Blocking MX query

William Herrin bill at
Tue Sep 4 12:05:06 UTC 2012

On Tue, Sep 4, 2012 at 6:07 AM, Ibrahim <ibrahim1 at> wrote:
> I've read the old archive about blocking the SMTP port (TCP port 25). In my current
> situation we are a mobile operator and use NAT for our subscribers, and we
> have a few spammers; it is a bit difficult to track them because mostly our
> subscribers are on prepaid services. If we block TCP port 25, there might be
> "good" subscribers who will not be able to send email.
There are no "good" subscribers trying to send email direct to a
remote port 25 from behind a NAT. The "good" subscribers are either
using your local smart host or they're using TCP port 587 on their
remote mail server. You may safely block outbound TCP with a
destination of port 25 from behind your NAT without harming reasonable
use of your network.

> We are thinking of blocking MX queries on our DNS server, so only spammers that
> use their own SMTP server will get affected. All DNS queries from our
> subscribers are already redirected to our DNS cache servers. But it seems BIND
> doesn't have a feature to block MX queries. Any best practice to block MX queries?

Best practice is: don't mess with the DNS.

I don't know if any resolver software supports what you want to do
here. If it does, I don't know what the repercussions are likely to
be. I do know that historically, altering DNS results has proven
problematic. For example, returning an A record for your search server
in place of no-host responses wreaks all manner of havoc.

I also doubt the efficacy of the method. Were this to become common
practice, a spammer could trivially evade it by using his own DNS
software or simply pumping out the address list along with
pre-resolved IP addresses to deliver the mail to. For all I know, they
already do.

Bill Herrin

William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004
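
The policy Bill describes above (leave TCP/587 alone, permit TCP/25 only to the operator's own smart host, block every other outbound TCP/25 from the subscriber side of the NAT) can be dry-run against flow records before the filter goes in, so the operator sees exactly which subscriber addresses would be affected. This is an added example, not code from the thread or from NANOG; the smart-host address, the CGN subscriber range and the flow lines are constructed samples.

```python
# Added example: dry-run the "block direct port 25, except to our smart host"
# policy over NetFlow-style records and report which subscriber addresses
# would be affected. Smart host, subscriber range and flows are constructed.
from collections import Counter
from ipaddress import ip_address, ip_network

SMART_HOST = ip_address("198.51.100.25")        # assumed: operator's own MTA
SUBSCRIBER_NET = ip_network("100.64.0.0/10")   # assumed: CGN pool behind the NAT

# Constructed flow records: "src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
100.64.3.7 51022 198.51.100.25 25 tcp
100.64.3.7 51023 203.0.113.10 587 tcp
100.64.9.200 44010 203.0.113.44 25 tcp
100.64.9.200 44011 203.0.113.45 25 tcp
100.64.9.200 44012 203.0.113.46 25 tcp
100.64.12.5 33000 203.0.113.10 443 tcp
100.64.12.5 33001 203.0.113.99 25 udp
"""


def classify(line: str) -> str:
    """Return 'allow', 'block' or 'ignore' for one flow record."""
    src, _sport, dst, dport, proto = line.split()
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if proto != "tcp" or src_ip not in SUBSCRIBER_NET:
        return "ignore"                         # policy covers subscriber TCP only
    if int(dport) != 25:
        return "allow"                          # submission (587) and everything else untouched
    return "allow" if dst_ip == SMART_HOST else "block"


def direct_port25_senders(flows: str) -> Counter:
    """Count would-be-blocked direct port-25 connections per subscriber source."""
    hits = Counter()
    for line in flows.splitlines():
        if line.strip() and classify(line) == "block":
            hits[line.split()[0]] += 1
    return hits


if __name__ == "__main__":
    for src, n in direct_port25_senders(SAMPLE_FLOWS).most_common():
        print(f"{src}: {n} direct port-25 connection(s) would be blocked")
```

On the sample flows only 100.64.9.200 is reported (three direct connections); the subscriber using the smart host and the one using port 587 are unaffected.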
