Re: Possible MX Lookup/Ordering Issue

  • Jorey Bump
    Message 1 of 44 , Nov 1, 2007
      gordan@... wrote, at 11/01/2007 11:39 AM:
      > On Thu, 1 Nov 2007, Jorey Bump wrote:
      >
      >> Don't let opinion or fringe cases guide you here. Too often, I have to
      >> defend Nolisting against a straw man argument that "this is useless
      >> because spammers will just bypass the primary MX and go to the
      >> secondary instead." Well, *some* do, and I'll deal with them in a
      >> later step. Meanwhile, I've foiled the majority, and I've conserved
      >> some of my resources so they can be used elsewhere.
      >
      > Sure - and I've gone one better and hidden my real MX somewhere between
      > the rejecting ones at the top (which leads to immediate retries to the
      > next MX down, which may or may not do the same thing), and the
      > tarpitting ones at the bottom. And even if a valid MTA gets to the
      > bottom ones through a minor network outage, it'll still eventually time
      > out and roll over to retry from the top after a little while.

      I've already ruled this out as a dangerous technique that can result in
      lost mail. It's extremely important that your second MX host is responsive.

      >> Why bother fighting spam that wouldn't exist otherwise? Don't create
      >> unnecessary targets. It's not like there is a finite amount of spam
      >> aimed at a domain that gets thinned out over multiple hosts. Malware
      >> is perfectly capable of generating *more* spam for each MX record. I
      >> haven't seen conclusive evidence to the contrary.
      >
      > The fact that the top 1 and bottom 3 MX records see a disproportionately
      > high packet hit rate compared to the valid and accepting real MX is
      > evidence.

      But that's not your goal. An increase in volume can create the same
      results without lowering the amount of spam aimed at your functioning
      MX. While conducting your tests, keep in mind that you want your
      *functioning MX* to have a high percentage of ham (with zero false
      positives), and the lowest percentage of spam attainable. You need to
      prove that your decoys are indeed drawing spam away from your
      functioning MX, and that's difficult to prove without an adequate control.
    • gordan@bobich.net
      Message 44 of 44 , Nov 1, 2007
        On Thu, 1 Nov 2007, mouss wrote:

        > gordan@... wrote:
        >> On Thu, 1 Nov 2007, mouss wrote:
        >>> this does not prove that using 10 records significantly reduces the spam
        >>> received on the real MXes. This only shows the distribution of spam
        >>> attempts when using 10 records.
        >>
        >> Sure - but unless spam that went to MX10 then went and tried MX2, the
        >> spam wasn't delivered to MX2.
        >>
        >
        > As Jorey said, it's not like there is a finite quantity of spam to be
        > distributed among MXes. I have domains that receive 0 spam (and they
        > have an MX). BTW. I also see smtp attempts to machines that are not
        > listed as MX for any domain.

        Sure - but I've tested this across different networks and different
        domains. There is always the dominant shape of the curve: disproportionate
        number of connections on the 1st nth, n-1 and n-2 MX records (where n is
        the number of MX-es).

        >>> the experiment would be:
        >>>
        >>> test 1: with only 2 records, what amount of spam is targeting the real
        >>> MX. do this for some period of time (so that there are actually many bot
        >>> runs).
        >>>
        >>> test 2: do the same test with 10 records.
        >>>
        >>> if the amount of spam (on the "real" MX) in test 2 is significantly
        >>> lower than in test 1, then 10 records would be useful. otherwise, you
        >>> are just putting more honey for the flies.
        >>
        >> The difference is extremely significant. It is also significant
        >> between 3 and 5 MX-es, although it gets less measurable when going from
        >> 10 upward.
        >
        > you did not show actual numbers for this.

        It worked so well that I never bothered gathering any stats. But I guess I
        could go through my spam folder and put some numbers to it when I have a
        moment.

        >>> No. see above. you are comparing numbers in a single setup. you are not
        >>> comparing different setups (different number of records).
        >>
        >> Yes I was. I tested with increasing numbers of MX records and the amount
        >> of spam reduced. You do get into diminishing returns (statistically, 10
        >> gets around 90% of it away, going from 10 to 100 only reduces it by
        >> another 9%), so usually I don't bother with more than about 15. The
        >> drop-off is actually better than linear because spammers seem to target
        >> the 1st highest and 3 lowest MX-es, so adding more in the middle just
        >> dilutes the ones that target a random MX.
        >>
        >
        > If they target 1st and last 3, then why 10 instead of 5?

        Because there is still a measurable drop, and it isn't exactly an
        expensive solution.

        >> You could, of course, just try it yourself for some figures you can
        >> trust. :-)
        >
        > I suspect there may be broken MTAs out there, so I keep myself under the
        > 2 MX limit to avoid any risk on "real" domains. but I may test this on
        > domains unused in email.

        You'll need some quite spam-heavy unused domains to gather the statistics
        quickly enough.

        Gordan
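The two things the thread keeps circling are (a) mouss's proposed experiment, comparing how much spam reaches the real MX with 2 records versus 10, and (b) Jorey's insistence that the comparison needs a control: the functioning MX must keep its ham (no lost mail) while its spam share drops. The script below is an added illustration of how one might score such a test from logs; it is not code from any poster. The log format is invented for the example (setup name, MX host, client IP, verdict), the "attempt" verdict stands in for a connection counter on a decoy host, and the "spam"/"ham" verdicts stand in for whatever content filter runs on the real MX. The sample lines are constructed and use documentation address ranges.

```python
"""Score a decoy-MX experiment from per-host connection logs.

Added example, not from the thread. Log format and sample data are constructed:
    <setup> <mx-host> <client-ip> <verdict>
verdict is "attempt" (connection seen on a decoy), or "spam" / "ham"
(content-filter verdict on the real MX).
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<setup>\S+)\s+(?P<mx>\S+)\s+(?P<ip>[\d.]+)\s+(?P<verdict>attempt|spam|ham)$"
)

# Constructed sample: setup "mx2" has decoy mx01 and real mx02;
# setup "mx10" has ten records with the real host hidden at mx05.
SAMPLE_LOG = """
# setup  mx    client         verdict
mx2   mx01  198.51.100.1   attempt
mx2   mx02  198.51.100.1   spam
mx2   mx02  198.51.100.2   spam
mx2   mx02  198.51.100.3   spam
mx2   mx02  198.51.100.4   spam
mx2   mx02  203.0.113.10   ham
mx2   mx02  203.0.113.11   ham
mx2   mx01  198.51.100.5   attempt
mx2   mx02  198.51.100.5   spam
mx10  mx01  198.51.100.1   attempt
mx10  mx10  198.51.100.2   attempt
mx10  mx09  198.51.100.3   attempt
mx10  mx08  198.51.100.4   attempt
mx10  mx01  198.51.100.5   attempt
mx10  mx05  198.51.100.6   spam
mx10  mx05  203.0.113.10   ham
mx10  mx05  203.0.113.11   ham
mx10  mx03  198.51.100.7   attempt
"""


def parse_log(text):
    """Parse log text into a list of dicts; blank lines and # comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        records.append(m.groupdict())
    return records


def connections_per_mx(records, setup):
    """Count connection attempts per MX host within one setup (the 'shape of the curve')."""
    return Counter(r["mx"] for r in records if r["setup"] == setup)


def real_mx_stats(records, setup, real_mx):
    """Spam and ham counts, plus spam share, on the functioning MX of one setup."""
    spam = sum(1 for r in records if r["setup"] == setup and r["mx"] == real_mx and r["verdict"] == "spam")
    ham = sum(1 for r in records if r["setup"] == setup and r["mx"] == real_mx and r["verdict"] == "ham")
    total = spam + ham
    return {"spam": spam, "ham": ham, "spam_share": spam / total if total else 0.0}


def compare_setups(records, baseline, candidate):
    """Compare two (setup, real_mx) pairs.

    spam_reduction is the fractional drop in spam on the real MX; ham_lost is
    the control: any drop in ham between setups points at lost legitimate mail,
    which makes the spam reduction meaningless.
    """
    a = real_mx_stats(records, *baseline)
    b = real_mx_stats(records, *candidate)
    reduction = 1 - b["spam"] / a["spam"] if a["spam"] else 0.0
    return {
        "baseline": a,
        "candidate": b,
        "spam_reduction": reduction,
        "ham_lost": max(0, a["ham"] - b["ham"]),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for setup in ("mx2", "mx10"):
        print(setup, dict(sorted(connections_per_mx(recs, setup).items())))
    result = compare_setups(recs, ("mx2", "mx02"), ("mx10", "mx05"))
    print(result)
    if result["ham_lost"]:
        print("WARNING: ham dropped between setups; check for lost mail before trusting the spam figures")
```

The comparison only means something if both setups were observed over comparable periods and the same sending population, which is the point mouss makes about letting many bot runs pass; on real data, a non-zero `ham_lost` is the first thing to chase, since it is exactly the lost-mail risk Jorey raises about unresponsive MX hosts.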