Reverse DNS

    Question

  • Hi

    I have an exchange server 2003  we are hosting several different domains on it

    We are getting too much spam.

    I'm thinking about reverse DNS, the server is on 1 public IP address.

    Can I create a reverse DNS for all the domains on 1 IP address or do I make 1 PTR with dns address of the server mail.myserver.com

    all the domains point to mail.myserver.com in their own MX records.

    Also I am trying to judge how much genuine mail I will lose if it can't be reversed DNS'd

    any guidance / help would be most welcome

    thanks in advance

     

     

    Saturday, November 05, 2011 6:14 PM

Answers

  • On Sat, 5 Nov 2011 18:14:01 +0000, Nick Price wrote:
     
    >
    >
    >Hi
    >
    >I have an exchange server 2003 we are hosting several different domains on it
    >
    >We are getting too much spam.
    >
    >I'm thinking about reverse DNS, the server is on 1 public IP address.
    >
    >Can I create a reverse DNS for all the domains on 1 IP address or do I make 1 PTR with dns address of the server mail.myserver.com
     
    The PTR you create should have a name that matches the HELO\EHLO data
    your server sends.
     
    >all the domains point to mail.myserver.com in their own MX records.
     
    >Also I am trying to judge how much genuine mail I will lose if it can't be reversed DNS'd
     
    You can't "judge" it, you can only measure it. Your server can produce
    SMTP protocol logs. You know the IP addresses that send you e-mail.
    Write (or have written) a small program to read the log files and
    query DNS for PTR records. For the IP addresses that don't have PTR
    records, record the MAIL FROM addresses. When you finish processing
    the log files you'll know if your idea is a good one or not.
     
    >any guidance / help would be most welcome
     
    What do you mean by "reverse DNS'd"? I don't remember anything in
    Exchange 2003 that did anything with PTR records.
     
    Requiring other servers to have a PTR record isn't a bad idea (it's not
    always a great idea, either), but refusing to accept connections if
    the name in the PTR doesn't match the name in the HELO\EHLO is.
     
    I think you'd fare better with a good spam filter than just by using a
    single test.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Saturday, November 05, 2011 8:29 PM
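
The measurement described in the reply above, as an added example that is not part of the original thread: it reads SMTP protocol log lines, looks up a PTR for each client IP, and collects the MAIL FROM addresses of clients that have none. It assumes W3C extended logs with `c-ip`, `cs-method` and `cs-uri-query` columns; the sample lines, addresses and function names are constructed.

```python
import socket
from collections import defaultdict

# Constructed sample lines. Assumption: W3C extended format, with the column
# order taken from the "#Fields:" directive rather than hard-coded.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2011-11-05 18:14:01 192.0.2.55 mx.sender.example EHLO +mx.sender.example 250
2011-11-05 18:14:02 192.0.2.55 mx.sender.example MAIL +FROM:<bob@sender.example> 250
2011-11-05 18:15:10 198.51.100.7 pc-1234 HELO +pc-1234 250
2011-11-05 18:15:11 198.51.100.7 pc-1234 MAIL +FROM:<offers@bulk.example> 250
2011-11-05 18:15:40 198.51.100.7 pc-1234 MAIL +FROM:<news@bulk.example>+SIZE=2048 250
"""

def system_ptr(ip):
    """Return the PTR name for ip, or None when the reverse lookup fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def senders_without_ptr(lines, lookup=system_ptr):
    """Map each client IP that has no PTR to the MAIL FROM addresses it used."""
    fields, cache, missing = [], {}, defaultdict(set)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        arg = row.get("cs-uri-query", "")
        if row.get("cs-method", "").upper() != "MAIL" or "<" not in arg or ">" not in arg:
            continue
        ip = row.get("c-ip")
        if not ip:
            continue
        sender = arg[arg.index("<") + 1:arg.index(">")].lower() or "<>"
        if ip not in cache:                    # one DNS query per distinct IP
            cache[ip] = lookup(ip)
        if cache[ip] is None:
            missing[ip].add(sender)
    return {ip: sorted(addrs) for ip, addrs in missing.items()}

if __name__ == "__main__":
    constructed_ptrs = {"192.0.2.55": "mx.sender.example"}   # offline stand-in for DNS
    print(senders_without_ptr(SAMPLE_LOG.splitlines(), constructed_ptrs.get))
```

Run against real logs with the default `lookup`, the result lists exactly the senders that a "PTR required" rule would have turned away.
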
  • >Hi
    >
    >I have an exchange server 2003 we are hosting several different domains on it
    >
    >We are getting too much spam.

    A common issue as of today; I think you should start by ensuring your Windows 2003 IMF filter is correctly installed and configured; that one will give you a good hand to reduce the amount of spam hitting your server mailboxes

    >I'm thinking about reverse DNS, the server is on 1 public IP address.

    A reverse DNS entry (that is, a PTR record) for your mailserver IP will help you improve your delivery and is recommended, but won't help you reduce the amount of incoming spam

    >Can I create a reverse DNS for all the domains on 1 IP address or do I make 1 PTR with dns address of the server mail.myserver.com
    >
    >all the domains point to mail.myserver.com in their own MX records.
    >
    >Also I am trying to judge how much genuine mail I will lose if it can't be reversed DNS'd
    >
    >any guidance / help would be most welcome

    You'll only need a single PTR for your mailserver; the PTR should match the "HELO string" used by your mailserver when delivering email and it should also match the name used in its A record; then, in the other domains, just specify the "main" server name as the MX

    Then, to help reduce "spoofed" incoming emails, you may also want to create an SPF/SenderID record; in such a case you may want to use this wizard to create the SPF record for your primary domain and then use an SPF containing "v=spf1 include:master.domain -all" (where "master.domain" is the name of your "primary" domain) for all the other domains hosted on the mailserver

    Just to make an example; let's say that your "primary" domain is "example.com", that the mailserver sits at IP 192.0.2.10 and that the mailserver name is "mail.example.com"; in such a case, the DNS zone for the "example.com" domain may contain the following

    mail IN A     192.0.2.10
    @    IN MX 10 mail.example.com.
    @    IN TXT   "v=spf1 mx -all"
    
    


    then, by the way, on the DNS which is authoritative for your network block you may want to create a reverse (PTR) entry like the following

    10.2.0.192.in-addr.arpa. IN PTR mail.example.com.
    

    that done, in the DNS zones for all the other domains hosted on your mailserver, you'll have the following records

    @    IN MX 10 mail.example.com.
    @    IN TXT   "v=spf1 include:example.com -all"
    
    

    the above says that the MX for whatever hosted domain is "mail.example.com" and that the SPF/SenderID policy must be looked up on the "example.com" domain (this way, in case you need to change the SPF policy, you'll just need to change the example.com one and the other domains will automatically use it)

    Then, by the way, to deal with incoming spam, you'll have to install the Exchange 2003 IMF filter and properly configure it to filter junk emails; notice that it may also be a good idea to enable the Exchange 2003 recipient filtering and tarpitting feature as described here, since this will help reject messages targeting non-existent mailboxes and avoid generating "backscatter"

    Then... ok, if you need further guidance in configuring the various IMF settings ... just ask :D

    HTH

     

    Monday, November 07, 2011 8:19 AM
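
A consistency check for the records in the answer above, as an added example that is not part of the original thread: it confirms that the server's IP has a PTR, that the PTR name equals the HELO name, and that the PTR name resolves back to the same IP. The function names and the offline lookup tables are constructed; the host name and address are the ones used in the answer.

```python
import ipaddress
import socket

def reverse_name(ip):
    """Owner name of the PTR record for ip, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def system_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_addrs(name):
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def norm(name):
    """Compare DNS names without the trailing dot and case-insensitively."""
    return name.rstrip(".").lower()

def check_identity(ip, helo, ptr_lookup=system_ptr, a_lookup=system_addrs):
    """Return a list of mismatches between the IP, its PTR, the A record and HELO."""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return [f"no PTR at {reverse_name(ip)}"]
    problems = []
    if norm(ptr) != norm(helo):
        problems.append(f"PTR {norm(ptr)} does not match HELO {norm(helo)}")
    if ip not in a_lookup(norm(ptr)):          # forward-confirm the PTR name
        problems.append(f"{norm(ptr)} has no A record for {ip}")
    return problems

if __name__ == "__main__":
    # Constructed stand-ins for DNS, mirroring the zone data in the answer.
    ptrs = {"192.0.2.10": "mail.example.com."}
    addrs = {"mail.example.com": {"192.0.2.10"}}
    for helo in ("mail.example.com", "exchange01.local"):
        print(helo, check_identity("192.0.2.10", helo, ptrs.get,
                                   lambda n: addrs.get(n, set())))
```
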

All replies

  • Just in case: if you decide to go that way (recommended), start by ensuring you have a couple of "alias" mailboxes for the main domain (and, if possible, for all the others), that is, "postmaster" and "abuse"; set both to point to your mailbox (or in any case to a "monitored" mailbox) and configure them to skip any spam checks (leave AV scanning on :D). This is needed since those mailboxes are the "predefined" ones used in case your mailserver is abused or in case it's incorrectly rejecting some messages "as spam"; in either case, you'll WANT to see abuse reports or "false positive" messages, and possibly answer them as soon as possible :)

    That said, a good startup with Exchange 2003 IMF may be the following:

    Set SCL levels to (e.g.) 5 and 7 (as a starter); this means that messages with an SCL rating lower than 5 will be considered ham, messages with an SCL rating above 7 will be considered spam (and rejected) and messages falling between those scores will be accepted but moved to the "junk mail" folder so that the end user will be able to decide how to categorize them

    That done, enable Recipient Filtering and tarpitting (see previous link)

    Enable senderID (aka SPF) checking

    Configure the DNS Blacklist providers by adding the following ones

    zen.spamhaus.org
    bb.barracudacentral.org
    ix.dnsbl.manitu.net
    bl.spamcop.net
    combined.njabl.org

    and, set the reject message for each DNSBL to the following

    Message refused: your IP %0 is listed by %2 (see http://multirbl.valli.org/lookup/%0.html for details).

    the above will allow the sender to have some information about the reason for the reject, since the IMF will replace %0 with the sending IP and %2 with the DNSBL name (e.g. zen.spamhaus.org); also, the reject message will carry a link which will allow the sender to check its IP against a number of blacklists and possibly solve the issue

    At this point, your IMF should be working and your users' mailboxes will probably be cleaner; now... take the time to check out the various docs about the IMF settings so that you'll be able to fine-tune IMF to fit your needs; here are some pointers

    http://technet.microsoft.com/en-us/library/cc875815.aspx

    http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html

    notice that if you follow the above settings, to better tune your filter, you may want to adjust the SCL settings to avoid "false positives" :)

    HTH

     


    • Edited by ObiWan Tuesday, November 08, 2011 4:52 PM
    Tuesday, November 08, 2011 4:50 PM
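
How a DNSBL lookup and the reject text from the post above fit together, as an added example that is not part of the original thread and not Exchange code: the sending IP's octets are reversed and prepended to the list's zone, an A answer inside 127.0.0.0/8 means "listed", and `%0` / `%2` are filled in as the post describes. The function names and the offline answers in the demo are constructed; skipping 127.255.255.x follows Spamhaus's documented error codes.

```python
import ipaddress
import socket

# Zone list and reject text as given in the post; %0 = sending IP, %2 = DNSBL name.
DNSBL_ZONES = ["zen.spamhaus.org", "bb.barracudacentral.org",
               "ix.dnsbl.manitu.net", "bl.spamcop.net", "combined.njabl.org"]
REJECT_TEMPLATE = ("Message refused: your IP %0 is listed by %2 "
                   "(see http://multirbl.valli.org/lookup/%0.html for details).")
LISTED = ipaddress.ip_network("127.0.0.0/8")
ERRORS = ipaddress.ip_network("127.255.255.0/24")   # error replies, not listings

def dnsbl_query_name(ip, zone):
    """198.51.100.7 + zone -> 7.100.51.198.zone (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def resolve_a(name):
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None                                  # no record: not listed

def first_listing(ip, zones=DNSBL_ZONES, resolve=resolve_a):
    """Return (zone, answer) for the first zone that lists ip, else None."""
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        addr = ipaddress.ip_address(answer)
        # An answer outside 127/8, or an error code, must not cause a reject.
        if addr in LISTED and addr not in ERRORS:
            return zone, answer
    return None

def reject_text(ip, zone, template=REJECT_TEMPLATE):
    return template.replace("%0", ip).replace("%2", zone)

if __name__ == "__main__":
    # Constructed answers standing in for DNS so the demo runs offline.
    answers = {"7.100.51.198.zen.spamhaus.org": "127.255.255.254",
               "7.100.51.198.bl.spamcop.net": "127.0.0.2"}
    hit = first_listing("198.51.100.7", resolve=answers.get)
    print(reject_text("198.51.100.7", hit[0]) if hit else "not listed")
```
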