Reverse DNS Check Improvements
Idea shared by echoDreamz - May 16, 2017 at 11:42 AM
Completed
Right now it seems that SmarterMail only does the reverse verification when doing reverse DNS checks, it does not do any forward confirmations either.
 
For example, mail server connects with IP 1.2.3.4 which resolves to mail.server.com, however mail.server.com resolves only to 15.16.17.18. To me this seems like an issue. Especially when many DNS providers will not setup RDNS entries unless the hostname is also forward confirmed.
 
IMO SmarterMail's RDNS checks should also perform forward lookup checks to make sure the entire cycle is completed.

Christopher

51 Replies

1
+1 Please add a FCrDNS check.
https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS

It would be nice to score this as SMTP reject might be a little aggressive.
1
Just posted a link to this from another thread. Suggest renaming the title to Forward DNS or FCrDNS Check Improvements so that more people can find and vote for it.
8
Wanted to bump this thread as I saw lots of spam with no FCrDNS over the weekend.
 
Many spammers don't bother to set up FCrDNS or they spoof a domain like iCloud.com where they set up a fake PTR record, but it's impossible to set up forward DNS because they don't control the domain.
 
If SmarterMail could score this, we could add points and block a lot more spam.
  • 30 points for no reverse DNS (already exists)
  • 20 points for no forward DNS
  • 10 points for forward DNS does not match original IP
BTW, for anyone interested in checking FCrDNS, just go to http://multirbl.valli.org/
0
That is exactly what I was hoping they would do. A score for no rDNS at all as well as a score for no matching FCrDNS. I'd say at least 75% of the spam that makes it to my inbox has no FCrDNS, or has no rDNS at all but makes it through SmarterMail's rDNS checks.

Christopher

4
Recently some other Ideas with only 2 or 3 votes got replies from ST and marked as Planned. One was even Completed in less than a week!
 
Not sure how some ideas get chosen and others are ignored, so I wanted to bump this idea (with 10 votes) to the top as it would be easy to implement and be very beneficial in blocking spam.
 
Thanks!
5
OK, not sure why this thread is ignored with 11 votes. Another thread where 1 person is having an isolated issue gets replies from tech support, developers, and community.
 
Chris posted an awesome idea that would help EVERYONE tag and reject spam. Can we please make it a priority and add it to v15?  Here's a sample result for a spammer's IP entered at http://multirbl.valli.org/

FCrDNS Test
rDNS for IP 212.83.135.251
212-83-135-251.rev.poneytelecom.eu
OK

IP Addresses (A or AAAA records) for 212-83-135-251.rev.poneytelecom.eu
No record found! Failed

Allowing this to score and block for 10-20 points would be a great addition.  And while we're there, add a checkbox to the Null Sender check so it can block in addition to score. Thanks!
0
Good question. Maybe it will be in Version 17 or 18.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
Yep, we received a flurry of spam emails yesterday. I believe the RDNS was 127-63-173-68.chicago, not even a routable hostname, but SM let them right on in.

Christopher

6
I'd be so bloody happy with SMTP Blocking for connections that provide a HELO/EHLO that does not pass a FCrDNS! It would significantly cut down the amount of traffic our Incoming Gateways have to process by at least a third...coupled with an aggressive Denial of Service IDS Rule and we wouldn't have to answer repeat requests after the first 10 failed attempts, reducing the load even further.
 
On another note, not sure if there is any causation with this or not (as honestly I've been too swamped post-v16 to do an Audit to quantify it) but Spam Filtering in v16 does not seem nearly as effective as it once did, even when running ARM Message Sniffer & Declude...although a lot of it seems to be Zero Hour Spam that Senderbase & Barracuda both have flagged by the time that I manually run a check on an email that I received in my Inbox where Smartermail scored < 10...(and if sent to a Forwarder ARM Message Sniffer catches it on the way back out) but almost all of that Zero Hour Spam seems to be from servers that always fail FCrDNS as they are setup with generic rDNS such as 162-144-37-3.unifiedlayer.com or hosted-by.snel.com or no-rdns-yet.ukservers.com. SMTP Blocking for failed FCrDNS in SmarterMail would help us out a lot with Zero Hour Spam.
0
Declude for us used a pretty decent load on our CPUs, and would hang quite often backing up our spool. So it was a no go. Cyren, whenever they have data-center issues or routing problems, our spool backs up. Emails that it sometimes classifies as "Suspected" are so not even close to suspected, but then it will turn around and give an absolutely blatant spam email a score of 0.

SpamAssassin that comes with SM is a no go at our level of processing and running multiple external SpamAssassin boxes is just too much babying and hand holding and SpamAssassin as a whole seems lacking.

We've also had customers ask why arm's website is so poor looking and it gives them a negative association with Message Sniffer, vs. Cyren has a very modern and clean website, which makes the customer feel all warm and fuzzy.

We've even done URIBL and other paid blacklists, getting decent anti-spam just seems impossible today.

Christopher

0
I'm using SpamHero and it does a credible job. Nice feature set.
0
Even their $100 per month enterprise plan only does 200k emails per month inbound. We process that per hour lol. The cost for this would unfortunately be nearly 4 times what Cyren is, and add the fact that we would have to go through thousands of domains and update MX records, and it's a bit much.

Christopher

5
As the spam rolls in from IP addresses that fail FCrDNS, here is what it looks like when you plug the IP in at http://multirbl.valli.org. If this test was added to v15 and v16 for scoring and blocking, it would really help reduce spam.
 
 
Like the new feature that allows you to add a pic without having to upload it to a 3rd party website.  Nice work SmarterTrack team!
5
Here's a variation of this test result -- the reverse DNS name (PTR record) does point to a legitimate IP, but the IP doesn't match the sending IP.
 
This result could be scored a bit less, maybe 10 points. But when there's no forward IP at all, like in example from previous post, score it at 20.
0
Like they do with SPF check. Pass Weight, Fail Weight, SoftFail Weight -----
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
4
Wow, this feature (FCrDNS) would really be useful today. Lots of Cyber Monday spam coming from cloud servers @ AWS and other places...
 
Today's bad actor is Chi Networks for allowing their cloud servers to be used for spamming...

Test result courtesy of http://multirbl.valli.org.
0
Yep, us too! Quite a few complaints today, all the ones I checked came from emails that contained no FCrDNS....

This certainly could not take ST long to implement into SM...

Christopher

0
Funny too, we had quite a few emails come from the IP you provided. They got a few hundred emails into our system before Spamhaus listed them.

Christopher

7
This is still a MASSIVE issue.
 
178.211.35.212 had several thousand connections for about 2 hours, the RDNS for this? ".". Literally a dot. SmarterMail? SmarterMail cool with this... I mean come on...

Christopher

6
Absolutely! This feature needs to be added to both 15.x and 16.x.
 
This idea has 15 votes and will only take a few days to code and test. Compare it to the MAPI Support idea which only has 6 votes and will probably take over 6 months to code and test!
 
ST, please listen to your customers. Isn't that what this forum and the whole voting thing is for? Please reply as there aren't any ST posts in this thread.
 
Thanks!
3
And today, a customer called very upset complaining he wasn't getting account verification emails from Microsoft. We checked the logs, which show that SPF checks are returning as _SPF (Fail). Ran a quick test online using Kitterman's SPF test utility and it shows it should have passed.
 

Mail sent from this IP address: 104.47.41.49 
Mail from (Sender): account-security-noreply@accountprotection.microsoft.com 
Mail checked using this SPF policy: v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.1.153 ip4:147.243.1.47 ip4:147.243.1.48 -all 
Results - PASS sender SPF authorized


Mail sent from this IP address: 104.47.41.49 
Mail Server HELO/EHLO identity: NAM03-DM3-obe.outbound.protection.outlook.com 

HELO/EHLO Results - PASS sender SPF authorized

After looking in the logs...

18:06:42 Running SPF check on 

18:06:42 SPF Fail.  IP: 104.47.41.49, Sender: microsoft account team, FailReason: Malformed Domain

SPF Record: 
18:06:42 Finished SPF check on 
 
Really? SmarterMail is doing a check on "microsoft account team" to try and do a record lookup? WTH??

Christopher
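The log excerpt above suggests the display name ("microsoft account team") was being looked up as if it were a domain. The snippet below is an added example, not SmarterMail's code, of how an SPF check should pick its identity: the domain of the MAIL FROM address, or postmaster@HELO when the envelope sender is empty (RFC 7208 section 2.4). The HELO name and sender address used as input are the ones quoted in the post.

```python
from email.utils import parseaddr
from typing import Tuple

def spf_identity(mail_from: str, helo: str) -> Tuple[str, str]:
    """Return (identity, domain) to evaluate SPF against.

    mail_from is the sender as it appears in MAIL FROM (or a From: header),
    possibly with a display name; helo is the EHLO/HELO argument.
    """
    helo = helo.lower()
    raw = mail_from.strip()
    # Null sender (bounces, DSNs): SPF is checked on postmaster@<HELO domain>.
    if raw in ("", "<>"):
        return f"postmaster@{helo}", helo
    # parseaddr strips the display name and angle brackets; only the
    # addr-spec can carry the domain, never the human-readable name.
    _, addr = parseaddr(raw)
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain or any(c.isspace() for c in domain):
        # This is the case the log labelled "Malformed Domain": refuse to
        # look it up rather than querying DNS for free text.
        raise ValueError(f"malformed sender, no usable domain: {mail_from!r}")
    return f"{local}@{domain.lower()}", domain.lower()

def demo() -> dict:
    """Constructed inputs taken from the post's log and SPF test output."""
    helo = "NAM03-DM3-obe.outbound.protection.outlook.com"
    senders = [
        "microsoft account team <account-security-noreply@accountprotection.microsoft.com>",
        "<>",
    ]
    return {s: spf_identity(s, helo)[1] for s in senders}

if __name__ == "__main__":
    for sender, domain in demo().items():
        print(f"{sender!r:90} -> {domain}")
```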

0
This is affecting us too badly. We get, for example, lots of emails from @gmail.com accounts that we know are legitimate, and SmarterMail is failing them on both the SPF check and saying they are Null Senders, so overall these emails get a high SPAM score.

What is going on and why is this not fixed yet SmarterMail? Most likely these started happening in the latest version 16.3.6544 (Dec 1, 2017), so I guess there must be a lot of people affected.
0
FWIW, we're not seeing this in 15.x.
4
We have been fighting spammers all weekend... from hundreds of different IPs. ALL of them have no valid FCRDNS. I really really really hope this is being added into SM 17. This is so simple to do...

Christopher

0
Why not add it to v15 and v16 if it's simple to do?
6
Spent the last few hours analyzing thousands of spam messages that have been coming in all weekend. It's what email admins do on Sundays, Fundays.  :)
 
My results are the same as echoDreamz -- no valid FCrDNS. Lots of spam from temporary servers that get set up quick at AWS and other cloud providers.  Here's a sample header:
Return-Path: <>
Received: from 6hostlodge.com (162-144-123-96.unifiedlayer.com [162.144.123.96]) by mail.example.com with SMTP;
   Sun, 21 Jan 2018 14:43:52 -0500
MIME-version: 1.0
Content-type: text/html
To: user@example.com
from: DerekEvans<Today@eeoo.co>
Subject: Are***your**FAT**CELLS***deaf?
Date: Sun, 21 Jan 2018 14:24:31 -0500
Message-ID: <b24efd36c1734bfcac1dec849fac6c74@com>
X-Exim-Id: b24efd36c1734bfcac1dec849fac6c74
Having an FCrDNS check that would assign 10-20 points would be soooo beneficial in blocking spam.
 
Others agree as this idea is one of the TOP 10 most-voted-for enhancement requests!
2
Matt Petty Replied
Employee Post
Hello,
 
This has been implemented in SmarterMail 17. It will be under the Reverse DNS anti-spam settings. There will be a new toggle button and a text field. One for turning Forward-Confirm on, and the other providing a ForwardFailed weight. So Reverse DNS will no longer be just failed or passed. It will have Passed, ReverseFail, ForwardFail, with the latter two having their weights individually configurable.
If you have any questions about it, let me know.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
<3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3 <3

Christopher

0
Are you guys using a better lookup engine than the crappy internal built .net one? We ran all sorts of tests internally and found the "built-in" .net methods to be unreliable.

Christopher

0
Matt Petty Replied
Employee Post
I will look into some other ways we can do the lookups. We've already evaluated other options, I'll see about moving at least this over to it for now and running some tests.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
We’ve found that the SimpleDNS-built DNS lookup library is amazing. It’s free to use and has no limitations. https://simpledns.com/dns-client-lib We’ve put this poor little library through hell and it’s come out a winner every time.

Christopher

2
I do not want to be categorized as a "whiner" (again), but this feature should surely be incorporated into v15 for those who want to stick with the old UI. Please understand that forcing folks onto the new UI may cause more of them to abandon SM altogether. I am far from the only one with this opinion.
 
Take a look at this thread:
https://portal.smartertools.com/community/a90362/goodbye-and-good-luck.aspx
 
It remains my humble opinion that the email/calendar engine should be bulletproof, and work as well as possible with (at least) as many versions of Outlook as Microsoft supports with their server products, and that BOTH SmarterMail UIs should be available to all admins on a per-login basis, if desired.
 
0
While I agree, they cannot support v15 forever and keep backporting features in, they have to draw the line and focus forward... SmarterMail supports IMAP, so it should in theory support even the oldest versions of Outlook and any other client that follows the IMAP specs.

The more advanced features like EAS, EWS etc. surely cannot be catered to all versions of Outlook and a line must be drawn somewhere. Supporting 8+ year old versions of an email client may make things worse for newer Outlook clients.

Though, older versions of Outlook can still always access SM through IMAP. Hell, we have a few clients that STILL USE OUTLOOK 2003! - On IMAP of course, but it works and they are happy (when our SmarterMail server isn't crashing for some new or continued issue). I am glad to see that MAPI is being done for 2013+ as those are at least more modern versions of Outlook that support these great new features.

Christopher

2
There is a difference between "a few more years" and "forever."
 
I have a client that is still using SM v11 (40 users) and it runs very well indeed*; and I know of a couple of others on v11/v12 that have very few complaints. Another client is running a several-years-old install of hMailserver +Squirrelmail (12 users) under Windows Server 2012, which needs close to zero maintenance.
 
Both of these clients use Symantec Email Security.cloud for incoming/outgoing virus/spam/malware filtering, so no detected bad incoming emails touch their mail server. This keeps traffic off of the WAN circuit, and lowers the maintenance overhead for the entire email system. In SM, it removes all that anti-spam etc. system and maintenance overhead (the cloud service required maintenance is astonishingly low, and actually getting better still).
 
SmarterMail v15 incorporates all the accumulated knowledge and patches to date, with that familiar UI. There's no reason that it shouldn't/couldn't be kept going for some time now.
 
As I and others have stated, forcing us off of that UI will quite possibly cause us to leave SM. That said, "the cloud" continues to beckon, and most of us will end up there sooner or later, for better or worse.
 
*Are they using all of SM's features? Like most users, NO. They use email, and some use the calendar. Administratively the archive feature is very powerful and good to have. That's about it.
 
5
Matt, nice work! Glad to hear that this is scheduled for ver 17.
 
But there's one more return code that needs a separate score:
  • 30 points - no reverse DNS (ReverseFail - already exists)
  • 20 points - no forward DNS (ForwardFail - just added for v17)
  • 10 points - forward DNS does not match original IP (*please add*)
For anyone interested, these 3 FCrDNS options can be tested at http://multirbl.valli.org/
 
Thanks,
Kevin
 
0
Matt Petty Replied
Employee Post
Yea, I currently issue a ForwardFail for a mismatch on the IP. I'll add another result specifically for having IPs but not matching.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matt Petty Replied
Employee Post
This has been implemented, added "ForwardMismatch".
So now that brings us to
ReverseFail
ForwardFail
ForwardMismatch
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
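The three-state check Matt describes above, with the per-result weights Kevin proposed earlier in the thread, as an added example (not SmarterMail's code). The lookups are injected so the sample runs offline against a constructed zone table built from the IPs and hostnames quoted in this thread; `live_check` wires the same logic to the standard-library resolver.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

# Result names follow the thread: Passed / ReverseFail / ForwardFail / ForwardMismatch.
# Weights are the 30 / 20 / 10 points proposed above; an operator would tune these.
WEIGHTS = {"Passed": 0, "ReverseFail": 30, "ForwardFail": 20, "ForwardMismatch": 10}

@dataclass
class FcrdnsResult:
    ip: str
    ptr: Optional[str]
    forward: List[str]
    status: str
    score: int

def check_fcrdns(ip: str, ptr_lookup: Callable, addr_lookup: Callable,
                 weights=WEIGHTS) -> FcrdnsResult:
    """ptr_lookup(ip) -> hostname or None; addr_lookup(host) -> list of A/AAAA strings."""
    target = ipaddress.ip_address(ip)       # reject junk before spending a DNS round trip
    ptr = ptr_lookup(ip)
    # No PTR, or a PTR that is not a usable name (the thread saw a bare "."),
    # is ReverseFail: there is nothing to forward-confirm.
    if not ptr or ptr.strip(".") == "":
        return FcrdnsResult(ip, ptr, [], "ReverseFail", weights["ReverseFail"])
    host = ptr.rstrip(".").lower()
    forward = addr_lookup(host) or []
    if not forward:                          # PTR names a host with no A/AAAA record
        return FcrdnsResult(ip, host, [], "ForwardFail", weights["ForwardFail"])
    # Compare as addresses so IPv6 spelling differences don't produce false mismatches.
    if any(ipaddress.ip_address(a) == target for a in forward):
        return FcrdnsResult(ip, host, forward, "Passed", weights["Passed"])
    return FcrdnsResult(ip, host, forward, "ForwardMismatch", weights["ForwardMismatch"])

# Constructed zone data mirroring cases quoted in the thread (not live DNS answers).
PTR_ZONE = {
    "1.2.3.4": "mail.server.com",                             # opening post: mismatch
    "212.83.135.251": "212-83-135-251.rev.poneytelecom.eu",   # PTR but no A record
    "23.228.103.179": "lab179.ynguwan.com",                   # full pass
    "178.211.35.212": ".",                                    # PTR of "." (not a name)
}
A_ZONE = {
    "mail.server.com": ["15.16.17.18"],
    "lab179.ynguwan.com": ["23.228.103.179"],
}

def offline_check(ip: str) -> FcrdnsResult:
    return check_fcrdns(ip, PTR_ZONE.get, A_ZONE.get)

def live_check(ip: str) -> FcrdnsResult:
    """Same logic against real DNS via the standard-library resolver."""
    def ptr(addr):
        try:
            return socket.gethostbyaddr(addr)[0]
        except OSError:                      # NXDOMAIN, SERVFAIL, timeouts
            return None
    def addrs(host):
        try:
            return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})
        except OSError:
            return []
    return check_fcrdns(ip, ptr, addrs)

if __name__ == "__main__":
    for ip in list(PTR_ZONE) + ["203.0.113.9"]:   # last one has no PTR at all
        r = offline_check(ip)
        print(f"{ip:16} {r.status:16} +{r.score:<3} ptr={r.ptr} fwd={r.forward}")
```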
0
Great, this additional result will be appreciated! Just received a spam message from:

Return-Path: <noreply@e.fiverr.com>
Received: from 76anniestandard.com (no-reverse-dns-configured.com [80.82.70.135])

which passes the first 2 tests, but fails the ForwardMismatch.
1
We need this badly... http://multirbl.valli.org/lookup/23.228.103.179.html this IP range has been killing us all weekend. NO REVERSE DNS AT ALL, but SM lets it in.

Christopher

0
Though the improvements won't work, we need a more stable rDNS lookup system.

Christopher

0
FWIW, looks like that IP is passing rDNS this AM.

Would really like it if v15 & v16 could get this enhancement as v17 is probably 6 months away after beta, release, and bug fixes.
3
Any chance this could get added to v15 & v16, especially since v17 is probably 6 months away from production use (after beta, release, bug fixes, etc.)?
 
FWIW, I bet many customers would continue to pay for Upgrade Protection on v15 if they could get small enhancements like this.
 
Here's another anti-spam feature that would be nice to get into v15:
 
0
http://multirbl.valli.org/lookup/23.228.103.179.html this IP is still failing. Fails at mxtoolbox https://mxtoolbox.com/SuperTool.aspx?action=ptr%3a23.228.103.179&run=toolpage as well.

Christopher

0
Strange, when I click the multirbl link, it passes all 3 tests...

rDNS for IP 23.228.103.179
lab179.ynguwan.com
OK

IP Addresses (A or AAAA records) for lab179.ynguwan.com
23.228.103.179
OK

At least one IP address of the DNS lookup for lab179.ynguwan.com matches the original IP
OK
0
Matt Petty Replied
Employee Post
Chris, at some point during the beta or maybe some point this week I will look into the alternative DNS solution and start working on it.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
We use Simple DNS... for our actual DNS, and for DNS lookup libraries, as pointed out by @echoDreamz (March 1 at 12:40 PM, same thread). The lookup libraries do tend to work well... BUT, we would like to try for better integration. So not sure if that can be used as a third-party lookup, but it would be great if it were to be integrated.
1
Matt Petty Replied
Employee Post
I've swapped out the methods for DNS lookup in SPF and rDNS checks with DNSClient after running some tests. We've got this running on our server and the checks are performing well. After some time in Beta we could maybe scale this out to the other areas.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matt Petty Replied
Employee Post
This was the result of the test. I wouldn't pay too much attention to (X Errors) as some libraries return errors for domains not existing while others return a blank result. Both are counted the same, so there is no point in looking at "Errors".
https://carbonitex.net/share/MultipleDNSTest_2018-03-16_y9hFbeYP.png
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
We did a fairly large test here as well with 5000 unique IPs gathered from our logs. Used the .net built-in methods, SimpleDNS and the ViewDNS HTTP API.

Simple and ViewDNS returned the same results, IE failures when there should be, no failures when there shouldn't, but the .net methods were all over the place.

Though the SimpleDNS lib is quite old and built on .net 2.0 I believe. I assume for DNSClient, you are meaning the MichaCo library? This one at least supports newer .net technologies and fully supports async / await.

I am curious though, your results, DNSClient, Simple and SmarterTools are close in their query counts, whereas, Heijden and DotNet are almost a full 1000 off.

Christopher

0
Matt Petty Replied
Employee Post
I didn't spend a ton of time deeply investigating each library, except for ours and DNSClient's since I pretty much ran through the code while performing some of the conversions. It's been a fairly busy week but I had a couple spare hours and someone else on the team had mentioned Heijden to me so that was actually put in quite quickly after all the others. I may further investigate what Heijden's and DotNet's problems were but with the 18 beta drawing close, our attention lately has focused on making sure everything is perfect.

The power of .NET Core will be awesome. It's important to stay up to date so I was kind of excited about this new library. Makes moving forward easier in the future.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
RFC 7601 has a section on this subject. For some reason, they call it "iprev" instead of "FCrDNS". That RFC describes message header syntax so that a perimeter device which does spam filtering can communicate Authentication-Results to a mail server or mail user agent. Iprev is included for completeness, but the corresponding commentary indicates it is not considered an effective test for spammers. There is a link in that document to a more extensive description of the issues in another document which was not given an RFC number. I think you will find that this test generates a lot of false positives.
