Re: Spam relaying through secondary MX...
From: Craig Skinner (craig.skinner kepax.co.uk)
Date: Mon Oct 02 2006 - 06:33:37 CDT
On Sat, Sep 30, 2006 at 12:58:53PM -0400, Jorey Bump wrote:
>
> On Fri, September 29, 2006 4:04 pm, Craig Skinner wrote:
>
> > So then if you have a dummy primary mx, why not use the same technique
> > on the lowest priority mx box? From your great web page, 46% of spam
> > gets sent to the lowest MX, and 28% goes only to the highest, so that's
> > 3/4 of all spam that can be dispensed with. eg:
> >
> > $ORIGIN example.com.
> >
> > MX 5 mx1
> > MX 10 mx2
> > MX 15 mx1
> >
> > mx1 A 192.168.1.3
> > mx2 A 192.168.1.4
>
> The question is if the tertiary MX is really blocking spam you would have
> received otherwise.
Previously I ran just a legit primary MX (with greylisting), and a dud
secondary that had a Postfix instance listening that rejected mail with a 451.
Due to greylisting, new legit mail would try the dud secondary MX, then
successfully try later on the primary.
However, about 1/4 of new SMTP connections were only to the dud
secondary MX, and hence are spam, so to my mind, some malware reverse sorts
the MXs and only tries the least preferable MXer.
Therefore, with running a dud (TCP reset) primary MX, you have killed
off the fire-&-forget-primary-MX spam, but you now have to cope with
the lower volume of fire-&-forget-lowest-MX.
So, I thought that by combining the 2 ideas, I could get rid of both
sorts of fire-&-forget spam as the legit MXer nestles in between 2 dud MX
entries. By eyeballing my server, this seems to be working well.
> IOW, if you add another low priority MX, you'll
> attract more messages, 100% of which are spam, all of which you block.
There are lots of different sorts of malware, and this could well be
true in some cases, i.e., malware counting the number of MXers in a
domain, and only spamming ones that have more than X number of MXers.
> This causes the percentage of blocked spam to increase, but would you ever
> have gotten it without the extra decoy? This is hard to answer without
> knowing for sure if spammers are explicitly targeting only the lowest
> priority MX, and not all MX hosts (I'm apt to believe the latter is more
> the norm).
Dunno, this could be established by running nolisting, then hi-lo
listing on a busy domain for some period of time and comparing stats.
> I'm not sure that adding MX hosts spreads the spam thinner,
> since there is no technical restriction to cause this.
Well, there sort of is; you've proved it, and this forms the basis of
your nolisting. Also, malware often does not follow conventional
technical restrictions, hence the fire & forget brigade.
--
Craig Skinner | http://www.kepax.co.uk | wonkey-donkey kepax.co.uk
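The following is an added example, not code from the original thread or from either poster. It models the "hi-lo listing" layout Craig describes (a TCP-reset decoy as both the most and the least preferred MX, the real greylisting server in between) next to the earlier layout (real primary, dud secondary), and runs three sender strategies against each: a sender that walks the MX list in preference order as RFC 5321 requires and retries after a 451, a fire-and-forget sender that only hits the most preferred MX, and one that only hits the least preferred MX. Host behaviours, sender strategies, the greylist rule and the sample sender/recipient pair are all assumptions chosen to match the post; the host names and zone fragments are the ones quoted above.

```python
"""Model of the 'hi-lo listing' MX layout discussed in the post.

Constructed example added to this archive page, not code from the thread.
Host behaviours and sender strategies are assumptions that follow the
post's description: a host answering with a TCP reset as both the most
and the least preferred MX, a real greylisting Postfix in between, and
senders that either walk the MX list per RFC 5321 or 'fire and forget'
at a single MX host.
"""
from collections import Counter

# Zone layouts from the thread. Lower preference value = tried first.
HI_LO = [(5, "mx1"), (10, "mx2"), (15, "mx1")]   # layout proposed in the post
PLAIN = [(5, "mx2"), (10, "mx1")]                 # earlier layout: real primary, dud secondary

# Assumed per-host behaviour: nothing listens on mx1 (TCP RST);
# mx2 is the real server running greylisting.
HOST_BEHAVIOUR = {"mx1": "tcp_reset", "mx2": "greylist"}


class Greylister:
    """Assumed greylist rule: first attempt for a (sender, recipient) pair
    gets 451; a later retry of the same pair is accepted with 250."""

    def __init__(self):
        self.seen = set()

    def smtp_response(self, key):
        if key in self.seen:
            return 250
        self.seen.add(key)
        return 451


def mx_order(records, strategy):
    """Hosts a sender tries, in order, for a given strategy.

    'rfc'     : every MX host, ascending preference (RFC 5321, section 5.1)
    'primary' : only the most preferred MX (fire-and-forget at the primary)
    'lowest'  : only the least preferred MX (the reverse-sorted behaviour
                the post suspects some malware has)
    """
    ordered = [host for _, host in sorted(records)]
    if strategy == "rfc":
        return ordered
    if strategy == "primary":
        return ordered[:1]
    if strategy == "lowest":
        return ordered[-1:]
    raise ValueError(f"unknown strategy {strategy!r}")


def one_attempt(hosts, key, greylist, stats):
    """Walk the candidate hosts once. Returns 250, 451 or None (nobody answered)."""
    result = None
    for host in hosts:
        if HOST_BEHAVIOUR[host] == "tcp_reset":
            stats["decoy_connections"] += 1
            continue                      # connection refused: try the next MX
        stats["real_mx_connections"] += 1
        code = greylist.smtp_response(key)
        if code == 250:
            return 250
        result = code                     # 451: remember it, keep walking
    return result


def simulate(records, strategy, key=("alice@example.org", "bob@example.com")):
    """Deliver one message with the given zone layout and sender strategy.

    Returns (accepted, stats). A compliant 'rfc' sender queues and makes a
    second pass after a 451 or an unreachable MX list; fire-and-forget
    senders make exactly one pass and never retry.
    """
    hosts = mx_order(records, strategy)
    greylist = Greylister()
    stats = Counter()
    passes = 2 if strategy == "rfc" else 1
    for _ in range(passes):
        if one_attempt(hosts, key, greylist, stats) == 250:
            return True, dict(stats)
    return False, dict(stats)


if __name__ == "__main__":
    for name, zone in (("plain", PLAIN), ("hi-lo", HI_LO)):
        for strategy in ("rfc", "primary", "lowest"):
            ok, stats = simulate(zone, strategy)
            print(f"{name:5} {strategy:7} delivered={ok!s:5} {stats}")
```

Under this model the compliant sender gets its mail through in both layouts (first pass collects a 451 from mx2, second pass is accepted), while the two fire-and-forget strategies never reach mx2 in the hi-lo layout at all: the interesting difference is that in the plain layout the fire-and-forget-primary sender still costs the real MX a connection per message, which is exactly the load the second decoy removes.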