Home / Blogs

Fight Spam With the DNS, Not the CIA

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
John Fitzgibbon

It seems like spam is in the news every day lately, and frankly, some of the proposed solutions seem either completely hare-brained or worse than the problem itself. I'd like to reiterate a relatively modest proposal I first made over a year ago: Require legitimate DNS MX records for all outbound email servers.

MX records are one component of a domain's Domain Name System (DNS) information. They identify IP addresses that accept inbound email for a particular domain name. To get mail to, say, linux.com, a mail server picks an MX record from linux.com's DNS information and attempts to deliver the mail to that IP address. If the delivery fails because a server is out of action, the delivering server may work through the domain's MX records until it finds a server that can accept the mail. Without at least one MX record, mail cannot be delivered to a domain.

However, when the DNS was first put in place there was no requirement to be able to trace the identity of a sending mail server. This means that, as things stand, any IP address on the Internet can act as a mail server, even though it may be virtually anonymous and extremely difficult to trace. My proposal aims to close this loophole, so that only registered mail servers can send email.

Since this proposal depends on the existing DNS structure, it could be enacted (presumably with a grace period for organizations to get their mail servers registered) without requiring any initial technological changes whatsoever.

Over time, mail servers could be configured to reject mail that comes from other mail servers that have no MX record. Furthermore, since the MX record would be tied to the legal owner of the domain in question, additional filtering could be done to reject mail from servers that are owned by known spammers. In the longer term, this would decrease the complexity and increase the accuracy of mail filtering software. It also gives spammers fewer places to hide.

Of course this solution is useful only if the contact information for the domain in question is reliable, but this is an area that has been tackled already to some degree. ICANN-accredited domain registrars are required to include a contractual provision that contact information for a registered domain must be valid and up-to-date.

A downside to requiring MX records is that a mail server with an MX record is presumed to be capable of receiving mail. This would create headaches for organizations that currently depend on a division between outbound and inbound mail servers. This "headache," however, is more palatable than the current "life-threatening illness" that spam has become. In addition, one of the root causes of much of the spam we receive is the fact that mail servers can so easily be configured to send millions of messages without any legitimate mechanism for returning those same messages to the original sending IP address.

There are a number of steps organizations could take to mitigate the initial effects of having to register outbound mail servers, if they currently don't accept inbound mail on those servers:

Give the MX record of an outbound mail server a very low priority. A sending mail server is less likely to pick a receiving mail server that has an MX record with a low priority.
Register a separate domain for "outbound-only" MX records. If inbound mail is typically addressed to "someone@someplace.com" and you have outbound servers registered under "someplace_outbound_mail.com", then your outbound servers will never be selected for normal inbound mail.
With these mitigating measures in place, it would be safe to keep outbound mail servers closed to inbound mail. Current mail server technology is reliable enough to deal with the situation where one (or more) of many listed mail servers is found to be unavailable.
In the longer term though, it would be better to discontinue the practice of separating outbound and inbound mail server IP addresses. That was a legitimate technique when there was no other practical way to handle load-balancing and security, but today multi-homing and firewalling products can handle the load and security issues without requiring a specific division of mail server IP addresses. Discontinuing this practice would leave spammers sticking out like a sore thumb.

One final attraction of mail server registration: Enforcement is simple. No army of "men in black" is needed to chase down the lawbreakers — if you choose not to register your mail servers, or repeatedly send spam from those you do, then nobody will accept your mail.

Simple as that. 

By John Fitzgibbon, Software Engineer

Related topics: DNS, Domain Names, Email, ICANN, IP Addressing, Security, Spam



Re: Fight Spam With the DNS, Not the CIA Mark Jeftovic  –  Jul 09, 2003 7:57 AM PDT

There is a recent proposal around this idea called Reverse MX or RMX. An internet draft exists at http://www.ietf.org/internet-drafts/draft-danisch-dns-rr-smtp-02.txt
and the author maintains a site at http://www.danisch.de/work/security/antispam.html

I think its an idea whose time cannot come fast enough.

