New: MX Logging

We’ve recently updated Rawstream Network Security to collect and report DNS MX requests. This matters because it can help organisations detect potential security breaches.

Mail Exchanges

DNS is the internet’s telephone directory. When you browse to example.com, the browser looks up “example.com” against DNS servers, and the DNS server returns the address of example.com in a format the browser can use to fetch and display the requested page. These requests are called A record DNS queries because the browser is asking for a host’s address.

However, web pages are not the only kind of resource reachable over the internet, and DNS describes other services too. One of the most heavily used is email. To send an email, your mail server needs to know the address of the server handling the recipient’s email. These DNS queries are MX (“mail exchanger”) requests.

In most organisations, staff use the organisation’s mail service to send out email. There are good reasons for centralising email handling:
1. enforcing standards like templates and attachment sizes
2. archiving email for compliance purposes
3. scanning email for security threats

There are very few good reasons why email should not be sent via the central mail server. Indeed, MX requests from individual machines are highly unusual.

You’ve Sent Mail

Individual machines trying to contact MX servers directly usually indicate a security issue. Malware on the machine may be trying to send phishing email to external victims, to send email spam, or to act in concert with other infected machines as part of a DDoS attack.

The new Rawstream reporting helps identify suspicious MX DNS requests. The report shows the looked-up domains, the number of lookups for each domain, the domain’s category, and the country where the domain is hosted.

MX Logs Report

The above screenshot shows a sample report for a Google Suite-hosted mail server (google.co.uk), which receives the vast bulk of lookups, as well as two potentially suspicious lookups. One is for Hotmail, the second is for a China-hosted mail server. Depending on your organisation’s communication patterns, these lookups may warrant further investigation.
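The detection idea behind the report, as an added example that is not Rawstream’s own code: given DNS query logs, keep only MX queries, drop those issued by the organisation’s authorised mail server, and aggregate the rest by domain with a lookup count and the set of endpoints involved. The log format, the mail server address and the log lines are all constructed for illustration.

```python
"""Flag MX lookups that did not originate from the central mail server."""
from collections import defaultdict
from typing import List, NamedTuple, Set

# Constructed sample DNS query log (not a real product format):
# "timestamp client_ip qtype qname"
SAMPLE_LOG = """\
2019-03-04T09:00:01 10.0.0.25 A example.com
2019-03-04T09:00:02 10.0.0.5 MX gmail.com
2019-03-04T09:00:03 10.0.0.5 MX outlook.com
2019-03-04T09:00:04 10.0.0.77 MX hotmail.com.
2019-03-04T09:00:05 10.0.0.77 mx hotmail.com
2019-03-04T09:00:06 10.0.0.91 MX mail.example.net
2019-03-04T09:00:07 10.0.0.91 AAAA example.org
"""

# Assumed: the only host that legitimately resolves MX records is the
# organisation's mail server. Everything else resolving MX is a finding.
MAIL_SERVERS: Set[str] = {"10.0.0.5"}


class Finding(NamedTuple):
    domain: str      # MX domain that was looked up
    lookups: int     # how many times it was looked up by non-mail-server hosts
    clients: List[str]  # endpoints that issued the lookups


def suspicious_mx_lookups(log: str, mail_servers: Set[str] = MAIL_SERVERS) -> List[Finding]:
    """Aggregate MX queries from hosts other than the mail server, per domain."""
    counts = defaultdict(int)
    clients = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:      # skip blank or malformed lines
            continue
        _ts, client, qtype, qname = parts
        # Normalise: query types are case-insensitive, names may carry a trailing dot.
        if qtype.upper() != "MX" or client in mail_servers:
            continue
        domain = qname.rstrip(".").lower()
        counts[domain] += 1
        clients[domain].add(client)
    findings = [Finding(d, counts[d], sorted(clients[d])) for d in counts]
    # Most-looked-up domains first, as in the report.
    return sorted(findings, key=lambda f: (-f.lookups, f.domain))


if __name__ == "__main__":
    for f in suspicious_mx_lookups(SAMPLE_LOG):
        print(f"{f.domain:<20} lookups={f.lookups} clients={','.join(f.clients)}")
```

Domain category and hosting country, which the report also shows, would be joined on afterwards from a categorisation and geolocation source; the aggregation above is the part that turns raw queries into the per-domain rows.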

About Rawstream Network Security

Rawstream Network Security is the fastest DNS filtering in the cloud, with an intuitive user interface, real-time reporting and zero log retention limits. You can sign up for a free trial, or learn more here.
