address on the Internet can act as a mail server, even though it may be virtually anonymous and extremely difficult to trace. My proposal aims to close this loophole, so that only registered mail servers can send email.

Since this proposal depends on the existing DNS structure, it could be enacted (presumably with a grace period for organizations to get their mail servers registered) without requiring any initial technological changes whatsoever.

Over time, mail servers could be configured to reject mail that comes from other mail servers that have no MX record. Furthermore, since the MX record would be tied to the legal owner of the domain in question, additional filtering could be done to reject mail from servers that are owned by known spammers. In the longer term, this would decrease the complexity and increase the accuracy of mail filtering software. It also gives spammers fewer places to hide.

Of course this solution is useful only if the contact information for the domain in question is reliable, but this is an area that has been tackled already to some degree. ICANN-accredited domain registrars are required to include a contractual provision that contact information for a registered domain must be valid and up-to-date.

A downside to requiring MX records is that a mail server with an MX record is presumed to be capable of receiving mail. This would create headaches for organizations that currently depend on a division between outbound and inbound mail servers. This "headache," however, is more palatable than the current "life-threatening illness" that spam has become. In addition, one of the root causes of much of the spam we receive is the fact that mail servers can so easily be configured to send millions of messages without any legitimate mechanism for returning those same messages to the original sending IP address.

There are a number of steps organizations could take to mitigate the initial effects of having to register outbound mail servers, if they currently don't accept inbound mail on those servers:

Give the MX record of an outbound mail server a very low priority. A sending mail server is less likely to pick a receiving mail server that has an MX record with a low priority.
Register a separate domain for "outbound-only" MX records. If inbound mail is typically addressed to "someone@someplace.com" and you have outbound servers registered under "someplace_outbound_mail.com", then your outbound servers will never be selected for normal inbound mail.
With these mitigating measures in place, it would be safe to keep outbound mail servers closed to inbound mail. Current mail server technology is reliable enough to deal with the situation where one (or more) of many listed mail servers is found to be unavailable.
In the longer term though, it would be better to discontinue the practice of separating outbound and inbound mail server IP addresses. That was a legitimate technique when there was no other practical way to handle load-balancing and security, but today multi-homing and firewalling products can handle the load and security issues without requiring a specific division of mail server IP addresses. Discontinuing this practice would leave spammers sticking out like a sore thumb.

One final attraction of mail server registration: Enforcement is simple. No army of "men in black" is needed to chase down the lawbreakers — if you choose not to register your mail servers, or repeatedly send spam from those you do, then nobody will accept your mail.

Simple as that. 

By John Fitzgibbon, Software Engineer

Related topics: DNS, Domain Names, Email, ICANN, IP Addressing, Security, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Re: Fight Spam With the DNS, Not the CIA Mark Jeftovic  –  Jul 09, 2003 7:57 AM PDT

There is a recent proposal around this idea called Reverse MX or RMX. An internet draft exists at http://www.ietf.org/internet-drafts/draft-danisch-dns-rr-smtp-02.txt
and the author maintains a site at http://www.danisch.de/work/security/antispam.html

I think its an idea whose time cannot come fast enough.

Re: Fight Spam With the DNS, Not the CIA Joe S Alagna  –  Sep 08, 2003 12:12 PM PDT

This sounds like a great idea.  I have regularly been a victim of those that use my family web site address as the return address when they send out email.

This is very aggravating.  I would definitely switch to an ISP or host that could help me to prevent this from happening by using some type of reverse MX (RMX) check to disallow someone else from using my domain. I know it is more complicated than what I just described, but I certainly would support efforts to prevent this.  I think any legitimate email user or provider should support it.

Re: Fight Spam With the DNS, Not the CIA Neil Schwartzman  –  Sep 15, 2003 6:55 AM PDT

"Require legitimate DNS MX records for all outbound email servers"
One wonders how to "require" anything on the net these days, given that even a multi-partite letter from the FTC, Industry Canada and a ton of other International signatories was sent out in the vain hopes of getting installations to close open relays they have in place. Which, as far as I can tell, has failed as badly as the multitudinous anti-relay blacklists in use today.

