5
FCrDNS shouldn't allow CName
Problem reported by kevind - 1/21/2025 at 12:59 PM
Submitted
Seeing a decent amount of spam from IP addresses that fail FCrDNS. However, when I look at the SmarterMail spam score on these messages, there are no points added for FCrDNS.

If you plug the IPs into MultiRBL, it shows "No Record Found - Failed" for FCrDNS. Here are some example IPs:
  • 142.202.188.114
  • 142.202.188.117
  • 209.126.105.20
I'm not a DNS guru, but looks like these IPs are using CName records to trick SmarterMail. According to RFC, PTR records must point back to a valid A record, not an alias defined by a CNAME.

So request that SmarterMail adjust the check to only allow A or AAAA records for FCrDNS. Thanks!

13 Replies

Reply to Thread
0
Brian Bjerring-Jensen Replied
Getting increased amount of spam on 9124 versus 8930.
2
Kyle Kerst Replied
Employee Post
Do you have some example EMLs we could take a look at? I know they won't help us simulate rDNS/forward confirm but they may allow us to find examples of it happening in our own environments that we can use to find a solution for you. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
Brian Bjerring-Jensen Replied
what email do you prefer to receive them on?
2
Terry Froy Replied
RFC2317 (Classless IN-ADDR.ARPA delegation) specifically permits and encourages the use of CNAMEs in this scenario.

RFC2181 (Clarifications to the DNS Specification) clears up the confusion relating to the statement 'PTR records must point back to a valid A record, not an alias defined by a CNAME.

2
kevind Replied
Yes, per RFC, "PTR records must point back to a valid A record, not an alias defined by a CNAME."

@Kyle, do you need any more info from me?  I could send you .EML files but they would just have the IPs listed above which fail FCrDNS at MultiRBL but don't get scored in SmarterMail. Thanks.
1
Kyle Kerst Replied
Employee Post
If I'm understanding correctly I don't think I should even need the EMLs most likely. Just to confirm, you're using this option in SmarterMail here correct?
And with that in place you're seeing them not be scored though the rDNS links back to a CNAME? Thank you!
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
3
kevind Replied
Kyle, yes, that's exactly how we have Reverse DNS configured (our scores are a bit different).

And we're not seeing any scoring on messages that the Forward Confirm of rDNS uses a CNAME. According to RFC and MultiRBL, the FCrDNS should use an A record. So this is one way spammers are sneaking thru. Thanks!
0
Douglas Foster Replied
I have been using forward-confirmed DNS on both HELO and RDNS for a long time.  I can provide a Python script, callable from Declude, if others want to start using fcDNS tests immediately.

I don't understand why CNAME matters, and have never tested for it.   I would be interested in having someone clarifiy that concern.

For verifying server names, I assume that the server name is verified if:
- fcDNS on HELO is true, or
- fcDNS on ReverseDNS is true AND the HELO name is in the same PSL organization as HELO.

(EDIT:  In the statistics below, the middle statistic was originally mislabeled.)

I don't use fcDNS results directly for dispositioning, but they are a powerful clue.  These are my results:
121% HELO unverified
4.3% ReverseDNS verified but unrelated to unverified HELO
63.8% HELO verified by fcDNS directly

Note: Outlook.com is the primary source of indirect verification, because their HELO names never confirm but ReverseDNS names always do and both names have the same parent domain.

Here are my percentages for messagse that are allowed to proceed to content filtering, after all sender verification tests are applied:

HELO verified directly, 90% allowed
 ReverseDNS verified but unrelated to unverified HELO, 7.1% allowed
HELO not verified, 2.9% allowed

3
kevind Replied
More spam today from IPs that fail FCrDNS, but unfortunately the messages don't receive a score for failing.


3
kevind Replied
More spam today from this IP: 103.129.199.34
It has a Reverse DNS/PTR = clcconstruction.emory.edu (good)
But the Forward Confirm uses a CNAME (not good). 

MultiRBL shows FCrDNS Failed as no A or AAAA records:

Can we fix SmarterMail's FCrDNS test so it works like MultiRBL? This would help us fight spam. Thanks.
3
Kyle Kerst Replied
Employee Post
Thanks for providing additional details on this Kevind. We have a task to do some deeper testing on this over the next few days now that we have release testing completed so with any luck I'll have some news for you later this week.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
3
kevind Replied
Great, thanks for update. A fix for this will help everyone reduce spam.

Coincidentally, receiving messages today on how to cut my electric bill by 90% thanks to Elon Musk!  These messages fail FCrDNS but are not getting scored.
0
Douglas Foster Replied
I still don't understand how the use of names introduces any risk.  The rule from 20 years ago seems likely to have been a managing DNS workload concern, not a security concern.

Reply to Thread