gordanbobich.net
Date: Thu Nov 01 2007 - 14:24:58 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 1 Nov 2007, mouss wrote:

> gordanbobich.net wrote:
>> On Thu, 1 Nov 2007, mouss wrote:
>>> this does not prove that using 10 records significantly reduces the spam
>>> received on the real MXes. This only shows the dsitribution of spam
>>> attempts when using 10 records.
>>
>> Sure - but unless spam that went to MX10 then went and tried MX2, the
>> spam wasn't delivered to MX2.
>>
>
> As Jorey said, it's not like there is a finite quantity of spam to be
> distributed among MXes. I have domains that receive 0 spam (and they
> have an MX). BTW. I also see smtp attempts to machines that are not
> listed as MX for any domain.

Sure - but I've tested this across different networks and different
domains. There is always the dominant shape of the curve: disproportionate
number of connections on the 1st nth, n-1 and n-2 MX records (where n is
the number of MX-es).

>>> the experiment would be:
>>>
>>> test 1: with only 2 records, what amount of spam is targetting the real
>>> MX. do this for some period of time (so that there are actually many bot
>>> runs).
>>>
>>> test 2: do the same test with 10 records.
>>>
>>> if the amount of spam (on the "real" MX) in test 2 is significantly
>>> lower than in test 1, then 10 records would be useful. otherwise, you
>>> are just putting more honey for the flies.
>>
>> The difference is extremely signifficant. It is also signifficant
>> between 3 and 5 MX-es, although it gets less measurable when going from
>> 10 upward.
>
> you did not show actual numbers for this.

It worked so well that I never bothered gathering any stats. But I guess I
could go through my spam folder and put some numbers to it when I have a
moment.

>>> No. see above. you are comparing numbers in a single setup. you are not
>>> comparing different setups (different number of records).
>>
>> Yes I was. I tested with increasing numbers of MX records and the amount
>> of spam reduced. You do get into diminishing returns (statistically, 10
>> gets around 90% of it away, going from 10 to 100 only reduces it by
>> another 9%), so usually I don't bother with more than about 15. The
>> drop-off is actually better than linear because spammers seem to target
>> the 1st highest and 3 lowest MX-es, so adding more in the middle just
>> dilutes the ones that target a random MX.
>>
>
> If they target 1st and last 3, then why 10 instead of 5?

Because there is still a measurable drop, and it isn't exactly an
expensive solution.

>> You could, of course, just try it yourself for some figures you can
>> trust. :-)
>
> I suspect there may be broken MTAs out there, so I keep myself under the
> 2 MX limit to avoid any risk on "real" domains. but I may test this on
> domains unused in email.

You'll need some quite spam-heavy unused domains to gather the statistics
quickly enough.

Gordan

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]