The fight against spam is a multi-faceted one, requiring technical, legal and educational solutions to be put in place. Placing our eggs in one basket, the technical approach has brought about a crisis after ten years of trying. Time to give the other two the credence, time and effort the first one has been given.

Not to mean that approaches be developed at the expense of the tech solutions, but alongside them. Anything else is just waiting for people on the "other side" to find yet another way to send their wares.

Re: Fight Spam With the DNS, Not the CIA Dananwi  –  Sep 22, 2003 7:35 AM PDT

Sounds good to me John! I agree that your proposal is far better than the current dilemma and certainly more feasible than a "W3 Swat Team". 

Re: Fight Spam With the DNS, Not the CIA Matthew Elvey  –  Sep 27, 2003 11:16 PM PDT

Some of the more advanced RMX-style systems should have legs.  Please acknowledge that there are some that are better than yours, and endorse the best one, so we can get to a consensus and get it broadly implemented.  The system shoudn't be mandatory; it should simply be optional.  If a domain MAY designate a list of servers can send email 'from' it, then there are three categories: black (not on the list), white (on the list) and grey (there is no list).

Re: Fight Spam With the DNS, Not the CIA Henrique Moreira  –  May 07, 2006 4:55 AM PDT

There is an excelent draft on : http://www.danisch.de/software/rmx/
(updated the link referred above)

Some big email providers like google, hotmail and yahoo have separate inbound and outbound email servers.

If you "dig wr-out-0506.google.com a", for instance (see legitimate message below), you will get an impressive list of IPs (those take care of some google outbound mail).

But without the proposed DNS RMX RR, there would be no way to find out whether wr-out-0506.google.com would be potentially legitimate or not.

+++clip+++
2006-05-03 03:22:36 1Fb70Y-0007ce-OB <= hidden_sender@gmail.com H=wr-out-0506.google.com [64.233.184.227] P=esmtp S=1736 id=44580391.13f23b13.6127.5211@mx.gmail.com
2006-05-03 03:22:36 1Fb70Y-0007ce-OB SA: Action: scanned but message isn't spam: score=-1.6 required=5.0 (scanned in 6/6 secs | Message-Id: 44580391.13f2
3b13.6127.5211@mx.gmail.com). From (host=wr-out-0506.google.com [64.233.184.227]) for legitimate_rcpt@my.test.org
+++clip+++

In short, in my opinion, I think John Fitzgibbon touched the right direction: providers that use different inbound & outbound mail servers, should register not only MX servers (for the inbound messages), but also RMX for the outbound servers.

We will have to wait meanwhile… IETF first, then IANA, to authorize such added (DNS RMX RR) schemes.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Auctions Update: MMX Wins .law and .vip

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New .ORGANIC Top-Level Domain Welcomes Leading Brands As .ORGANIC Pioneers

Dot Chinese Online and Dot Chinese Website Featured in EURid's World Report on IDNs 2014

New .ORGANIC Top-Level Domain Opens to Serve the Organic Community

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

Independent Endorsement of Dot Chinese Online & Dot Chinese Website by by FiarWinds Partners

New gTLDs and Best Practices for Domain Management Policies (Video)

.Host Announces Top Global Players As Pioneer Partners

Public Interest Registry Releases Bi-Annual Report, .Org Domain Registrations Pass 10.4 Million

Public Interest Registry to Speak About Upcoming Launch of .ngo and .ong Domains for NPOs

Nominum Announces Future Ready DNS

DotConnectAfrica Trust Responds to ICANN 50 GAC Advice, Updates on .Africa Application IRP Status

New .ORGANIC Domain Sunrise Begins, Creating Verified Space 
for Organic Products and Services

Non-English "IDN Email" Addresses Are Finally Working!

TLD Registry to Speak at Inaugural World Domain Day India

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Independent Endorsement of Dot Chinese Online & Dot Chinese Website

ICANN London Recap Webinar

Sponsored Topics