Re: Fight Spam With the DNS, Not the CIA Joe S Alagna  –  Sep 08, 2003 12:12 PM PDT

This sounds like a great idea.  I have regularly been a victim of those that use my family web site address as the return address when they send out email.

This is very aggravating.  I would definitely switch to an ISP or host that could help me to prevent this from happening by using some type of reverse MX (RMX) check to disallow someone else from using my domain. I know it is more complicated than what I just described, but I certainly would support efforts to prevent this.  I think any legitimate email user or provider should support it.

Re: Fight Spam With the DNS, Not the CIA Neil Schwartzman  –  Sep 15, 2003 6:55 AM PDT

"Require legitimate DNS MX records for all outbound email servers"
One wonders how to "require" anything on the net these days, given that even a multi-partite letter from the FTC, Industry Canada and a ton of other International signatories was sent out in the vain hopes of getting installations to close open relays they have in place. Which, as far as I can tell, has failed as badly as the multitudinous anti-relay blacklists in use today.

The fight against spam is a multi-faceted one, requiring technical, legal and educational solutions to be put in place. Placing our eggs in one basket, the technical approach has brought about a crisis after ten years of trying. Time to give the other two the credence, time and effort the first one has been given.

Not to mean that approaches be developed at the expense of the tech solutions, but alongside them. Anything else is just waiting for people on the "other side" to find yet another way to send their wares.

Re: Fight Spam With the DNS, Not the CIA Dananwi  –  Sep 22, 2003 7:35 AM PDT

Sounds good to me John! I agree that your proposal is far better than the current dilemma and certainly more feasible than a "W3 Swat Team". 

Re: Fight Spam With the DNS, Not the CIA Matthew Elvey  –  Sep 27, 2003 11:16 PM PDT

Some of the more advanced RMX-style systems should have legs.  Please acknowledge that there are some that are better than yours, and endorse the best one, so we can get to a consensus and get it broadly implemented.  The system shoudn't be mandatory; it should simply be optional.  If a domain MAY designate a list of servers can send email 'from' it, then there are three categories: black (not on the list), white (on the list) and grey (there is no list).

Re: Fight Spam With the DNS, Not the CIA Henrique Moreira  –  May 07, 2006 4:55 AM PDT

There is an excelent draft on : http://www.danisch.de/software/rmx/
(updated the link referred above)

Some big email providers like google, hotmail and yahoo have separate inbound and outbound email servers.

If you "dig wr-out-0506.google.com a", for instance (see legitimate message below), you will get an impressive list of IPs (those take care of some google outbound mail).

But without the proposed DNS RMX RR, there would be no way to find out whether wr-out-0506.google.com would be potentially legitimate or not.

2006-05-03 03:22:36 1Fb70Y-0007ce-OB <= hidden_sender@gmail.com H=wr-out-0506.google.com [] P=esmtp S=1736 id=44580391.13f23b13.6127.5211@mx.gmail.com
2006-05-03 03:22:36 1Fb70Y-0007ce-OB SA: Action: scanned but message isn't spam: score=-1.6 required=5.0 (scanned in 6/6 secs | Message-Id: 44580391.13f2
3b13.6127.5211@mx.gmail.com). From (host=wr-out-0506.google.com []) for legitimate_rcpt@my.test.org

In short, in my opinion, I think John Fitzgibbon touched the right direction: providers that use different inbound & outbound mail servers, should register not only MX servers (for the inbound messages), but also RMX for the outbound servers.

We will have to wait meanwhile… IETF first, then IANA, to authorize such added (DNS RMX RR) schemes.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

Afilias Chairman Jonathan Robinson Wins ICANN's 2016 Leadership Award at ICANN 57

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

8 Tips to Find Your Perfect .COM Domain Name

Why .com is the Venture Capital Community's Power Player

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure