HOWTO: How do I validate connecting hosts in the DNS?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

How do I validate connecting hosts in the DNS?

Procedure:

Enabling the check box, 'Validate Connecting Hosts in the DNS' (in the Receiver | Host Validation tab of Array Properties) will set the MailMarshal Receiver service to do a reverse DNS lookup, or Pointer (PTR) record lookup, for all incoming messages.

A PTR record shows the domain names associated with an IP address. So, when the Receiver gets an IP address, it will do a PTR record lookup to see what information is returned. The intention is to check for potential spam messages.

The options in MailMarshal are:

  • Accept unknown hosts (used for logging purposes only)
    The MailMarshal Receiver will do a PTR record lookup and if there is no PTR record, or if the domain name supplied in the message does not match the domain name indicated by the PTR record, then the event will be logged in the MailMarshal Receiver text log.

    Note: The message will still be accepted. This option is useful to diagnose a potential spam problem.

  • Host must have PTR record
    The MailMarshal Receiver will block any message where the IP address does not have a valid PTR record. If there is no record, MailMarshal logs this event in the Windows Application Event Log and terminates the connection with the SMTP response: 554 No SMTP service here

    Note: The domains do not have to match; the only requirement is that there is a PTR record.

  • PTR record must match the HELO connection string
    The MailMarshal Receiver will block a message where any domains listed in the PTR record do not match that supplied in the HELO string provided by the sending server. If the record does not match, MailMarshal logs this event in the NT Event Log and terminates the connection with the SMTP response: 554 No SMTP service here

    Note: This option should be used with caution - it is very likely that you will block valid e-mail from domains that do not have their PTR records set up correctly.

Notes:

These features, which provide varying degrees of checking, can only be used where MailMarshal can 'see' the actual IP address of the sending e-mail server. They are of no use, for example, where MailMarshal sits behind a firewall and only sees the IP address of that firewall.

Using these features can cause valid e-mail to be blocked; for example, some sites do not have their PTR records set up correctly. Therefore, when turning on 'Validate Connecting Hosts', it is recommended to select the first option, 'Accept unknown hosts', and monitor results in the Windows Application Event Log. When you are satisfied that valid e-mail is not being blocked, select one of the other two options.
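The three options above, modelled as an added example (not Trustwave's code): it applies each option to a connection's PTR names and HELO string, so you can estimate what the stricter settings would reject before enabling them. The mode names, the case-insensitive exact-match rule, the use of the HELO string as the name compared in log-only mode, and the sample connections are assumptions constructed for illustration.

```python
import socket

REJECT = "554 No SMTP service here"  # SMTP response quoted in the article

def ptr_names(ip):
    """Reverse (PTR) lookup; returns [] when the address has no PTR record."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def norm(host):
    # Assumed matching rule: case-insensitive, trailing dot ignored.
    return host.strip().rstrip(".").lower()

def evaluate(mode, ip, helo, lookup=ptr_names):
    """Return (verdict, detail) for one connection under one option."""
    names = {norm(n) for n in lookup(ip)}
    has_ptr, matches = bool(names), norm(helo) in names
    if mode == "accept_unknown":        # log only, message always accepted
        if not has_ptr:
            return "accept", "logged: no PTR record"
        if not matches:
            return "accept", "logged: HELO does not match PTR"
        return "accept", "ok"
    if mode == "require_ptr":           # names need not match
        return ("accept", "ok") if has_ptr else ("reject", REJECT)
    if mode == "ptr_matches_helo":      # strictest option
        return ("accept", "ok") if matches else ("reject", REJECT)
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample: (connecting IP, HELO string, PTR names returned).
# Addresses are from the RFC 5737 documentation range, not real hosts.
SAMPLE = [
    ("192.0.2.10", "MAIL.example.com.", ["mail.example.com"]),
    ("192.0.2.20", "smtp.customer.example", ["host-20.isp.example.net"]),
    ("192.0.2.30", "mx.example.org", []),
]

def impact(mode, sample=SAMPLE):
    """IPs that would be rejected if `mode` were enforced on the sample."""
    return [ip for ip, helo, ptr in sample
            if evaluate(mode, ip, helo, lambda _: ptr)[0] == "reject"]

if __name__ == "__main__":
    for mode in ("accept_unknown", "require_ptr", "ptr_matches_helo"):
        print(mode, impact(mode))
```

Calling `evaluate` without a `lookup` argument performs a live reverse lookup through the system resolver.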

This article was previously published as:
NETIQKB29369
Marshal KB254

 

 

 

 

