From: Jorey Bump (list joreybump.com)
Date: Thu Nov 01 2007 - 10:58:52 CDT
gordan bobich.net wrote, at 11/01/2007 11:39 AM:
> On Thu, 1 Nov 2007, Jorey Bump wrote:
>
>> Don't let opinion or fringe cases guide you here. Too often, I have to
>> defend Nolisting against a straw man argument that "this is useless
>> because spammers will just bypass the primary MX and go to the
>> secondary instead." Well, *some* do, and I'll deal with them in a
>> later step. Meanwhile, I've foiled the majority, and I've conserved
>> some of my resources so they can be used elsewhere.
>
> Sure - and I've gone one better and hidden my real MX somewhere between
> the rejecting ones at the top (which leads to immediate retries to the
> next MX down, which may or may not do the same thing), and the
> tarpitting ones at the bottom. And even if a valid MTA gets to the
> bottom ones through a minor network outage, it'll still eventually time
> out and roll over to retry from the top after a little while.

I've already ruled this out as a dangerous technique that can result in
lost mail. It's extremely important that your second MX host is responsive.

>> Why bother fighting spam that wouldn't exist otherwise? Don't create
>> unnecessary targets. It's not like there is a finite amount of spam
>> aimed at a domain that gets thinned out over multiple hosts. Malware
>> is perfectly capable of generating *more* spam for each MX record. I
>> haven't seen conclusive evidence to the contrary.
>
> The fact that the top 1 and bottom 3 MX records see a disproportionately
> high packet hit rate compared to the valid and accepting real MX is
> evidence.

But that's not your goal. An increase in volume can create the same
results without lowering the amount of spam aimed at your functioning
MX. While conducting your tests, keep in mind that you want your
*functioning MX* to have a high percentage of ham (with zero false
positives), and the lowest percentage of spam attainable. You need to
prove that your decoys are indeed drawing spam away from your
functioning MX, and that's difficult to prove without an adequate control.
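
The controlled comparison asked for in the last paragraph above, as an added example that is not part of the original post: it compares spam reaching the functioning MX in a control period (no decoys published) against a period with decoys, so that decoy hit counts alone cannot pass as proof. Host names, the counts and the 20% `min_drop` threshold are constructed assumptions, and both periods are assumed to be the same length.

```python
from collections import Counter

# Constructed sample: (period, MX host, verdict) -> message count.
# "control" = only the functioning MX is published; "decoy" = decoy MX
# records are published around it. Host names are hypothetical.
SAMPLE = {
    ("control", "mx-real", "ham"): 400,
    ("control", "mx-real", "spam"): 1000,
    ("decoy", "mx-real", "ham"): 410,
    ("decoy", "mx-real", "spam"): 980,
    ("decoy", "mx-top", "spam"): 2500,
    ("decoy", "mx-bottom", "spam"): 3100,
}

def summarize(counts, functioning):
    """Per period: ham/spam seen by the functioning MX, plus total decoy hits."""
    out = {}
    for (period, host, verdict), n in counts.items():
        row = out.setdefault(period, Counter())
        if host == functioning:
            row[verdict] += n
        else:
            row["decoy_hits"] += n
    return out

def assess(counts, functioning="mx-real", min_drop=0.20):
    """Decide whether decoys diverted spam or only attracted extra volume."""
    s = summarize(counts, functioning)
    ctl, trt = s["control"], s["decoy"]
    if ctl["spam"] == 0:
        raise ValueError("control period saw no spam; nothing to compare against")
    # Relative drop in spam at the functioning MX versus the control period.
    drop = (ctl["spam"] - trt["spam"]) / ctl["spam"]
    ham_pct = trt["ham"] / (trt["ham"] + trt["spam"])
    return {
        "decoy_hits": trt["decoy_hits"],
        "spam_drop": round(drop, 3),
        "ham_pct": round(ham_pct, 3),
        "verdict": "diverted" if drop >= min_drop else "extra volume only",
    }

if __name__ == "__main__":
    print(assess(SAMPLE))
```

With the constructed counts, the decoys absorb 5600 hits while spam at the functioning MX falls by only 2%, which is the "increase in volume" outcome rather than diversion.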