Cisco Cisco Email Security Appliance X1050 Troubleshooting Guide
How does the ESA handle bounce messages sent
to 127.0.0.1?
to 127.0.0.1?
Document ID: 117911
Contributed by Nasir Shakour and Enrico Werner, Cisco TAC
Engineers.
Jul 10, 2014
Engineers.
Jul 10, 2014
Contents
Question:
How does the ESA handle bounce messages sent to 127.0.0.1?
When spammers send email, they occasionally originate the email from domain names that will resolve to one
of the reserved IP loopback addresses (typically 127.0.0.1, although any address in the 127.0.0.0/8 block is
reserved for loopback purposes). These addresses are also occasionally encountered in a mass−mailing worm,
when the forged source domain name was never designed to receive mail and thus has an illegal IP address to
discourage email.
of the reserved IP loopback addresses (typically 127.0.0.1, although any address in the 127.0.0.0/8 block is
reserved for loopback purposes). These addresses are also occasionally encountered in a mass−mailing worm,
when the forged source domain name was never designed to receive mail and thus has an illegal IP address to
discourage email.
The issue with such domain names resolving to loopback addresses is that an unsuspecting MTA might
attempt to connect to the address to deliver the message. Since the loopback address connects back to the
same MTA, a loop can be generated. Depending on how the headers are formed in a bounced message, the
loop can be particularly costly, eventually getting large enough to consume all system resources.
attempt to connect to the address to deliver the message. Since the loopback address connects back to the
same MTA, a loop can be generated. Depending on how the headers are formed in a bounced message, the
loop can be particularly costly, eventually getting large enough to consume all system resources.
The ESA avoids this pathological syndrome. When a DNS lookup results in a IP address in the loopback
range (127.0.0.0/8), the AsyncOS SMTP client will not attempt to deliver such a message. You can observe
this behavior by looking at the mail_logs log. The following log excerpt shows a message being sent with a
return address domain name that resolves to the 127.0.0.1 IP address. When the message cannot be delivered,
AsyncOS creates a bounce message, but does not try and deliver the bounced message because the DNS is
pointing to the loopback address.
range (127.0.0.0/8), the AsyncOS SMTP client will not attempt to deliver such a message. You can observe
this behavior by looking at the mail_logs log. The following log excerpt shows a message being sent with a
return address domain name that resolves to the 127.0.0.1 IP address. When the message cannot be delivered,
AsyncOS creates a bounce message, but does not try and deliver the bounced message because the DNS is
pointing to the loopback address.
Thu Dec 9 22:06:03 2004 Info: Start MID 524 ICID 322
Thu Dec 9 22:06:03 2004 Info: MID 524 ICID 322 From:
<loopme@loopback.example.com>
Thu Dec 9 22:06:08 2004 Info: MID 524 ICID 322 RID 0 To:
<illegal99999@example.com>
Thu Dec 9 22:06:09 2004 Info: MID 524 Message−ID
'<3l57rh$gc@mail.example.com>'
Thu Dec 9 22:06:10 2004 Info: MID 524 ready 9 bytes from
<loopme@loopback.example.com>
Thu Dec 9 22:06:10 2004 Info: MID 524 matched all recipients
for per−recipientpolicy DEFAULT in the inbound table
Thu Dec 9 22:06:10 2004 Info: MID 524 Brightmail negative
Thu Dec 9 22:06:10 2004 Info: MID 524 antivirus negative
Thu Dec 9 22:06:10 2004 Info: MID 524 queued for delivery
Thu Dec 9 22:06:10 2004 Info: New SMTP DCID 160 interface
192.35.195.101 address 192.245.12.7
Thu Dec 9 22:06:10 2004 Info: Delivery start DCID 160 MID 524