A 'null MX' is also useful for blocking forged senders from non-email domains

May 21, 2017

When I first considered the use of a 'null MX', I was only thinking of it as a way of blocking email to hosts that don't get email (I had a special case that made some dedicated spammer behavior unusually irritating). However, there is another useful case, and that's domains that don't send email but do get forged on spam.

A while back I wrote about a persistent phish spammer that consistently sends email using the forged sender email address of 'codewizard@approject.com'. As it happens, approject.com seems to be a parked domain, with a 'this domain may be for sale' website and nothing else visible. If this is true, the owner of approject.com could cut off much of this forgery by publishing a suitable 'null MX' record in their DNS (especially now that it's an official standard, as I found out when doing research for this entry). Owners of other parked domains could similarly cut off spam being forged in their names, and frankly there's a lot of it; spammers seem to love forging email as from domains like 'confirmation.com', 'verification.net', 'system.com', and so on.

(Some of those are not parked domains, mind you.)

Even without the new(-ish) null MX RFC, you can sort of get there today for some sites through a suitable DMARC policy and SPF records, but I think that probably requires more DNS fiddling than a simple 'MX .' entry. Plus, it only applies to people who actually use DMARC or SPF to reject messages, which is not that many people right now (partly because turning on DMARC or especially SPF rejection has various often unpleasant side effects). The good news is that using DMARC probably will ensure that GMail and a few other big places will reject the spammer email that is claiming to be from you.

(The more DNS fiddling is required, especially the more fiddling that must contain the domain name or the like, the less likely it is that owners of parked domains and similar things will go to the bother. One attraction of 'MX .' is that it's completely generic.)

I don't know why this use for a null MX standard didn't occur to me back then. Probably I was too close to my specific little issue and not thinking generally. Spammers have certainly been abusing generic-word domains for advance fee fraud and phish spams for years.


Comments on this page:

By gubiq at 2017-05-21 05:51:33:

I somehow don't get how a null-MX would stop spam that pretends to be from that domain. Can you please explain, as I could use this for my internal hostnames.

By cks at 2017-05-21 07:30:12:

Almost all receiving mail systems validate the envelope sender address during the SMTP session and refuse to accept the incoming email if the sender address doesn't exist or is otherwise invalid. With a null MX DNS entry, these systems know that this domain isn't valid as an email address, even though the domain may have an A record and so normally would qualify.

This has two limitations. First, it doesn't stop forgery of the domain in the From: mail header, because that's completely separate from the envelope sender and is not normally even evaluated by the receiving mail system. To perhaps stop that, you need a DMARC policy, and that only works for receiving hosts that check DMARC (but that includes big providers like GMail). Second, given that spammers do keep trying to use envelope senders that don't validate, there are presumably still some number of systems out there that (still) don't validate the envelope sender address. A null MX entry will do nothing to stop those systems from accepting forged email from your domain, but then nothing will.

(Also, this only applies at all for DNS names that are visible to the Internet. Purely internal names that are visible only in your internal DNS but that don't resolve from the Internet are already invalid for email as far as machines on the Internet are concerned. A null MX may stop them from sending internal email, though, if your internal mail system still validates internal envelope sender addresses. I can imagine situations where this would be useful.)
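The envelope sender check described in the comment above, as an added example that is not part of the original entry: a receiving side classifies the MAIL FROM domain from its DNS records, treating a lone 'MX 0 .' as a null MX that makes the domain invalid as a sender, while a domain with no MX but an A record still qualifies via the implicit MX rule. The zone data is constructed and stands in for real resolver lookups so it runs offline; the domain names are placeholders.

```python
# Constructed DNS answers: name -> {rrtype: [rdata, ...]} (stand-in for a resolver)
ZONE = {
    # Parked domain with a web A record that also publishes a null MX: "MX 0 ."
    "example-parked.test": {"MX": [(0, ".")], "A": ["192.0.2.10"]},
    # Ordinary mail domain with two MX records
    "example-mail.test": {"MX": [(10, "mx1.example-mail.test."),
                                 (20, "mx2.example-mail.test.")]},
    # Web-only domain with no MX at all: the A record acts as an implicit MX
    "example-web.test": {"A": ["192.0.2.20"]},
    # Names absent from ZONE do not resolve (NXDOMAIN)
}


def lookup(name, rrtype):
    """Return the constructed records of one type for a name ('' == none)."""
    return ZONE.get(name.lower().rstrip("."), {}).get(rrtype, [])


def sender_domain_status(domain):
    """Classify a MAIL FROM domain the way a validating receiver would.

    'null-mx'  : exactly one MX, preference 0, target '.', so the domain
                 never takes mail and is invalid as a sender (RFC 7505)
    'mx'       : at least one real MX record
    'implicit' : no MX, but an A/AAAA record stands in for it (RFC 5321)
    'nxdomain' : no MX and no address records; the domain does not exist
    """
    mx = lookup(domain, "MX")
    if len(mx) == 1 and mx[0][0] == 0 and mx[0][1] == ".":
        return "null-mx"
    if mx:
        return "mx"
    if lookup(domain, "A") or lookup(domain, "AAAA"):
        return "implicit"
    return "nxdomain"


def accept_envelope_sender(mail_from):
    """Decide on DNS grounds alone whether to accept an SMTP MAIL FROM.

    Returns (accepted, reason). The empty reverse path '<>' is always
    accepted because bounces use it; everything else must have a domain
    that can receive mail.
    """
    addr = mail_from.strip().strip("<>")
    if addr == "":
        return True, "null reverse path"
    domain = addr.rpartition("@")[2]
    status = sender_domain_status(domain)
    return status in ("mx", "implicit"), f"{domain}: {status}"
```

A domain with only a website is accepted as a sender because of the implicit MX rule, which is exactly the gap the null MX closes for the parked domain in the same zone.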

Written on 21 May 2017.