ietf-smtp

Re: current usage of AAAA implicit MX?

2008-04-08 09:57:56

Douglas Otis wrote:

Standardizing on AAAA fallback when MX resource records do not exist will require those using IPv6-only hostnames to publish bogus MX resource records as a means to avoid undesired traffic SMTP now generates. Standardization on AAAA fallback is likely to attract this undesired traffic and further abuse of SMTP. The undesired traffic can be substantial, depending upon the nature of the spoofed email, where creating bogus MX resource records in response should not be seen as beneficial. This effort will increase the DNS zone sizes. Instances of IPv6-only SMTP lacking MX records and receiving public SMTP traffic are sure to represent a small minority of the number of hostnames in IPv6 address space.

Hi Doug,

Question.

Given a MX mandate for security purposes, I have the following questions:

(1) WHERE is the MX mandate best applied?

 (A) 2821 Return Path
 (B) 2822 Reply-To:
 (C) 2822 From:
 (D) 2822 Sender:
 (E) Other

(2) WHEN is the MX best utilized?

 (A) Before the PAYLOAD is transmitted?
 (B) After the PAYLOAD is transmitted but not accepted yet. (DATA)
 (C) After the PAYLOAD is accepted with a 250 response
 (D) Only when NECESSARY

Of course, if your answer is 1.A, then it is best utilized at 2.A.

But I am afraid you and others are going to have vastly different views about where MX is used and when it is applied. Regardless of WHERE, most will have no real choice when it can be applied. For many, 2.C is their only option. In fact, I think we might find many here say 2.D is really the only choice since MX is only important come response time.

What this means is that MANY of the concerns regarding IMPLICIT MX and bounce attacks can be resolved or drastically minimized by mandating a 2.A or 2.B SMTP level design.

Of course, that is not practical.

--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
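
An added illustration, not part of the original message or of any implementation discussed on the list: a receiver applying the MX check to the 2821 return path (1.A) at MAIL FROM time (2.A), so a return path that would only be reachable through implicit A/AAAA fallback is refused before DATA and no bounce is ever owed to it. The DNS data, domain names, function names and reply texts are all constructed for the example.

```python
"""MAIL FROM-time MX check (option 1.A at stage 2.A), over constructed DNS data."""

# Constructed records standing in for DNS answers; all names are hypothetical.
ZONE = {
    "example.org":    {"MX": [(10, "mx1.example.org"), (20, "mx2.example.org")]},
    "v6only.example": {"AAAA": ["2001:db8::25"]},      # address record, no MX
    "web.example":    {"A": ["192.0.2.80"]},           # web host, no MX
}

def delivery_targets(domain, implicit_mx=True):
    """Hosts a bounce for `domain` would be sent to, lowest MX preference first.

    With implicit_mx=True a domain lacking MX falls back to its own A/AAAA
    record; with implicit_mx=False only an explicit MX counts.
    """
    name = domain.lower().rstrip(".")
    records = ZONE.get(name, {})
    if records.get("MX"):
        return [host for _pref, host in sorted(records["MX"])]
    if implicit_mx and (records.get("A") or records.get("AAAA")):
        return [name]
    return []

def mail_from_reply(return_path, require_mx):
    """SMTP reply to MAIL FROM:<return_path>, decided before DATA."""
    if return_path == "":            # null reverse-path "<>": nothing to bounce to
        return "250 OK"
    local, sep, domain = return_path.rpartition("@")
    if not sep or not local or not domain:
        return "501 Malformed reverse-path"
    if delivery_targets(domain, implicit_mx=not require_mx):
        return "250 OK"
    return "550 Return path domain has no mail exchanger"

if __name__ == "__main__":
    for path in ("user@example.org", "x@v6only.example", "x@web.example", ""):
        print(repr(path), "| implicit MX allowed:", mail_from_reply(path, False),
              "| MX mandated:", mail_from_reply(path, True))
```
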