Tuesday, April 08, 2014

Usage of higher MX records

I recently noticed something that at first seemed a bit weird.   A company had transitioned to an external email hygiene service but left their old MX record in place with a higher cost value, so their MX records looked like this (I shortened the text a bit)

company.com     MX=10     hygiene1.serviceplace.org
company.com     MX=10     hygiene2.serviceplace.org
company.com     MX=20    oldserver.company.com

 We noticed that a lot of email was still coming directly in to oldserver.company.com (their old gateway). 

  According to the RFCs, the SMTP transport is supposed to always pick the lowest MX record first and only move to a higher one if the lower ones fail.  But, we were seeing a different behavior.

  After some additional analysis, we found that only spam and malware were coming in to the MX record of 20.   After some discussion with some colleagues, I found out that spammers will intentionally do this in hopes of finding backdoors or SMTP paths in to your system will less security or message hygiene in place.

 Ideally, once you start using an external provider, you should remove your old MX records, get their IP addresses from which they send, and block everyone else's TCP port 25 at your firewall so that spammers can't find you by port scans.