gordan bobich.net
Date: Thu Nov 01 2007 - 13:30:01 CDT
On Thu, 1 Nov 2007, mouss wrote:
> gordan bobich.net wrote:
>> On Thu, 1 Nov 2007, Jorey Bump wrote:
>>
>>>>>> 1) That's not the domain that's having problems.
>>>>>> 2) Its MX-es are not running postfix (they are running courier)
>>>>>> 3) The MX-es are there for a reason. Google "nolisting".
>>>>>> Which requires just 3 MX hosts not 66.
>>>>
>>>> To be effective you need more. 66 was for testing purposes, but proved
>>>> to work. In a production setup I wouldn't bother using more than 10-15.
>>>
>>> You only need a single nonresponsive primary MX for Nolisting.
>>>
>>> It's funny, but I was doing a similar experiment when I discovered
>>> Nolisting (although I used a 5 minute TTL). I was simply trying to
>>> find out how many MX records popular MTAs and ESPs would retry before
>>> giving up (it turns out you can't rely on more than two attempts). The
>>> next day, my log parsers revealed a dramatic drop in spam. I refined
>>> the technique to provide the most reliability, and that is why
>>> Nolisting formally requires only one nonresponsive MX. Tacking on
>>> additional ones is not Nolisting, and returns results that are
>>> misleading.
>>
>> I agree, but when you set up about 10 records, you find that the 1st and
>> n-th out of n servers get about 80% of the packet hits. The n-1, n-2 and
>> n-3 servers get a decreasing number of hits. 2nd is usually the next one
>> with most packets going through, presumably including all of the ham
>> that hit the 1st, immediately rejecting server.
>>
>
> this does not prove that using 10 records significantly reduces the spam
> received on the real MXes. This only shows the distribution of spam
> attempts when using 10 records.
Sure - but unless spam that went to MX10 then went and tried MX2, the spam
wasn't delivered to MX2.
> the experiment would be:
>
> test 1: with only 2 records, what amount of spam is targeting the real
> MX. do this for some period of time (so that there are actually many bot
> runs).
>
> test 2: do the same test with 10 records.
>
> if the amount of spam (on the "real" MX) in test 2 is significantly
> lower than in test 1, then 10 records would be useful. otherwise, you
> are just putting more honey for the flies.
The difference is extremely significant. It is also significant between
3 and 5 MX-es, although it gets less measurable when going from 10 upward.
>>>> Spammers go most for the top 1 and bottom 5 MX-es.
>>>
>>> *Some* malware attempts delivery to multiple MX hosts. I believe that
>>> is the best you can conclude. It is impossible to get reliable results
>>> on any variation in the configuration without using a virgin block of
>>> IP addresses, and preferably a new domain.
>>
>> Not at all. Once the DNS TTL expires, it's as good as it's going to get.
>> And if you have domains with lots of users (and usernames), that's a
>> great way to show that the vast majority of spam will go to the decoy
>> MX-es.
>>
>>> Even then, there are too many factors to adjust for, but my studies
>>> have shown that the majority of malware still targets the primary MX.
>>> Nonresponsive low priority MX records seem to result in more spam
>>> being generated, but not necessarily less spam on the responsive MX
>>> (you're just creating new targets).
>>
>> I beg to differ. Given that my packet logs show that the low priority
>> MX-es are the ones that get most of the packet hits (more than the
>> primary), I'd say the evidence is pretty conclusive.
>
> No. see above. you are comparing numbers in a single setup. you are not
> comparing different setups (different number of records).
Yes I was. I tested with increasing numbers of MX records and the amount
of spam reduced. You do get into diminishing returns (statistically, 10
gets around 90% of it away, going from 10 to 100 only reduces it by
another 9%), so usually I don't bother with more than about 15. The
drop-off is actually better than linear because spammers seem to target
the 1st highest and 3 lowest MX-es, so adding more in the middle just
dilutes the ones that target a random MX.
You could, of course, just try it yourself for some figures you can trust.
:-)
Gordan
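To actually run the comparison mouss proposes (real-MX share under a 2-record layout versus a 10-record layout), here is an added example, not code from this thread or from either poster: it parses constructed netfilter LOG lines, counts port-25 connection attempts per MX preference, and reports the fraction that reached the responsive MX. The log field layout, the addresses and the MX preferences are all assumptions made for the example.

```python
"""Added example (not from the thread): count port-25 connection attempts per MX
from netfilter LOG lines, then compare the real MX's share between two layouts."""
import re
from collections import Counter

# Fields of an iptables/netfilter LOG line that matter here (format assumed).
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dport>\d+)")

def mx_hits(log_text, mx_by_pref):
    """Count inbound SMTP SYNs per MX preference; mx_by_pref is {pref: IP}."""
    addr_to_pref = {ip: pref for pref, ip in mx_by_pref.items()}
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("dport") != "25":
            continue  # not an SMTP attempt, or not a LOG line at all
        pref = addr_to_pref.get(m.group("dst"))
        if pref is not None:
            hits[pref] += 1
    return hits

def real_mx_share(hits, real_pref):
    """Fraction of all attempts hitting the responsive MX (compare this across setups)."""
    total = sum(hits.values())
    return hits[real_pref] / total if total else 0.0

# Constructed layouts: preference 10 is the nonresponsive primary, 20 is the
# real server, 30..100 are extra decoys present only in the 10-record setup.
MX_2 = {10: "192.0.2.1", 20: "192.0.2.2"}
MX_10 = {**MX_2, **{p: f"192.0.2.{p // 10}" for p in range(30, 101, 10)}}

def _syn(src, dst, dport=25):  # builds one constructed LOG line
    return f"kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO=TCP SPT=40000 DPT={dport} SYN"

LOG_2MX = "\n".join([
    _syn("198.51.100.7", "192.0.2.1"), _syn("198.51.100.7", "192.0.2.2"),
    _syn("203.0.113.9", "192.0.2.1"), _syn("203.0.113.9", "192.0.2.2"),
    _syn("203.0.113.4", "192.0.2.1"), _syn("203.0.113.4", "192.0.2.2"),
    _syn("203.0.113.4", "192.0.2.1", dport=80),  # not SMTP, must be ignored
])
LOG_10MX = "\n".join(
    [_syn("198.51.100.7", "192.0.2.1")] * 3 + [_syn("198.51.100.7", "192.0.2.2")]
    + [_syn("203.0.113.9", "192.0.2.10")] * 3
    + [_syn("203.0.113.4", "192.0.2.9"), _syn("203.0.113.4", "192.0.2.5")]
)

if __name__ == "__main__":
    for name, log, mx in (("2 MX", LOG_2MX, MX_2), ("10 MX", LOG_10MX, MX_10)):
        hits = mx_hits(log, mx)
        print(name, dict(sorted(hits.items())), f"real share={real_mx_share(hits, 20):.2f}")
```

With real traffic, feed each setup's packet log captured over the same TTL-expired period so the two shares are comparable, as mouss's test requires.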