Reverse DNS
-
Saturday, November 05, 2011 6:14 PM
Hi
I have an Exchange Server 2003; we are hosting several different domains on it.
We are getting too much spam.
I'm thinking about reverse DNS; the server is on 1 public IP address.
Can I create a reverse DNS for all the domains on 1 IP address, or do I make 1 PTR with the DNS address of the server, mail.myserver.com?
All the domains point to mail.myserver.com in their own MX records.
Also, I am trying to judge how much genuine mail I will lose if it can't be reverse DNS'd.
Any guidance / help would be most welcome.
Thanks in advance
All Replies
-
Saturday, November 05, 2011 8:29 PM
On Sat, 5 Nov 2011 18:14:01 +0000, Nick Price wrote:

>Hi
>I have an exchange server 2003 we are hosting several different domains on it
>We are getting too much spam.
>I'm thinking about reverse DNS, the server is on 1 public IP address.
>Can I create a reverse DNS for all the domains on 1 IP address or do I make 1 PTR with dns address of the server mail.myserver.com

The PTR you create should have a name that matches the HELO\EHLO data your server sends.

>all the domains point to mail.myserver.com in their own MX records.
>Also I am trying to judge how much genuine mail I will lose if it can't be reversed DNS'd

You can't "judge" it, you can only measure it. Your server can produce SMTP protocol logs. You know the IP addresses that send you e-mail. Write (or have written) a small program to read the log files and query DNS for PTR records. For the IP addresses that don't have PTR records, record the MAIL FROM addresses. When you finish processing the log files you'll know if your idea is a good one or not.

>any guidance / help would be most welcome

What do you mean by "reverse DNS'd"? I don't remember anything in Exchange 2003 that did anything with PTR records.

Requiring other servers to have a PTR record isn't a bad idea (it's not always a great idea, either), but refusing to accept connections if the name in the PTR doesn't match the name in the HELO\EHLO is.

I think you'd fare better with a good spam filter than just by using a single test.

---
Rich Matheisen
MCSE+I, Exchange MVP
- Marked As Answer by Evan Liu (Moderator), Sunday, November 13, 2011 5:42 AM
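An added example (not part of the reply above and not Exchange tooling) of the measurement it describes: read SMTP protocol log lines, do one reverse lookup per client IP, and list the MAIL FROM addresses seen from IPs that have no PTR record. It assumes the log is in W3C extended format with the c-ip, cs-method and cs-uri-query fields enabled; the sample lines and function names are constructed for illustration.

```python
import re
import socket
from collections import defaultdict

# Constructed sample lines in W3C extended format (assumed log format and field set).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2011-11-05 18:14:01 192.0.2.55 EHLO +mail.example.net 250
2011-11-05 18:14:02 192.0.2.55 MAIL +FROM:<alice@example.net> 250
2011-11-05 18:15:10 198.51.100.7 HELO +localhost 250
2011-11-05 18:15:11 198.51.100.7 MAIL +FROM:<bob@example.org> 250
2011-11-05 18:16:30 198.51.100.7 MAIL +FROM:<carol@example.org> 250
2011-11-05 18:17:00 203.0.113.9 MAIL +FROM:<> 250
"""

# W3C logs encode spaces as "+", so allow "+" or whitespace before the address.
MAIL_FROM = re.compile(r"FROM:[+\s]*<([^>]*)>", re.IGNORECASE)


def has_ptr(ip):
    """True if a live reverse lookup for ip returns a name."""
    try:
        socket.gethostbyaddr(ip)
        return True
    except (socket.herror, socket.gaierror):
        return False


def senders_without_ptr(lines, ptr_check=has_ptr):
    """Map each client IP lacking a PTR record to the MAIL FROM addresses it used."""
    fields, senders = [], defaultdict(set)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "MAIL" or "c-ip" not in row:
            continue
        match = MAIL_FROM.search(row.get("cs-uri-query", ""))
        if match:
            senders[row["c-ip"]].add(match.group(1).lower() or "<>")
    checked = {ip: ptr_check(ip) for ip in senders}   # one lookup per distinct IP
    return {ip: sorted(a) for ip, a in senders.items() if not checked[ip]}


if __name__ == "__main__":
    for ip, addrs in senders_without_ptr(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(addrs))
```

Run against real logs by passing the open log file as `lines`; the `ptr_check` parameter lets the lookup be replaced with a cached or offline resolver.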
-
Monday, November 07, 2011 8:19 AM
A common issue as of today; I think you should start by ensuring your Windows 2003 IMF filter is correctly installed and configured; that one will give you a good hand to reduce the amount of spam hitting your server mailboxes

>Hi
>I have an exchange server 2003 we are hosting several different domains on it
>We are getting too much spam.

A reverse DNS entry (that is, a PTR record) for your mailserver IP will help you improve your delivery and is recommended, but won't help you reduce the amount of incoming spam

>I'm thinking about reverse DNS, the server is on 1 public IP address.
>Can I create a reverse DNS for all the domains on 1 IP address or do I make 1 PTR with dns address of the server mail.myserver.com
>all the domains point to mail.myserver.com in their own MX records.
>Also I am trying to judge how much genuine mail I will lose if it can't be reversed DNS'd
>any guidance / help would be most welcome
You'll only need a single PTR for your mailserver; the PTR should match the "HELO string" used by your mailserver when delivering email and it should also match the name used in its A record; then, in the other domains, just specify the "main" server name as the MX

Then, to help reduce "spoofed" incoming emails, you may also want to create an SPF/SenderID record; in such a case you may want to use this wizard to create the SPF record for your primary domain and then use an SPF containing "v=spf1 include:master.domain -all" (where "master.domain" is the name of your "primary" domain) for all the other domains hosted on the mailserver

Just to make an example; let's say that your "primary" domain is "example.com", that the mailserver sits at IP 192.0.2.10 and that the mailserver name is "mail.example.com"; in such a case, the DNS zone for the "example.com" domain may contain the following

    mail  IN A    192.0.2.10
    @     IN MX   10 mail.example.com.
    @     IN TXT  "v=spf1 mx -all"

then, by the way, on the DNS which is authoritative for your network block you may want to create a reverse (PTR) entry like the following

    10.2.0.192.in-addr.arpa.  IN PTR  mail.example.com.

done that, in the DNS zones for all the other domains hosted on your mailserver, you'll have the following records

    @     IN MX   10 mail.example.com.
    @     IN TXT  "v=spf1 include:example.com -all"

the above tells that the MX for whatever hosted domain is "mail.example.com" and that the SPF/SenderID policy must be looked up on the "example.com" domain (this way, in case you need to change the SPF policy, you'll just need to change the example.com one and the other domains will automatically use it)

Then, by the way, to deal with incoming spam, you'll have to install the Exchange 2003 IMF filter and properly configure it to filter junk emails; notice that it may also be a good idea to enable the Exchange 2003 recipient filtering and tarpitting feature as described here, since this will help reject messages targeting non-existent mailboxes and avoid generating "backscatter"
Then... ok, if you'll need further guidance in configuring the various IMF settings ... just ask :D
HTH
- Marked As Answer by Evan Liu (Moderator), Sunday, November 13, 2011 5:42 AM
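An added example (not from the post above) that checks the consistency it recommends for your own mail server: the PTR for the sending IP, the HELO name and the A record should all agree. The function names are hypothetical, and the FAKE_PTR and FAKE_A tables are constructed from the example zone so the check can run offline; by default it queries live DNS.

```python
import socket

# Constructed records mirroring the example zone in the post (offline stand-in for DNS).
FAKE_PTR = {"192.0.2.10": ["mail.example.com."]}
FAKE_A = {"mail.example.com": ["192.0.2.10"]}


def dns_ptr(ip):
    """Names a live reverse lookup returns for ip (empty list if there is no PTR)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []


def dns_a(name):
    """IPv4 addresses a live forward lookup returns for name."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def norm(name):
    """Compare names without the trailing root dot and without case."""
    return name.rstrip(".").lower()


def check_mail_identity(ip, helo, ptr=dns_ptr, a=dns_a):
    """Return a list of problems; an empty list means PTR, HELO name and A record agree."""
    ptr_names = [norm(n) for n in ptr(ip)]
    if not ptr_names:
        return [f"no PTR record for {ip}"]
    problems = []
    if norm(helo) not in ptr_names:
        problems.append(f"HELO name {helo} does not match PTR {', '.join(ptr_names)}")
    for name in ptr_names:
        if ip not in a(name):              # forward-confirm each PTR name
            problems.append(f"{name} has no A record pointing back to {ip}")
    return problems


if __name__ == "__main__":
    offline = dict(ptr=lambda ip: FAKE_PTR.get(ip, []), a=lambda n: FAKE_A.get(n, []))
    print(check_mail_identity("192.0.2.10", "mail.example.com", **offline))
    print(check_mail_identity("192.0.2.10", "exchange.local", **offline))
```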
-
Tuesday, November 08, 2011 4:50 PM
Just in case; if you decide to go that way (recommended), start by ensuring you have a couple of "alias" mailboxes for the main domain (and, if possible, for all the others), that is, "postmaster" and "abuse"; set both to point to your mailbox (or in any case to a "monitored" mailbox) and configure them to skip any spam checks (leave AV scanning on :D). This is needed since those mailboxes are the "predefined" ones used in case your mailserver is abused or in case it's incorrectly rejecting some messages "as spam"; in either case, you'll WANT to see abuse reports or "false positive" messages, and possibly answer them as soon as possible :)
That said, a good startup with Exchange 2003 IMF may be the following:
Set SCL levels to (e.g.) 5 and 7 (as a starter); this means that messages with an SCL rating lower than 5 will be considered ham, messages with an SCL rating above 7 will be considered spam (and rejected) and messages falling between those scores will be accepted but moved to the "junk mail" folder so that the end user will be able to decide how to categorize them
Done that; Enable Recipient Filtering and tarpitting (see previous link)
Enable senderID (aka SPF) checking
Configure the DNS Blacklist providers by adding the following ones
zen.spamhaus.org
bb.barracudacentral.org
ix.dnsbl.manitu.net
bl.spamcop.net
combined.njabl.org
and set the reject message for each DNSBL to the following
Message refused: your IP %0 is listed by %2 (see http://multirbl.valli.org/lookup/%0.html for details).
The above will allow the sender to have some info about the reason for the reject, since the IMF will replace %0 with the sending IP and %2 with the DNSBL name (e.g. zen.spamhaus.org); also, the reject message will carry a link which will allow the sender to check its IP against a number of blacklists and possibly solve the issue
At this point, your IMF should be working and your users' mailboxes will probably be cleaner; now... take the time to check out the various docs about the IMF settings so that you'll be able to fine tune IMF to fit your needs; here are some pointers
http://technet.microsoft.com/en-us/library/cc875815.aspx
http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html
Notice that if you follow the above settings, to better tune your filter, you may want to adjust the SCL settings to avoid "false positives" :)
HTH
- Edited by ObiWan Tuesday, November 08, 2011 4:52 PM

