DNS validation

From ASRG
Anti-spam technique: DNS validation
Date of first use:
Effectiveness: High to Low
Popularity: Medium
Difficulty of implementation: Low
Where implemented: MTA
Harm: Low to High

DNS validation techniques attempt to verify that the SMTP client system is a legitimate mail server by checking that it has the DNS records such a server would be expected to have: forward records for the name it gives in HELO/EHLO, a reverse record for the IP address it connects from, or both.

There are a variety of such techniques, some more effective than others, and some more harmful than others.

The techniques include:

  • Looking for an MX or A record for the HELO/EHLO name used by the SMTP client system
  • Looking for a PTR record for the IP address of the SMTP client system side of the connection
  • Looking for an MX or A record for the HELO/EHLO name used by the SMTP client system and then checking whether any of the IP addresses obtained from the DNS lookup matches the IP address of the SMTP client side of the connection
  • Looking for a PTR record for the IP address of the SMTP client system side of the connection and then doing an A record lookup on the name returned to see if it resolves back to the IP address of the SMTP client system side (commonly called forward-confirmed reverse DNS)

There are several points to keep in mind when considering such techniques:

  • The DNS is prone to transient errors (as well as cache poisoning, which is less likely to be used here)
  • The reverse zones (where PTR records live) are generally set up with a very different delegation mechanism than the forward zones, so for anyone other than a large organization the PTR records tend to be administered entirely separately from the forward zone (often by the connectivity provider rather than the domain owner); thus, PTR records are often wrong and hard to maintain
  • Legitimate mail servers may use EHLO domains whose MX records point to different servers (for example, separate inbound and outbound servers)
  • Legitimate mail servers may serve multiple domains

Therefore, techniques involving PTR records generally have lower effectiveness and higher harm. Techniques which merely look for the presence of MX or A records for the domain sent in the EHLO/HELO command generally have higher effectiveness and lower harm, since they only check that the client claims to represent a domain that actually exists in the DNS. Techniques which are multi-step, using the results of one DNS query to feed the next, or which attempt to match the IP address of the SMTP client system, tend to have higher harm, because each additional lookup adds another point at which a transient DNS error or a legitimate but unusual configuration (separate inbound and outbound servers, multiple domains on one host) can cause a false rejection.
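The four techniques listed above, together with the transient-error caveat, as an added example written for this page (it is not the ASRG page's code and does not describe any particular MTA). It runs the checks against a constructed in-memory DNS table so it works offline; all names and addresses are invented (addresses are taken from the RFC 5737 documentation ranges), and the mapping of results to SMTP reply codes is a hypothetical policy chosen to show the point about transient errors: an unanswerable lookup yields a 451 temporary failure, never a 550 rejection.

```python
"""Four DNS validation checks an MTA can run on an SMTP client, run against
a constructed in-memory DNS table (added example, not the ASRG page's code)."""


class TransientDNSError(Exception):
    """Stands in for SERVFAIL / timeout: the answer is unknown, not negative."""


# Constructed zone data for the example; every name and address is invented.
FORWARD = {
    "example.net":       {"MX": ["mail.example.net"]},
    "mail.example.net":  {"A": ["192.0.2.10"]},
    # example.org uses separate inbound and outbound servers (the legitimate
    # setup the page warns about): its MX does not point at its outbound host.
    "example.org":       {"MX": ["mx-in.example.org"]},
    "mx-in.example.org": {"A": ["198.51.100.20"]},
    "out.example.org":   {"A": ["198.51.100.5"]},
}
REVERSE = {
    "192.0.2.10":   "mail.example.net",
    "198.51.100.5": "out.example.org",
    "203.0.113.7":  "stale.example.com",  # PTR whose name no longer has an A record
}
TRANSIENT = {"flaky.example.com"}  # names whose lookup fails transiently


def lookup(name, rtype):
    """Forward lookup; returns a list of records (empty = NXDOMAIN / NODATA)."""
    if name in TRANSIENT:
        raise TransientDNSError(name)
    return FORWARD.get(name, {}).get(rtype, [])


def lookup_ptr(ip):
    """Reverse lookup; returns the PTR name or None."""
    return REVERSE.get(ip)


# Technique 1: the HELO/EHLO name has an MX or A record.
def helo_has_record(helo):
    return bool(lookup(helo, "MX") or lookup(helo, "A"))


# Technique 2: the client IP has a PTR record.
def ip_has_ptr(ip):
    return lookup_ptr(ip) is not None


# Technique 3: an address behind the HELO name (its own A records, or the A
# records of its MX targets) equals the client IP.
def helo_matches_ip(helo, ip):
    candidates = set(lookup(helo, "A"))
    for mx in lookup(helo, "MX"):
        candidates.update(lookup(mx, "A"))
    return ip in candidates


# Technique 4: forward-confirmed reverse DNS: the PTR name's A records
# include the client IP.
def fcrdns(ip):
    name = lookup_ptr(ip)
    return name is not None and ip in lookup(name, "A")


CHECKS = {
    "helo_record": lambda helo, ip: helo_has_record(helo),
    "ptr":         lambda helo, ip: ip_has_ptr(ip),
    "helo_ip":     helo_matches_ip,
    "fcrdns":      lambda helo, ip: fcrdns(ip),
}


def smtp_verdict(helo, ip, check):
    """Hypothetical policy mapping a check to an SMTP reply. A transient DNS
    error is a 451 (try again later), never a 550: a DNS hiccup must not
    bounce legitimate mail."""
    try:
        ok = CHECKS[check](helo, ip)
    except TransientDNSError:
        return "451", "4.4.3 temporary DNS failure, try again later"
    if ok:
        return "250", "OK"
    return "550", f"5.7.1 {check} check failed for {helo} [{ip}]"


if __name__ == "__main__":
    for helo, ip in [("mail.example.net", "192.0.2.10"),
                     ("out.example.org", "198.51.100.5"),
                     ("example.org", "198.51.100.5"),
                     ("flaky.example.com", "203.0.113.7")]:
        for check in CHECKS:
            print(helo, ip, check, smtp_verdict(helo, ip, check))
```

The `example.org` rows show the harm the page describes: its outbound host passes the PTR and forward-confirmed checks, but the HELO-to-IP match fails because the domain's MX points at a separate inbound server, so that check would reject a perfectly legitimate sender. The `flaky.example.com` rows show why the error path matters: a transient failure on the HELO lookup is deferred with 451 rather than rejected, while the stale PTR on its IP fails forward confirmation outright.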