Bug: Messages with No PTR (Reverse DNS) are accepted
Problem reported by kevind - February 4, 2016 at 12:47 PM
Being Fixed
We have SM configured to block at SMTP for no Reverse DNS. However, every so often we see a message get through with no PTR record. Here's the message header:
Return-Path: <>
Received: from 118.137.150.59 (UnknownHost [36.70.247.62]) by mail.example.com with SMTP;
   Thu, 4 Feb 2016 08:54:25 -0500
Received: from unknown (HELO localhost) (andreamontalto@skyservice.com.ua@51.159.43.216)
	by 39.255.39.163 with ESMTPA; Thu, 4 Feb 2016 20:55:42 +0700
X-Originating-IP: 51.159.43.216
Here's the SMTP log:
 
[2016.02.04] 08:54:03 [36.70.247.62][29751841] rsp: 220 mail.example.com
[2016.02.04] 08:54:03 [36.70.247.62][29751841] connected at 2/4/2016 8:54:03 AM
[2016.02.04] 08:54:04 [36.70.247.62][29751841] cmd: HELO 118.137.150.59
[2016.02.04] 08:54:04 [36.70.247.62][29751841] rsp: 250 mail.example.com Hello [36.70.247.62]
[2016.02.04] 08:54:04 [36.70.247.62][29751841] cmd: MAIL FROM:<>
[2016.02.04] 08:54:15 [36.70.247.62][29751841] rsp: 250 OK <> Sender ok
[2016.02.04] 08:54:15 [36.70.247.62][29751841] cmd: RCPT TO:<kevind@example.com>
[2016.02.04] 08:54:15 [36.70.247.62][29751841] rsp: 250 OK <kevind@example.com> Recipient ok
[2016.02.04] 08:54:16 [36.70.247.62][29751841] cmd: DATA
[2016.02.04] 08:54:25 [36.70.247.62][29751841] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2016.02.04] 08:54:25 [36.70.247.62][29751841] rsp: 250 OK
[2016.02.04] 08:54:25 [36.70.247.62][29751841] Data transfer succeeded, writing mail to 76807827.eml

 
Now the message goes to Spam folder because of other reasons (RBL, Bayes, Commtouch) but ReverseDNS is not in the X-SmarterMail-Spam: line.
 
Thanks,
Kevin
 

36 Replies

0
Bruce Barnes Replied
This is very dependent on the configuration of your SmarterMail server.
 
A couple of questions for you:
 
What version of SmarterMail?
 
How is your antispam configured?  Are you checking for a matching e-mail address or domain in REQUIRE AUTH MATCH under SMTP IN?
 
Are you checking for rDNS in your SmarterMail spam checks?
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
3
kevind Replied
Bruce, thanks for the reply. I think we have everything set up properly as it works 99% of the time. Answers:
  • Version 14.4.5801 (upgrading to 14.5 tomorrow)
  • Protocol Settings -> SMTP In
  • Antispam Administration -> Spam Checks -> Reverse DNS
    • weight is equal to the threshold for blocking
    • both Filtering and Incoming SMTP blocking are checked
Also, there are no 'negative' spam checks for this email. I've seen a negative score for SPF combine with a ReverseDNS score to fall under the SMTP Block threshold. Then of course ReverseDNS would be in the X-SmarterMail-Spam: header line, but it's not.
 
I'm thinking that this message is making it through because it's coming in on a port other than 25, or it has a null value for MAIL FROM:, or the HELO looks like an IP address. But I tried all these and couldn't duplicate.
0
Bruce Barnes Replied
Is the sending e-mail address or domain whitelisted or SMTP bypassed at the SmarterMail administrative level?
3
kevind Replied
No, I looked and didn't see anything in the whitelist, SMTP bypass, or Trusted Senders that would let this through. If there was, I think it would score 0 and say whitelisted, but it scored over 30 points and went into quarantine.
 
I subscribe to the philosophy that nothing should be trusted or whitelisted unless it can be validated. See my comments/ideas here: http://portal.smartertools.com/community/a86864/why-not-validate-trusted-senders.aspx
 
If SM shows UnknownHost in the message header, doesn't that mean Reverse DNS not found? Idea: SM could show the results of the Reverse DNS lookup in the log file:
  • Found and list the FQDN
  • No PTR record
  • Problem with DNS (e.g. timed out)
I think there might be a loophole here; just not able to figure out what it is.
0
kevind Replied
Changing this from a Question to a Problem as it looks like others have experienced this...

http://portal.smartertools.com/community/a75/reverse-dns-spam-check-never-failing.aspx
4
David Jamell Replied
I'm seeing the same in SM 15.3.6081.
 
I saw this message come in this morning that was clearly spam, so I investigated.
 
This is the SMTP Log for the session:
 
[2016.12.09] 07:18:01 [84.244.60.35][59632797] rsp: 220 vps10.jamelldigital.com  Fri, 09 Dec 2016 13:18:01 +0000 UTC
[2016.12.09] 07:18:01 [84.244.60.35][59632797] connected at 12/9/2016 7:18:01 AM
[2016.12.09] 07:18:01 [84.244.60.35][59632797] cmd: HELO 84.244.60.35
[2016.12.09] 07:18:01 [84.244.60.35][59632797] rsp: 250 vps10.jamelldigital.com Hello [84.244.60.35]
[2016.12.09] 07:18:01 [84.244.60.35][59632797] cmd: MAIL FROM:<>
[2016.12.09] 07:18:08 [84.244.60.35][59632797] rsp: 250 OK <> Sender ok
[2016.12.09] 07:18:08 [84.244.60.35][59632797] cmd: RCPT TO:<admin@timenglishandassoc.com>
[2016.12.09] 07:18:08 [84.244.60.35][59632797] rsp: 250 OK <admin@timenglishandassoc.com> Recipient ok
[2016.12.09] 07:18:08 [84.244.60.35][59632797] cmd: DATA
[2016.12.09] 07:18:08 [84.244.60.35][59632797] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2016.12.09] 07:18:09 [84.244.60.35][59632797] rsp: 250 OK
[2016.12.09] 07:18:09 [84.244.60.35][59632797] Data transfer succeeded, writing mail to 431200245377.eml
[2016.12.09] 07:18:09 [84.244.60.35][59632797] cmd: QUIT
[2016.12.09] 07:18:09 [84.244.60.35][59632797] rsp: 221 Service closing transmission channel
[2016.12.09] 07:18:09 [84.244.60.35][59632797] disconnected at 12/9/2016 7:18:09 AM
And the corresponding Delivery Log Session:
 
[2016.12.09] 07:18:09 [45377] Delivery started for  at 7:18:09 AM
[2016.12.09] 07:18:12 [45377] Error checking SPF Record: Spf check failed due to null sender's domain
[2016.12.09] 07:18:15 [45377] Spam check results: [BARRACUDA - BRBL: passed], [CBL ABUSE SEAT: passed], [HOSTKARMA - BLACKLIST: passed], [MAILSPIKE Z: passed], [RFC2 REALTIME LIST: passed], [SORBS 02 - HTTP: passed], [SORBS 03 - SOCKS: passed], [SORBS 05 - SMTP: passed], [SORBS 08 - BLOCK: passed], [SORBS 09 - ZOMBIE: passed], [SORBS 11 - BAD CONFIG: passed], [SORBS 12 - NOMAIL: passed], [SORBS 13 - NOSERVER: passed], [SPAMCOP: passed], [SPAMHAUS - PBL 1: passed], [SPAMHAUS - PBL 2: passed], [SPAMHAUS - SBL 1: passed], [SPAMHAUS - SBL 2: passed], [SPAMHAUS - XBL 1: passed], [SPAMHAUS - XBL 2: passed], [SPAMHAUS - XBL 3: passed], [SPAMHAUS - XBL 4: passed], [SPAMHAUS - ZEN: passed], [SPAMRATS: passed], [SURRIEL: passed], [VIRUSRBL - MSRBL: passed], [_REVERSEDNSLOOKUP: failed], [_BAYESIANFILTERING: passed], [_DK: None], [_DKIM: None], [NO ABUSE: passed], [NO POSTMASTER: passed], [SEM-URIBL: passed], [SEM-URIRED: passed], [SORBS 04 - MISC: passed], [SORBS 06 - RECENT: passed], [SORBS 07 - WEB: passed], [SORBS 10 - DYNAMIC IP: passed], [SURBL - ABUSE BUSTER: passed], [SURBL - JWSPAMSPY: passed], [SURBL - MALWARE: passed], [SURBL - PHISHING: passed], [SURBL - SA BLACKLIST: passed], [SURBL - SPAMCOP WEB: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: failed], [UCEPROTECT LEVEL 3: passed], [URIBL BLACK: passed], [URIBL GREY: passed], [URIBL MULTI: passed], [URIBL RED: passed]
[2016.12.09] 07:18:18 [45377] Starting local delivery to admin@timenglishandassoc.com
[2016.12.09] 07:18:18 [45377] Delivery for  to admin@timenglishandassoc.com has completed (Forwarded Deleted) Filter: None
[2016.12.09] 07:18:18 [45377] End delivery to admin@timenglishandassoc.com
[2016.12.09] 07:18:21 [45377] Starting local delivery to djamell@jamelldigital.com
[2016.12.09] 07:18:21 [45377] Delivery for  to djamell@jamelldigital.com has completed (Delivered) Filter: None
[2016.12.09] 07:18:21 [45377] End delivery to djamell@jamelldigital.com
[2016.12.09] 07:18:21 [45377] Delivery finished for  at 7:18:21 AM	[id:431200245377]
And here is the Header of the received message:
Return-Path: <>
Received: from 84.244.60.35 (UnknownHost [84.244.60.35]) by vps10.jamelldigital.com with SMTP;
   Fri, 9 Dec 2016 07:18:08 -0600
Received: from unknown (HELO localhost) (cboquin@uralpost.ru@195.115.179.98)
	by 84.244.60.35 with ESMTPA; Fri, 9 Dec 2016 21:22:24 +0800
X-Originating-IP: 195.115.179.98
From: cboquin@uralpost.ru
To: admin@timenglishandassoc.com
Subject: Take a look at good health products
Date: Fri, 9 Dec 2016 21:08:45 +0800
Message-ID: <495589216bd44465bcc19e8541790e77@com>
X-SmarterMail-Spam: Reverse DNS Lookup, DK_None, DKIM_None, UCEProtect Level 2
X-SmarterMail-TotalSpamWeight: 4
X-Antivirus: avast! (VPS 161208-3, 12/08/2016), Inbound message
X-Antivirus-Status: Clean
 
I suspect the MAIL FROM:<> as part of the problem.
 
I've followed Bruce's Antispam Guide and have confirmed all of the things Bruce has asked about in this thread as being setup properly.
 
0
kevind Replied
I agree that MAIL FROM:<> could be the problem. Seems like that bypasses several SM spam checks including greylisting. This gives spammers an open door which is not good.

Be sure to vote for this thread so that SM can recognize it as a problem and fix.
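As an added example (not code from the thread, from SmarterTools or from SmarterMail), here is a small Python parser for the SMTP log format shown above. It reconstructs each session from the `cmd:`/`rsp:` lines and flags the pattern the last few posts point at: a message accepted after `MAIL FROM:<>`, noting as well when the HELO argument is a bare IP literal. The first session in the sample is the one from the opening post; the second (`192.0.2.50`, `mx.example.org`, `alice@example.org`) is constructed so there is an ordinary session that must not be flagged. Running this over a day's SMTP log shows how many null-sender messages are getting in while the fix is pending.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# SmarterMail SMTP log line shape as quoted in this thread, e.g.
# [2016.02.04] 08:54:04 [36.70.247.62][29751841] cmd: HELO 118.137.150.59
LINE_RE = re.compile(
    r"^\[(?P<date>[\d.]+)\] (?P<time>\d\d:\d\d:\d\d) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<sid>\d+)\] (?P<kind>cmd|rsp): (?P<text>.*)$"
)
ANGLE_RE = re.compile(r"<([^>]*)>")


@dataclass
class Session:
    ip: str
    helo: Optional[str] = None
    mail_from: Optional[str] = None      # "" means the null sender MAIL FROM:<>
    rcpts: List[str] = field(default_factory=list)
    awaiting_data_result: bool = False
    accepted: bool = False               # server answered 250 after the message body


def _addr(arg: str) -> str:
    """Pull the path out of 'FROM:<...>' / 'TO:<...>'; empty string for <>."""
    m = ANGLE_RE.search(arg)
    return m.group(1).strip() if m else arg.split(":", 1)[-1].strip()


def parse_sessions(lines) -> Dict[str, Session]:
    sessions: Dict[str, Session] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:                        # 'connected at', 'Data transfer succeeded', blanks
            continue
        s = sessions.setdefault(m["sid"], Session(ip=m["ip"]))
        text = m["text"]
        if m["kind"] == "cmd":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                s.helo = arg.strip()
            elif verb == "MAIL":
                s.mail_from = _addr(arg)
            elif verb == "RCPT":
                s.rcpts.append(_addr(arg))
            elif verb == "DATA":
                s.awaiting_data_result = True
        elif s.awaiting_data_result and not text.startswith("354"):
            # the first reply after "354 Start mail input" is the verdict on the message
            s.accepted = text.startswith("250")
            s.awaiting_data_result = False
    return sessions


def is_ip_literal(helo: str) -> bool:
    try:
        ipaddress.ip_address(helo.strip("[]"))
        return True
    except ValueError:
        return False


def flag_null_sender_sessions(sessions: Dict[str, Session]) -> List[Tuple[str, str, List[str]]]:
    """Sessions that got a message delivered with MAIL FROM:<>; HELO-as-IP is noted too."""
    findings = []
    for sid, s in sessions.items():
        if s.accepted and s.mail_from == "":
            reasons = ["null sender (MAIL FROM:<>) accepted"]
            if s.helo and is_ip_literal(s.helo):
                reasons.append("HELO argument is a bare IP literal")
            findings.append((sid, s.ip, reasons))
    return findings


# Sample input: the session from the opening post, plus one constructed ordinary
# session (192.0.2.50 / mx.example.org) that must not be flagged.
SAMPLE_LOG = """\
[2016.02.04] 08:54:03 [36.70.247.62][29751841] rsp: 220 mail.example.com
[2016.02.04] 08:54:03 [36.70.247.62][29751841] connected at 2/4/2016 8:54:03 AM
[2016.02.04] 08:54:04 [36.70.247.62][29751841] cmd: HELO 118.137.150.59
[2016.02.04] 08:54:04 [36.70.247.62][29751841] rsp: 250 mail.example.com Hello [36.70.247.62]
[2016.02.04] 08:54:04 [36.70.247.62][29751841] cmd: MAIL FROM:<>
[2016.02.04] 08:54:15 [36.70.247.62][29751841] rsp: 250 OK <> Sender ok
[2016.02.04] 08:54:15 [36.70.247.62][29751841] cmd: RCPT TO:<kevind@example.com>
[2016.02.04] 08:54:15 [36.70.247.62][29751841] rsp: 250 OK <kevind@example.com> Recipient ok
[2016.02.04] 08:54:16 [36.70.247.62][29751841] cmd: DATA
[2016.02.04] 08:54:25 [36.70.247.62][29751841] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2016.02.04] 08:54:25 [36.70.247.62][29751841] rsp: 250 OK
[2016.02.04] 08:54:25 [36.70.247.62][29751841] Data transfer succeeded, writing mail to 76807827.eml
[2016.02.04] 09:10:00 [192.0.2.50][29751999] cmd: EHLO mx.example.org
[2016.02.04] 09:10:01 [192.0.2.50][29751999] cmd: MAIL FROM:<alice@example.org>
[2016.02.04] 09:10:01 [192.0.2.50][29751999] rsp: 250 OK <alice@example.org> Sender ok
[2016.02.04] 09:10:01 [192.0.2.50][29751999] cmd: RCPT TO:<kevind@example.com>
[2016.02.04] 09:10:02 [192.0.2.50][29751999] cmd: DATA
[2016.02.04] 09:10:02 [192.0.2.50][29751999] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2016.02.04] 09:10:05 [192.0.2.50][29751999] rsp: 250 OK
""".splitlines()

SAMPLE_FINDINGS = flag_null_sender_sessions(parse_sessions(SAMPLE_LOG))

if __name__ == "__main__":
    for sid, ip, reasons in SAMPLE_FINDINGS:
        print(f"session {sid} from {ip}: " + "; ".join(reasons))
```

The parser keys on the session id in the second bracket pair, so interleaved sessions in a busy log are reconstructed correctly; lines without `cmd:`/`rsp:` (the `connected at` and `Data transfer succeeded` lines) are skipped on purpose.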
5
kevind Replied
Just wishing this thread a Happy Birthday as it's over a year old. It looks like the problem is that when a spammer sends email using a null sender (MAIL FROM:<>), SmarterMail skips many of the spam checks. A null sender is basically a 'get in free' card for spam.
 
Requested Fix: SmarterMail should apply anti-spam features (PTR check, greylisting, etc.) to messages from Null Senders.
 
Would be nice if this could be checked into the 15.6 build so we don't have to wait for 16. Thanks!
5
kevind Replied
Requesting that this vulnerability be fixed in 15.7.
 
Spammers are currently exploiting this 'open door' to send spam to SmarterMail servers. Thanks.
5
echoDreamz Replied
We have had constant issues with the RDNS checks in SmarterMail, it is nearly useless. Declude's RDNS check does a much much better job. We've had emails come in that have absolutely no reverse DNS entries at all, SmarterMail? SmarterMail just says "SURE!!! COME ON IN!!!". I think they are using the built in .net Dns.GetHostEntry method, which in our testing, is extremely hit and miss.
 
We did a test with 5,000 unique IP addresses we collected from our logs randomly over a month. Ran all of them through the built-in .net methods vs. using the SimpleDNS .net library vs. an API service (viewdns.info).
 
The SimpleDNS and ViewDNS.info APIs came back with the exact same results. The .net methods were all over the place, IP addresses that had previously passed, were now failing, even though there was nothing wrong with them. IPs that had no PTR records were coming back OK, just all over the map.
 
IMO - SmarterTools needs to do a better implementation of the reverse DNS checks. Including an option for verifying that the reverse / forward DNS entries match

Christopher

0
kevind Replied
+1 for adding a Forward Confirmed reverse DNS (FCrDNS) check and assigning some points if that failed. There used to be a thread on it somewhere in this forum, but I couldn't find it.

More info on FCrDNS at https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
3
kevind Replied
Just received a spam message with no PTR:
Return-Path: <Enhance-Brain-Power@thing.improvememorythrough.us>
Received: from thing.improvememorythrough.us (UnknownHost [45.34.144.244]) by mydomain.com with SMTP;
Date: Wed, 09 Aug 2017 13:41:08 -0700
Content-Type: text/plain
From: Enhance Brain Power <Enhance-Brain-Power@thing.improvememorythrough.us>
Subject: Celebrities like Robert De Niro are using brain-enhancements to easily memorize their lines.
and it reminded me to check on this thread because IPs with no PTR should be blocked.
 
I noticed that Return Path was not null, so that supports C. York's comments above.
 
Hoping this issue can be solved to help reduce spam. Thanks.
0
echoDreamz Replied
We have emails that come in daily that either have no PTR at all or do and it improperly flags them. It's been like this for as long as I can remember. I wish SmarterMail had a spam API that you could tie into; we would just write our own checking utility.

Christopher

0
kevind Replied
Doesn't seem like you should have to write your own code to fix defects in software that you're paying for. :)
0
echoDreamz Replied
It is not an issue directly with SmarterMail itself. It’s the .net dns resolver methods that are finicky at best.

Christopher

0
kevind Replied
Still their issue. When you buy a car with defective airbags or tires, the manufacturer takes responsibility.

Regardless, there's still a bug here. When SM receives a message with null sender (MAIL FROM:<>), many of the spam checks (PTR check, greylisting, etc.) are skipped.
0
echoDreamz Replied
The null / empty sender issue has been fixed in a minor release scheduled for tomorrow - See - https://portal.smartertools.com/community/a89457/vulnerability-no-spam-checks-for-null-senders.aspx

Christopher

0
echoDreamz Replied
I really wish they would allow FCDNS checking... We got blasted with about 1000 emails from 192.140.23.124. IP is not listed in Spamhaus etc. So it got through RBL checks. Cyren knocked it down, but still, that is extra content processing that should not be needed.

http://multirbl.valli.org/lookup/192.140.23.124.html

Has no FCDNS though, so IMO, this should fail. Your IP is same issue, no PTR at all, but still passed through. This is why I wish SM had a spam API, I'd write my own REVDNS checker and call it a day. We had our own with Declude, but we stopped using it due to instabilities with it.

Christopher

3
Derek Curtis Replied
Employee Post
Just to piggy back on what Chris mentioned, yes, the null/empty sender issue is fixed and will be in the next minor. 
 
As for reverse DNS, we've looked at the solutions mentioned as well as some others. This is another area we'll focus on for a future release. Thanks for bringing it up and for the suggestions. 
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
1
echoDreamz Replied
I hope it is fixed soon... Received 22 spam emails today, all of them had ZERO ptr records, just flew right on through.

Christopher

0
kevind Replied
For anyone reading this, here's a new thread to vote for FCrDNS: https://portal.smartertools.com/community/a88965/reverse-dns-check-improvements.aspx
0
kevind Replied
For anyone reading this, here's a thread to vote for FCrDNS:
https://portal.smartertools.com/community/a88965/reverse-dns-check-improvements.aspx
2
kevind Replied
Just checking on the status of this issue. It continues to be a problem in v15.7, but seems to occur randomly. Here's a spam message received earlier today with no reverse DNS.  It should have scored 30 points and been rejected during SMTP.
Return-Path: <Znfra.Iryan_1m@fullpof1.thistimetochange10.onmicrosoft.com>
Received: from free.profitgainless.com (UnknownHost [66.71.245.102]) by mail.smartermail15.com with SMTP;
    Thu, 22 Feb 2018 14:47:08 -0500
MIME-version: 1.0
Content-type: text/html
To: user@smartermail15.com
from: =?UTF-8?Q?=54=68=65=20=55=6C=74=69=6D=61=74=65=20=52=65=65=6E=65=72=67=69=7A=69=6E=67=20=50=72=6F=74=6F=63=6F=6C?=<HHgyRlMA.gvipiinkiq_NGR6Rgtibi445KNIcG@physics.metu.edu.tr>
Sender: <Nde4j1mKY.blqkpmbqtkb_16462_NGR6Rgtibi445KNIcG@email.amazonses.com>
Reply-To: <bounce-7003_HTML-310263742-12205-7215456-541717@bounce.s7.exacttarget.com>
Subject: =?UTF-8?Q?=49=74=27=73=20=46=69=6E=61=6C=6C=79=20=48=65=72=65=21=20=54=68=65=20=53=6F=6C=61=72=20=50=61=6E=65=6C=20=22=4B=69=6C=6C=65=72=22=20=49=73=20=4F=6E=20=54=68=65=20=4D=61=72=6B=65=74=2E?=
Date: Thu, 22 Feb 2018 14:26:33 -0500
Message-ID: <f2d44a7293344c98b77ae5536fa7ff2b@com>
X-Exim-Id: f2d44a7293344c98b77ae5536fa7ff2b
X-SmarterMail-Spam: SPF_Pass, Commtouch 20 [value: Confirmed], DKIM_None, Custom Rules []
X-CTCH-RefId: str=0001.0A020201.5A8F1DF4.0147,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
What would allow it to slip through?  Because it passes SPF?  The log says it passes the reverse DNS check, but we checked all DNS servers in use and none of them have a PTR record for this IP.
0
kevind Replied
Wow, Happy 2nd Birthday to this thread. Time flies.
0
kevind Replied
FWIW, in case anyone is interested, the subject of this message is:
It's Finally Here! The Solar Panel "Killer" Is On The Market.
:)
3
kevind Replied
Saw this post about UnknownHost which reminded me of this thread. So just checking to see if this item is still on the list to be fixed.
Thanks.
3
Paul Blank Replied
I hope you're not holding your breath while waiting for a fix.
0
Hemen Shah Replied
Kevin, I have a similar issue with the "Received from unknown host" thing. My ask here is: which setting in SM lets it identify the Received-from MX host / IP (instead of the local PC/ISP info)?
E.g., from your snapshot above it reads as below, wherein the IP 66.71 is your ISP IP and not your MX IP or host:

Received: from free.profitgainless.com (UnknownHost [66.71.245.102]) by mail.smartermail15.com with SMTP;
0
kevind Replied
Nope, lol. After 2.3 years, I guess I should give up. Would hope core email functionality would take priority vs. adding new features like video conferencing.
0
Matthew Leyda Replied
Oh, come on now. You need iPhone browser support, Calendars and Chat. Tim will tell you so. Nobody wants email to work anymore.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
kevind Replied
Hemen, not sure I fully understand your question, but I'll see if I can answer.

The 66.71.245.102 is the IP that is sending the message to our server. SmarterMail does a reverse DNS and finds no PTR record, so it puts UnknownHost next to the IP. This should score 30 points and the message should be blocked, but somehow it makes it through.
0
kevind Replied
rofl, I might have 1 user out of 5000 that checks webmail on their phone. Everyone wants to use the native email client on their mobile device because that's how icloud, gmail, outlook, yahoo, aol, and every other mail provider does it.

If only SmarterMail could offer EAS for $199/server like EWS and MAPI we'd be in business.
0
Paul Blank Replied
I have ZERO users who use webmail on their phone. Nobody has ever asked for it as an option. ONE user asked for it on an iPad some time ago, but the IOS app is totally fine for them. Everyone uses an app for that (or the phone's built-in email). Needless to say, they need email more than anything else.

For one, "Nine" email works great with EAS for mail and calendars (it's in beta for IOS, have installed it on a few Android phones). We're not sensitive to the price of EAS on SM. Cheaper is always better, all other things being equal, but it's not an issue.
0
Hemen Shah Replied
Kevin, I understood that, but my practical issue is this: I am on a network which uses a particular ISP's connectivity. Now, when I send email from this network using a SmarterMail domain, the IP in question shown in "Received from" is the ISP's, which will never have a PTR record because that is an internet service provider. I want it to show the mail server IP instead, so that at the recipient end it validates properly. Hope you got my point.
0
kevind Replied
If I understand correctly, you will need to talk to your ISP and have them add a PTR record. There is no way to do that from within SmarterMail. Adding this will help with your message delivery as many servers block for no PTR record.
0
Benjamin Breedlove Replied
Can you please send a weblink for the documentation of the NULL Sender options?
