Re: Possible MX Lookup/Ordering Issue
- gordan@... wrote, at 11/01/2007 11:39 AM:
> On Thu, 1 Nov 2007, Jorey Bump wrote:I've already ruled this out as a dangerous technique that can result in
>> Don't let opinion or fringe cases guide you here. Too often, I have to
>> defend Nolisting against a straw man argument that "this is useless
>> because spammers will just bypass the primary MX and go to the
>> secondary instead." Well, *some* do, and I'll deal with them in a
>> later step. Meanwhile, I've foiled the majority, and I've conserved
>> some of my resources so they can be used elsewhere.
> Sure - and I've gone one better and hidden my real MX somewhere between
> the rejecting ones at the top (which leads to immediate retries to the
> next MX down, which may or may not do the same thing), and the
> tarpitting ones at the bottom. And even if a valid MTA gets to the
> bottom ones through a minor network outage, it'll still eventually time
> out and roll over to retry from the top after a little while.
lost mail. It's extremely important that your second MX host is responsive.
>> Why bother fighting spam that wouldn't exist otherwise? Don't createBut that's not your goal. An increase in volume can create the same
>> unnecessary targets. It's not like there is a finite amount of spam
>> aimed at a domain that gets thinned out over multiple hosts. Malware
>> is perfectly capable of generating *more* spam for each MX record. I
>> haven't seen conclusive evidence the contrary.
> The fact that the top 1 and bottom 3 MX records see a disproportionately
> high packet hit rate compared to the valid and accepting real MX is
results without lowering the amount of spam aimed at your functioning
MX. While conducting your tests, keep in mind that you want your
*functioning MX* to have a high percentage of ham (with zero false
positives), and the lowest percentage of spam attainable. You need to
prove that your decoys are indeed drawing spam away from your
functioning MX, and that's difficult to prove without an adequate control.
- On Thu, 1 Nov 2007, mouss wrote:
> gordan@... wrote:Sure - but I've tested this across different networks and different
>> On Thu, 1 Nov 2007, mouss wrote:
>>> this does not prove that using 10 records significantly reduces the spam
>>> received on the real MXes. This only shows the dsitribution of spam
>>> attempts when using 10 records.
>> Sure - but unless spam that went to MX10 then went and tried MX2, the
>> spam wasn't delivered to MX2.
> As Jorey said, it's not like there is a finite quantity of spam to be
> distributed among MXes. I have domains that receive 0 spam (and they
> have an MX). BTW. I also see smtp attempts to machines that are not
> listed as MX for any domain.
domains. There is always the dominant shape of the curve: disproportionate
number of connections on the 1st nth, n-1 and n-2 MX records (where n is
the number of MX-es).
>>> the experiment would be:It worked so well that I never bothered gathering any stats. But I guess I
>>> test 1: with only 2 records, what amount of spam is targetting the real
>>> MX. do this for some period of time (so that there are actually many bot
>>> test 2: do the same test with 10 records.
>>> if the amount of spam (on the "real" MX) in test 2 is significantly
>>> lower than in test 1, then 10 records would be useful. otherwise, you
>>> are just putting more honey for the flies.
>> The difference is extremely signifficant. It is also signifficant
>> between 3 and 5 MX-es, although it gets less measurable when going from
>> 10 upward.
> you did not show actual numbers for this.
could go through my spam folder and put some numbers to it when I have a
>>> No. see above. you are comparing numbers in a single setup. you are notBecause there is still a measurable drop, and it isn't exactly an
>>> comparing different setups (different number of records).
>> Yes I was. I tested with increasing numbers of MX records and the amount
>> of spam reduced. You do get into diminishing returns (statistically, 10
>> gets around 90% of it away, going from 10 to 100 only reduces it by
>> another 9%), so usually I don't bother with more than about 15. The
>> drop-off is actually better than linear because spammers seem to target
>> the 1st highest and 3 lowest MX-es, so adding more in the middle just
>> dilutes the ones that target a random MX.
> If they target 1st and last 3, then why 10 instead of 5?
>> You could, of course, just try it yourself for some figures you canYou'll need some quite spam-heavy unused domains to gather the statistics
>> trust. :-)
> I suspect there may be broken MTAs out there, so I keep myself under the
> 2 MX limit to avoid any risk on "real" domains. but I may test this on
> domains unused in email.