MX+

Overview

What is MX+?

MX+ refers to a specific anti-spam check. "mxplus" refers to a program that implements the MX+ test as well as a few other anti-spam checks.

Why use MX+?

In the good old days of email, people could inject email from anywhere. Email servers would queue email even if it wasn't for any users on that server. Email was forwarded to the correct place automatically. It was assumed that mistakes were far more likely than abuse, and forwarding all email mistakenly delivered to the wrong address was common. Almost all relays were "open" relays, because that was considered friendly. With the advent of spam however, this was exploited by unscrupulous spammers to (amongst other bad things) mask their identity.

Using MX+ ensures that mail you receive came from an IP address that has some relation (either as an MX record or via reverse DNS) to the sender's domain name, instead of any IP address in the world. This has the effect of denying compromised computers that have no relation to the sender's domain from sending you email.

If you are a system administrator, MX+ coupled with greylisting can dramatically reduce the amount of spam your users receive. MX+ and greylisting are both practical methods that:

How does MX+ work?

MX+ checks that email comes from an IP that's appropriate for the domain. For an email to pass MX+, one of two things must be true: the email must be sent from an IP listed as the MX for the domain, or the rDNS of the IP must be a subdomain of the domain.

For example, suppose IP 192.0.34.166 sends an email it claims is from alice@example.com. The MX for example.com is 192.0.34.166, so this email would pass.

Now suppose IP 64.71.139.98 sends an email it claims is from alice@example.com. The MX for example.com is 192.0.34.166, which does not match 64.71.139.98, so we check the rDNS for 64.71.139.98, which is ops.he.net. If the email were from alice@ops.he.net or alice@he.net it would be acceptable, but it's not, so this email would be rejected.

Most people either use a major provider's domain, which already sets rDNS to a subdomain of their domain for their entire IP space, or they use an all-in-one box to host their domain, in which case the MX will also be the sending IP.

To accommodate the few who split their inbound and outbound mail but don't have access to their rDNS, actual MX+ implementations may do a "fuzzy" IP match, comparing only the upper 24 bits of the addresses.

MX+ Reference Implementation

A reference implementation in C named "mxplus" is provided, and you can download the reference implementation here

Instructions on how to use the reference implementation with procmail follow below under the section "How to install and use mxplus with procmail".

There's also a perl module Mail::mxplus that you can download: http://mxplus.org/Mail-MXplus-0.02.tar.gz

mxplus Technical Description

The mxplus program performs three tests: the MX+ test, the Address Validation test, and the Virus test. The MX+ test confirms that the sender's IP is a valid sending IP for that domain. The Address Validation test confirms that the return address is a real email address. The Virus test checks that there are no bad attachments in the email.

MX+ check

The MX+ check tests for one of two things: is the MX for the domain the same as the sender's IP, or is the rDNS for the IP a subdomain of the domain? If either is true, the check is considered successful.

In the mxplus program, it's presumed that the from is on the first line of the email being checked, and that line starts with "From ". The IP is pulled from the first "Received:" header, and it's presumed that it's in a comment and surrounded by square brackets. For example:

From alice@example.com Fri Feb 2 03:52:12 1996
Received: from example.com (www.example.com [192.0.34.166])

It's permissible to have a "Return-Path:" header between the two, but if present, it will be ignored.

The MX for the domain is checked first. If any of the IPs listed as an MX are in the same /24 as the sender's IP, then it's a pass. If none match, then the rDNS for the IP is fetched, and a case-insensitive string compare is done between the end of the rDNS and the domain. So an rDNS of 10.10.10.10.rdns.example.com would match the domain example.com, rdns.example.com, and 10.rdns.example.com. If there is more than one rDNS entry, any rDNS entry that's a subdomain is sufficient for the test to pass.
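The check described above, written out as an added example (this is not the mxplus reference code). DNS answers are replaced by constructed tables, the sample messages are constructed in the layout mxplus expects, and the dot-boundary rule in the subdomain test is this example's own tightening:

```python
import ipaddress
import re

# Constructed DNS answers standing in for real MX and PTR lookups (assumption:
# a deployment would query the resolver instead of these tables).
FAKE_MX = {"example.com": ["192.0.34.166"]}
FAKE_PTR = {"192.0.34.166": ["www.example.com"], "64.71.139.98": ["ops.he.net"]}

# Constructed messages in the layout mxplus expects: an mbox "From " line,
# optionally "Return-Path:", then "Received:" with the client IP in brackets.
MSG_DIRECT = ("From alice@example.com Fri Feb 2 03:52:12 1996\n"
              "Received: from example.com (www.example.com [192.0.34.166])\n")
MSG_FORGED = ("From alice@example.com Fri Feb 2 03:52:12 1996\n"
              "Return-Path: <alice@example.com>\n"
              "Received: from example.com (ops.he.net [64.71.139.98])\n")

def parse_message(text):
    """Return (sender domain, connecting IP) or raise if the layout is off."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("From "):
        raise ValueError("first line is not an mbox 'From ' line")
    domain = lines[0].split()[1].rsplit("@", 1)[1].lower()
    for line in lines[1:]:
        if line.startswith("Return-Path:"):
            continue                      # allowed between the two, ignored
        m = re.match(r"Received:.*\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        if m:
            return domain, m.group(1)
        break                             # anything else is not the accepted layout
    raise ValueError("no Received: header with a bracketed IPv4 address")

def same_slash24(a, b):
    """The 'fuzzy' match: only the upper 24 bits of the two addresses must agree."""
    net = lambda ip: ipaddress.ip_network(ip + "/24", strict=False)
    return net(a) == net(b)

def is_subdomain(name, domain):
    """Case-insensitive suffix test; the dot boundary stops notexample.com
    from matching example.com (a tightening this example adds)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def mxplus_check(text, mx=FAKE_MX, ptr=FAKE_PTR):
    """Pass if the IP shares a /24 with any MX of the sender's domain, or if
    any rDNS name of the IP is a subdomain of that domain."""
    domain, ip = parse_message(text)
    if any(same_slash24(ip, host) for host in mx.get(domain, [])):
        return True
    return any(is_subdomain(name, domain) for name in ptr.get(ip, []))
```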

sender validation check

The sender validation check works in the following manner. In the mxplus program, it's presumed that the from is on the first line of the email being checked, and that line starts with "From ". The program then connects on the SMTP port to one of the mail servers listed in the MX record of the sender's domain. Upon connection, HELO, MAIL FROM and RCPT TO are sent. If any of the responses is a permanent failure, i.e. a 5xx error code, then the address is considered bad and the check fails; otherwise it is considered good and the check succeeds.
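The exchange above as an added example (not the mxplus code): the remote MX is a constructed, scripted responder rather than a TCP connection, and the null sender in MAIL FROM is this example's choice. It shows that a 4xx temporary failure, as a greylisting MX returns, still counts as a pass, since only 5xx is a failure:

```python
# Constructed stand-in for the sender domain's MX (assumption: a real callout
# would open TCP port 25 on a host taken from the domain's MX record).
class ScriptedMx:
    def __init__(self, replies):
        self.replies = list(replies)   # one reply per command, in order
        self.transcript = []           # what the checker actually sent

    def send(self, command):
        self.transcript.append(command)
        return self.replies.pop(0) if self.replies else "421 closing"

def sender_validation(sender, mx, helo_name="mxplus.example.net"):
    """Fail only on a 5xx permanent failure; 2xx and 4xx replies both leave
    the address 'good'. helo_name is a placeholder for the checking host."""
    commands = ["HELO " + helo_name, "MAIL FROM:<>", "RCPT TO:<%s>" % sender]
    ok = True
    for cmd in commands:
        if mx.send(cmd).startswith("5"):
            ok = False                 # permanent failure: address is bad
            break
    mx.send("QUIT")                    # always close the session cleanly
    return ok
```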

Virus check

Mxplus reads the body of the email message looking for an attachment with a "filename=" in it. If the filename ends with any of these extensions: .asd .bat .chm .cmd .com .dll .exe .hlp .hta .js .jse .lnk .ocx .pif .scr .shb .shm .shs .vb .vbe .vbs .vbx .vdx .wsf .wsh then the message is considered a virus, and the check fails.

How to install and use mxplus with procmail

procmail is a common mail filter used on Unix systems.

First, download a copy of the source here

To compile it, issue the command:

gcc mxplus.c -o mxplus

On some systems, you may need to include the resolver library:

gcc mxplus.c -o mxplus -lresolv

edit .procmailrc

add the following lines to your .procmailrc file:

:0fw
| mxplus
:0e
{
  EXITCODE=$?
  :0
  /dev/null
}

Check with your system administrator before using mxplus with procmail, they may already make it available system wide. For example, if you are a Hurricane Electric web hosting user, MX+ is a standard antispam option you can turn on.

Troubleshooting mxplus with procmail

If you have trouble getting mxplus to work with procmail, perform the following checks:

    verify that procmail is turned on and running
    turn on procmail logging and make sure that activity is being written to your log file
    make sure you can still receive normal mail
    telnet to your server's SMTP port (port 25) from a remote machine, send a test mail with an obviously bogus sender, then check the logs to see what procmail did with it

How to install and use mxplus as a milter

We'd like to provide instructions on how to install mxplus as a milter if somebody wants to look into it. (A milter is a mail filter used with sendmail.)

Suggestions

Suggestions may be sent to Scott Nelson.
Research and Development by Hurricane Electric