From: Jorey Bump (list at joreybump.com)
Date: Thu Nov 01 2007 - 10:01:32 CDT
gordan at bobich.net wrote, at 11/01/2007 10:41 AM:
> On Thu, 1 Nov 2007, Victor Duchovni wrote:
>
>> On Thu, Nov 01, 2007 at 02:24:43PM +0000, gordan at bobich.net wrote:
>>
>>> 1) That's not the domain that's having problems.
>>> 2) Its MX-es are not running postfix (they are running courier)
>>> 3) The MX-es are there for a reason. Google "nolisting".
>>
>> Which requires just 3 MX hosts not 66.
>
> To be effective you need more. 66 was for testing purposes, but proved
> to work. In a production setup I wouldn't bother using more than 10-15.
You only need a single nonresponsive primary MX for Nolisting.
It's funny, but I was doing a similar experiment when I discovered
Nolisting (although I used a 5 minute TTL). I was simply trying to find
out how many MX records popular MTAs and ESPs would retry before giving
up (it turns out you can't rely on more than two attempts). The next
day, my log parsers revealed a dramatic drop in spam. I refined the
technique to provide the most reliability, and that is why Nolisting
formally requires only one nonresponsive MX. Tacking on additional ones
is not Nolisting, and returns results that are misleading.
> Spammers go most for the top 1 and bottom 5 MX-es.
*Some* malware attempts delivery to multiple MX hosts. I believe that is
the best you can conclude. It is impossible to get reliable results on
any variation in the configuration without using a virgin block of IP
addresses, and preferably a new domain. Even then, there are too many
factors to adjust for, but my studies have shown that the majority of
malware still targets the primary MX. Nonresponsive low priority MX
records seem to result in more spam being generated, but not necessarily
less spam on the responsive MX (you're just creating new targets).
If you want to explore a more strict variation, look at Unlisting:
http://unlisting.org/
By itself, it is extremely effective, but prone to too many false
positives. I have been combining Nolisting with Selective Unlisting for
more acceptable results:
http://unlisting.org/selective.html
The caveats remain, but you determine the acceptable risk.
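Added example, not part of Jorey Bump's post or of the Nolisting/Unlisting projects' own material: a small Python model of the setup he describes, namely a single nonresponsive primary MX followed by the real server. The zone fragment, the example.com host names and the reachability table are constructed for illustration. It parses the MX records, orders them the way a sender does (ascending preference, ties shuffled), simulates a sender that gives up after a fixed number of hosts, and checks the zone against the definition in the post (exactly one nonresponsive MX, and it must be the primary, so that two attempts are enough). A zone with extra nonresponsive low-priority MX records, the variant Gordan tested, fails that check.

```python
"""Nolisting model: one nonresponsive primary MX in front of the real MX.

Added example, not code from the mailing-list post.  Host names, the zone
fragment and the reachability table below are constructed.
"""
import random
from typing import Dict, List, Tuple

# Constructed BIND-style zone fragment.  The lowest-preference (primary) MX
# points at an address where nothing listens on port 25; the real server
# is second.  A host that refuses the connection at once delays a
# compliant sender less than one that silently drops the SYN.
ZONE = """\
example.com.         IN MX 10 nolist.example.com.
example.com.         IN MX 20 mx.example.com.
nolist.example.com.  IN A  192.0.2.1
mx.example.com.      IN A  192.0.2.25
"""

# Constructed stand-in for "does a TCP connect to port 25 succeed?".
REACHABLE: Dict[str, bool] = {
    "nolist.example.com": False,  # nothing listens: connection refused
    "mx.example.com": True,
}


def parse_mx(zone: str) -> List[Tuple[int, str]]:
    """Return (preference, host) for every MX record in the zone text."""
    records = []
    for line in zone.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[1] == "IN" and fields[2] == "MX":
            records.append((int(fields[3]), fields[4].rstrip(".")))
    return records


def delivery_order(records: List[Tuple[int, str]], rng=random) -> List[str]:
    """Order hosts as RFC 5321 senders do: ascending preference, equal
    preferences in random order."""
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def attempt_delivery(records, reachable: Dict[str, bool], max_attempts: int):
    """Simulate a sender that tries at most max_attempts MX hosts in order.

    Returns the host that accepted the connection, or None if the sender
    gave up first.  A bot that only hits the primary MX is max_attempts=1;
    the post observes that no more than two attempts can be relied on
    from real MTAs, so the real server must be reachable by the second try.
    """
    for host in delivery_order(records)[:max_attempts]:
        if reachable.get(host, False):
            return host
    return None


def check_nolisting(records, reachable: Dict[str, bool]) -> Tuple[bool, str]:
    """Check a zone against Nolisting as the post defines it: exactly one
    nonresponsive MX, it has the lowest preference, and the next MX answers."""
    ordered = delivery_order(records)
    dead = [h for h in ordered if not reachable.get(h, False)]
    if len(dead) != 1:
        return False, "need exactly one nonresponsive MX, found %d" % len(dead)
    if ordered[0] != dead[0]:
        return False, "the nonresponsive MX must have the lowest preference"
    if len(ordered) < 2 or not reachable.get(ordered[1], False):
        return False, "a responsive MX must be second so two attempts suffice"
    return True, "ok"


if __name__ == "__main__":
    mx = parse_mx(ZONE)
    print("MX order:            ", delivery_order(mx))
    print("compliant MTA (2):   ", attempt_delivery(mx, REACHABLE, 2))
    print("primary-only bot (1):", attempt_delivery(mx, REACHABLE, 1))
    print("zone check:          ", check_nolisting(mx, REACHABLE))
    # Gordan's variant: extra nonresponsive low-priority MX records.
    print("with extra dead MX:  ",
          check_nolisting(mx + [(30, "dead2.example.com")], REACHABLE))
```

Against a live zone the reachability table would be replaced by an actual TCP connect to port 25 with a short timeout; the ordering and the check stay the same.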