Re: Spammers Target Secondary MX hosts?

2005-03-28 Thread Simon Byrnand
At 01:42 19/03/2005, Martin Hepworth wrote:

I think the reason is that they think we might trust the secondary MX more 
than anything else and therefore let it through without checks.
I don't know about that. I think it's more just a matter of the way the bulk 
mailing software works. A normal SMTP client will always go for the 
primary MX first, and only try a secondary if the primary is unreachable. 
Therefore nearly all your legitimate mail will go to the primary directly, 
unless your primary is down or overloaded and refusing connections.

On the other hand, I find that spam seems to hit the primary and secondary 
in roughly equal measure - so I suspect the bulk mailers just pick an MX at 
random rather than following the primary first standard that SMTP clients 
should follow.

The theory is probably that they can pump spam through faster if they 
utilize all an ISP's inbound MX machines :)

Regards,
Simon


RE: Spammers Target Secondary MX hosts?

2005-03-23 Thread Gary W. Smith
And what is the dummy record?  If it's not valid (i.e. an unroutable IP
such as the 10, 192, 172 blocks), then it might get routed back to the
client's internal network.  If it's a public IP it can be worse.  Say
you route it to a dummy IP owned by you and there isn't anything on
there and one day you add it and suddenly mail is being rejected there.
Please don't tell me you use 127.0.0.1 as the invalid address...

I just say use an additional A record for a valid host.  It's a lot less
trouble, conforms to a valid working design and can be less troublesome
if you run into the above situation.

I think that a valid route is better than a questionable one to an MX
server.

 But because of the uptime of my 1st and 2nd mailservers and because of the
 robustness of the mail-protocol I've set the highest MX-number to a
 'dummy' server so that mail is blocked if they only try that MX-number
 (must be a spammer then). That way this kind of spam doesn't arrive at
 all.
 It's a matter of taste..
 Menno



RE: Spammers Target Secondary MX hosts?

2005-03-22 Thread Gary W. Smith
I've used a different approach, 

IN MX 10 primary.domain.com (4 machines)
IN MX 20 primary1.domain.com (2 of those 4)
IN MX 30 primary1.domain.com (the other 2 of those 4)
IN MX 20 backup.domain.com
IN MX 30 primary.domain.com


Seems to force most of the spam through the primary.  Very little goes
through the backup now.  To make matters simpler, we have changed all of
our backups to relay all mail through the primaries.

We spend a considerable amount of time ensuring that the backups were in
sync, and it has also increased the licensing of some of our software (as
we have a commercial AV application that is licensed per server).

Our primary location has a load balanced set of 4 servers serving as
incoming relays that feed back to two AV servers and two SA servers
(with bayes running on another server with mysql).  We had a similar
setup as the backup location.

Anyways, by setting the backup (highest MX) as the primary as well, we had a
significant decrease in the level of spam.

One thing that we will be implementing shortly is a second IP for the
same primary load balanced relays and we will make that second IP the
final backup.  This should help trick the spammers in the event they
decided to compare the IPs in the future.

That's what we have done to manage the situation.

Gary Wayne Smith

-Original Message-
From: Menno van Bennekom [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 21, 2005 3:05 AM
To: Jeff Chan
Cc: users@spamassassin.apache.org
Subject: Re: Spammers Target Secondary MX hosts?

 Clever trick.  Do legitimate MTAs try to send to the second
 highest MXer if the primary is down?  If so a fake third MX
 (even to a completely unused IP?) may have little downside.

 I.e.

 @  IN MX 5   realprimary.domain.com
 @  IN MX 10  realbackup.domain.com
 @  IN MX 20  fakebackup.domain.com

 Jeff C.

AFAIK mailservers first try the highest prio, then the second highest
etcetera.
I once had a situation where both the primary and the secondary were down,
but still mail to us didn't bounce, old mails just started streaming in
when the servers came up. Somehow the mail-protocol is quite robust, I'm
not worried about using a 'fake' third MX.
Menno



RE: Spammers Target Secondary MX hosts?

2005-03-22 Thread Menno van Bennekom
SNIP
 I've used a different approach,
 IN MX 10 primary.domain.com (4 machines)
 IN MX 20 primary1.domain.com (2 of those 4)
 IN MX 30 primary1.domain.com (the other 2 of those 4)
 IN MX 20 backup.domain.com
 IN MX 30 primary.domain.com
 Seems to force most of the spam through the primary.  Very little goes
 through the backup now.  To make matters simpler, we have changed all of
 our backups to relay all mail through the primaries.
 Gary Wayne Smith
Okay, so you want the spam directed to the highest MX-number to arrive at
your primary mailserver. That way the spam-checks like originating IP can
still be done in the MTA because it's not relayed by a backup-mailserver.
But because of the uptime of my 1st and 2nd mailservers and because of the
robustness of the mail-protocol I've set the highest MX-number to a
'dummy' server so that mail is blocked if they only try that MX-number
(must be a spammer then). That way this kind of spam doesn't arrive at
all.
It's a matter of taste..
Menno



Re: Spammers Target Secondary MX hosts?

2005-03-21 Thread Jeff Chan
On Monday, March 21, 2005, 2:21:48 AM, Menno Bennekom wrote:
 From: jdow
 Wow, it's been awhile since this floated through the list the last time.

 The theory among the spammers is that the secondary and tertiary
 MX machines are less well protected. They're backups, after all.
 They're not used every day.

 Most canny anti-spammers are aware of this and may actually have the
 secondaries nailed down a little tighter than the primaries.

 Indeed a lot of spam-programs/viruses address directly the highest MX-record.
 I point my highest MX-record (after the primary and backup MX) to an
 inactive mail-server, sort of second backup but postfix is stopped.
 Once in a while I activate it just to look what's coming in, and it is a
 gigantic amount of spam/viruses/name-guessing.
 This solution really has lowered the amount of traffic on my main
 mailservers.

 Menno van Bennekom

Clever trick.  Do legitimate MTAs try to send to the second
highest MXer if the primary is down?  If so a fake third MX
(even to a completely unused IP?) may have little downside.

I.e.

@  IN MX 5   realprimary.domain.com
@  IN MX 10  realbackup.domain.com
@  IN MX 20  fakebackup.domain.com

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Spammers Target Secondary MX hosts?

2005-03-21 Thread Menno van Bennekom
 Clever trick.  Do legitimate MTAs try to send to the second
 highest MXer if the primary is down?  If so a fake third MX
 (even to a completely unused IP?) may have little downside.

 I.e.

 @  IN MX 5   realprimary.domain.com
 @  IN MX 10  realbackup.domain.com
 @  IN MX 20  fakebackup.domain.com

 Jeff C.

AFAIK mailservers first try the highest prio, then the second highest
etcetera.
I once had a situation where both the primary and the secondary were down,
but still mail to us didn't bounce, old mails just started streaming in
when the servers came up. Somehow the mail-protocol is quite robust, I'm
not worried about using a 'fake' third MX.
Menno



Re: Spammers Target Secondary MX hosts?

2005-03-21 Thread Duncan Hill
On Monday 21 March 2005 11:05, Menno van Bennekom typed:
  Clever trick.  Do legitimate MTAs try to send to the second
  highest MXer if the primary is down?  If so a fake third MX
  (even to a completely unused IP?) may have little downside.
 
  I.e.
 
  @  IN MX 5   realprimary.domain.com
  @  IN MX 10  realbackup.domain.com
  @  IN MX 20  fakebackup.domain.com
 
  Jeff C.

 AFAIK mailservers first try the highest prio, then the second highest
 etcetera.
 I once had a situation where both the primary and the secondary were down,
 but still mail to us didn't bounce, old mails just started streaming in
 when the servers came up. Somehow the mail-protocol is quite robust, I'm
 not worried about using a 'fake' third MX.
 Menno

Correct.  SMTP is a (sort of) store-and-forward protocol.  If I send a message 
to you, my mail server stores the message, does the appropriate lookups and 
tries to forward on.  If the first MX fails (5), it'll try the next MX (10).  
If the next one fails, it'll try the third (20).  If that fails, it stores 
the message and flags it for a retry n minutes/hours/days later.  If the 
message cannot be delivered after y days (hours in some cases), the server 
generates a DSN for 'could not deliver the mail' and sends it to me.

My mail server may not talk to yours directly either.  In the case of my 
personal account, my postfix installation hands off to my ISP server for 
relay work.  If the ISP server is unable to deliver, it has to generate the 
DSN - my box is no longer responsible.


Re: Spammers Target Secondary MX hosts?

2005-03-21 Thread Niek
On 3/21/2005 12:05 PM +0100, Menno van Bennekom wrote:
AFAIK mailservers first try the highest prio, then the second highest
etcetera.
It's generally better to use the term distance when it comes to MX RRs.
I'm aware the RFCs speak of priority, but a higher priority MX has a lower
number, and vice versa, hence distance makes more sense :)
Niek
--


RE: Spammers Target Secondary MX hosts?

2005-03-21 Thread Mark

 -Original Message-
 From: Niek [mailto:[EMAIL PROTECTED] 
 Sent: maandag 21 maart 2005 12:14
 To: users@spamassassin.apache.org
 Subject: Re: Spammers Target Secondary MX hosts?
 
 
 It's generally better to use the term distance when it comes 
 to MX RRs. I'm aware the rfc's speak of priority, but a higher
 priority MX has a lower number, and vice versa, hence distance
 makes more sense :)

And, in UNIX, a higher priority process has a lower number, too.
I am quite comfortable with that terminology.

- Mark



RE: Spammers Target Secondary MX hosts?

2005-03-21 Thread Martin Lee

Not only sendmail, you can plug Milter filters into Perl programs using 
Net::Milter from CPAN.
I've not tried plumbing it in yet, but it should certainly be possible.

Martin


-Original Message-
From: Alexander Bochmann [mailto:[EMAIL PROTECTED]
Sent: 18 March 2005 18:51
To: users@spamassassin.apache.org
Subject: Re: Spammers Target Secondary MX hosts?


...on Fri, Mar 18, 2005 at 10:24:25AM -0800, Kelson wrote:

  The backscatter becomes a real problem in the legitimate relay 
  situation, because it's basically unavoidable.  If the spam is sent 
  directly to you, you can accept it, discard it, or reject it, and it 
  stops.  But if you're relaying to someone, and *they* reject it, now you 
  have to decide whether to generate a DSN or not.  We've actually set up 

When I was in that situation, my solution turned out 
to be milter-ahead, http://www.milter.info/milter-ahead/index.shtml
but that won't help you if you're not running sendmail :)

Alex.


__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
__



Re: Spammers Target Secondary MX hosts?

2005-03-21 Thread David Brodbeck
On Mon, 21 Mar 2005 12:05:18 +0100 (CET), Menno van Bennekom wrote
 I once had a situation where both the primary and the secondary were 
 down, but still mail to us didn't bounce, old mails just started 
 streaming in when the servers came up.

Yes, the remote MTAs will queue them.  The exact amount of time varies, but
it's usually at least a few days.

For that reason I tend to think secondary MXs are often more trouble than
they're really worth.



RE: Spammers Target Secondary MX hosts?

2005-03-19 Thread Pierre Thomson
Very interesting discussion.

I run a secondary MX without SA, which normally forwards everything to the 
primary, IOW a store-and-forward relay.  The secondary gets a steady stream of 
spam all day long, about 1/3 as much as the primary.  I tried the trick with a 
tertiary entry matching the primary, but it didn't reduce the spam at the 
secondary very much.

SA on the primary penalizes mail coming via the secondary with 2.0 points.  
Obviously SA won't be running if the primary is down, and if we ever get a long 
primary outage I can disable this rule on restart.

To eliminate backscatter, I copy the LDAP-generated sendmail access database 
from the primary to the secondary twice a day.  Thus the secondary will not 
accept mail for nonexistent addresses.  The time lag isn't a problem, since the 
secondary only gets legitimate mail when the primary is down, which is almost 
never.

Pierre



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 1:40 PM
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: RE: Spammers Target Secondary MX hosts?


Kelson wrote:
 Larry Starr wrote:
 On Friday 18 March 2005 08:17, Alexander Bochmann wrote:
 there are many setups where
 the ISP or someone else runs a backup MX for his
 customer's domains as a service. With this configuration,
 the secondary MX will usually not know about valid users
 in the destination domain.
 
 That, in fact, is the setup that I am operating and, yes, most of
 what comes through my secondary MX, at my ISP, is SPAM.   Some time
 ago I implemented a rule that adds a (small) spam score for mail
 received via my secondary MX. 
 
 I'm on the flip side of that: we provide secondary MX services for
 some of our customers, and I've started adding a small bonus score
 for mail being sent *to* them through our server.  I've also added
 meta-rules to treat certain rules more harshly.
 
 The really annoying thing, from our standpoint, is the backscatter we
 have to process:
 
 1. Spammer sends to secondary MX (us).
 2. We filter out some of the more obvious spam (for the most part
 using our regular criteria).
 3. We relay what's left to the primary MX.
 4. Primary MX rejects mail to nonexistent users and mail that trips
 their own spam filters.
 5. We generate DSNs that go to third parties or nonexistent hosts,
 contributing to backscatter and cluttering up our outbound queue.
 
 The backscatter becomes a real problem in the legitimate relay
 situation, because it's basically unavoidable.  If the spam is sent
 directly to you, you can accept it, discard it, or reject it, and it
 stops.  But if you're relaying to someone, and *they* reject it, now
 you have to decide whether to generate a DSN or not.  We've actually
 set up a separate queue for bounces that aren't delivered
 immediately, so that it won't bog down normal mail.

Two solutions occur to me:
1) Allow a way for the secondary MX to tell whether the primary MX is up - if 
it is, don't accept any connections
2) Allow a way for the secondary MX to tell what email addresses on the primary 
MX are valid (LDAP occurs to me)

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg, 


Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread gallen
I just had the reverse problem. Working for a large company using Exchange
for outbound business email, we were always hitting one company's secondary
MX which was broken (sent back rejections).

Our servers just liked the second MX better than the primary MX for some
reason. When I manually telneted into both the primary and the secondary
MX I noticed the secondary responded much faster than the primary to
commands. So maybe the primary just could not respond quick enough to our
email server so it flipped to the secondary which was much faster. (just
guessing here)




 Hi all,
 I've been noticing it lately that almost 90% of emails come in through
 our secondary MX host are spams, I just want to know if there's an
 explanation for this, my guess is that the spammers spam the secondary
 MX host intentionally for some reason I can't understand, maybe hoping
 the secondary host will be configured with less care?

 Many thanks,

 Yang




RE: Spammers Target Secondary MX hosts?

2005-03-19 Thread Kenneth Porter
--On Friday, March 18, 2005 2:55 PM -0500 Pierre Thomson 
[EMAIL PROTECTED] wrote:

I tried the trick with a tertiary entry matching the primary, but it
didn't reduce the spam at the secondary very much.
It would be useful to figure out why this is so. Did you use the same host 
name for both primary and tertiary? Or same resolved IP address? Does 
sendmail do any optimization like dropping candidate hosts found more than 
once in the MX list? Could it be that some ratware also makes this 
optimization?

I only have the one IP but I can create many hostnames in my domain to 
point to the same mail server and use that technique.

Yet another reason to switch to IPv6, so we'll have a glut of extra 
addresses to hide within.


OT: Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread Jeff Chan
On Friday, March 18, 2005, 2:13:23 PM, jdow jdow wrote:
 From: Yang Xiao [EMAIL PROTECTED]


 Hi all,
 I've been noticing it lately that almost 90% of emails come in through
 our secondary MX host are spams, I just want to know if there's an
 explanation for this, my guess is that the spammers spam the secondary
 MX host intentionally for some reason I can't understand, maybe hoping
 the secondary host will be configured with less care?

 Wow, it's been awhile since this floated through the list the last time.

 The theory among the spammers is that the secondary and tertiary
 MX machines are less well protected. They're backups, after all.
 They're not used every day.

 Most canny anti-spammers are aware of this and may actually have the
 secondaries nailed down a little tighter than the primaries.

We're applying more RBLs to our backup server than our primary
MXer.

What was the trick for making a mail server delay or reject
responses the first time an IP connects?  I've heard this is very
effective against spamware/zombies, etc.  We're using Postfix, so
this is definitely off topic. 

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread alan premselaar
[EMAIL PROTECTED] wrote:
Kelson wrote:
Larry Starr wrote:
On Friday 18 March 2005 08:17, Alexander Bochmann wrote:
there are many setups where
the ISP or someone else runs a backup MX for his
customer's domains as a service. With this configuration,
the secondary MX will usually not know about valid users
in the destination domain.
That, in fact, is the setup that I am operating and, yes, most of
what comes through my secondary MX, at my ISP, is SPAM.   Some time
ago I implemented a rule that adds a (small) spam score for mail
received via my secondary MX. 
I'm on the flip side of that: we provide secondary MX services for
some of our customers, and I've started adding a small bonus score
for mail being sent *to* them through our server.  I've also added
meta-rules to treat certain rules more harshly.
The really annoying thing, from our standpoint, is the backscatter we
have to process:
1. Spammer sends to secondary MX (us).
2. We filter out some of the more obvious spam (for the most part
   using our regular criteria).
3. We relay what's left to the primary MX.
4. Primary MX rejects mail to nonexistent users and mail that trips
   their own spam filters.
5. We generate DSNs that go to third parties or nonexistent hosts,
   contributing to backscatter and cluttering up our outbound queue.
The backscatter becomes a real problem in the legitimate relay
situation, because it's basically unavoidable.  If the spam is sent
directly to you, you can accept it, discard it, or reject it, and it
stops.  But if you're relaying to someone, and *they* reject it, now
you have to decide whether to generate a DSN or not.  We've actually
set up a separate queue for bounces that aren't delivered
immediately, so that it won't bog down normal mail.

Two solutions occur to me:
1) Allow a way for the secondary MX to tell whether the primary MX is up - if 
it is, don't accept any connections
2) Allow a way for the secondary MX to tell what email addresses on the primary 
MX are valid (LDAP occurs to me)
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg, 

MIMEDefang can do both of these... I use it on my secondary MX server to 
check for valid users on the primary server.  As a safety, if the 
primary MX server is down, it'll accept and queue the mail.  If it can't 
validate the user on the primary server, yet the server is up, it'll 
fail with user unknown.

alan


Re: OT: Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread Jeff Chan
On Saturday, March 19, 2005, 4:36:42 AM, alan premselaar wrote:
 I think you're thinking of Greylisting.

 It'll reject mail from a certain triple (sender/receiver/ip) the first 
 time it comes in, record it in some form (database/filesystem/etc) and 
 apply certain time delays so if the mail from the same triple comes back 
 after a specified timeout, it'll be accepted.

Yep, a couple that I was pointed to are:

  http://isg.ee.ethz.ch/tools/postgrey/
  http://policyd.sourceforge.net/

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
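The greylisting decision alan describes (tempfail a sender/recipient/IP triple on first contact, accept it once the sender retries after a delay), as an added example in Python; this is not code from postgrey or policyd, and the delay, retention window and sample triples are constructed values.

```python
"""Greylisting: tempfail a (sender, recipient, client IP) triple the first
time, remember it, and accept once the sender retries after the delay.

Added example, not code from postgrey or policyd (the tools Jeff links).
The delay, the retention window and the sample triples are constructed.
"""
import time

GREYLIST_DELAY = 300           # seconds a triple must wait before acceptance
GREYLIST_RETENTION = 4 * 3600  # forget triples that never came back

TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 Ok"


class Greylist:
    """In-memory triple store; a real deployment persists this (database
    or filesystem, as alan notes) so a restart does not re-greylist everyone."""

    def __init__(self, delay=GREYLIST_DELAY, retention=GREYLIST_RETENTION):
        self.delay = delay
        self.retention = retention
        self.first_seen = {}   # triple -> timestamp of the first attempt

    @staticmethod
    def triple(sender, recipient, client_ip):
        # Addresses are case-folded so a retry with different casing matches.
        return (sender.lower(), recipient.lower(), client_ip)

    def check(self, sender, recipient, client_ip, now=None):
        """SMTP-time decision for one RCPT TO. Returns the reply string."""
        now = time.time() if now is None else now
        key = self.triple(sender, recipient, client_ip)
        first = self.first_seen.get(key)
        if first is None or now - first > self.retention:
            # Never seen (or seen too long ago): record it and tempfail.
            # A compliant MTA queues and retries; one-shot spamware does not.
            self.first_seen[key] = now
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL    # came back too soon, keep it waiting
        return ACCEPT          # retried after the delay: let it through

    def purge(self, now=None):
        """Drop triples older than the retention window; returns how many."""
        now = time.time() if now is None else now
        stale = [k for k, t in self.first_seen.items() if now - t > self.retention]
        for k in stale:
            del self.first_seen[k]
        return len(stale)
```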



Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread Martin Hepworth
I think the reason is that they think we might trust the secondary MX 
more than anything else and therefore let it through without checks.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Yang Xiao wrote:
Hi all,
I've been noticing it lately that almost 90% of emails come in through
our secondary MX host are spams, I just want to know if there's an
explanation for this, my guess is that the spammers spam the secondary
MX host intentionally for some reason I can't understand, maybe hoping
the secondary host will be configured with less care?
Many thanks,
Yang
**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.   
**


Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread Yang Xiao
On Fri, 18 Mar 2005 13:48:46 +, Duncan Hill [EMAIL PROTECTED] wrote:
 On Friday 18 March 2005 13:09, Yang Xiao typed:
  Hi all,
  I've been noticing it lately that almost 90% of emails come in through
  our secondary MX host are spams, I just want to know if there's an
  explanation for this, my guess is that the spammers spam the secondary
  MX host intentionally for some reason I can't understand, maybe hoping
  the secondary host will be configured with less care?
 
 In a large number of cases, the secondary MX is not configured to know the
 list of valid users etc, and may be configured to pass directly to the
 internal mail server, bypassing protections on the primary relay.

hm...I'd be interested to know what the percentage is like for this
kind of settings just to feed my curiosity, because it totally
doesn't make sense to me, it's like setting up a secondary firewall
with no blocking rules, what good is it?

Yang


Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread Kai Schaetzl
Yang Xiao wrote on Fri, 18 Mar 2005 08:09:24 -0500:

 I've been noticing it lately that almost 90% of emails come in through 
 our secondary MX host are spams, I just want to know if there's an 
 explanation for this, my guess is that the spammers spam the secondary 
 MX host intentionally for some reason I can't understand, maybe hoping 
 the secondary host will be configured with less care?


Yes, that seems to be the idea.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de  http://msie.winware.org





Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread Kurt Boyack
A secondary MX host will get mostly spam. Mailers that follow the
rules will use the MX records as they were intended. Spammers scan all
hosts for port 25 and send email through them any way they can. You
can put a machine on the Internet without any MX records and spam will
start flowing through it. It usually does not take them very long to
discover a mail server.

The upside is that the spam can be used for testing new versions of
SpamAssassin. :)


On Fri, 18 Mar 2005 08:09:24 -0500, Yang Xiao [EMAIL PROTECTED] wrote:
 Hi all,
 I've been noticing it lately that almost 90% of emails come in through
 our secondary MX host are spams, I just want to know if there's an
 explanation for this, my guess is that the spammers spam the secondary
 MX host intentionally for some reason I can't understand, maybe hoping
 the secondary host will be configured with less care?
 
 Many thanks,
 
 Yang



Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread Alexander Bochmann
...on Fri, Mar 18, 2005 at 08:52:23AM -0500, Yang Xiao wrote:

  On Fri, 18 Mar 2005 13:48:46 +, Duncan Hill [EMAIL PROTECTED] wrote:
   In a large number of cases, the secondary MX is not configured to know the
   list of valid users etc, and may be configured to pass directly to the
   internal mail server, bypassing protections on the primary relay.
  hm...I'd be interested to know what the percentage is like for this
  kind of settings just to feed my curiosity, because it totally
  doesn't make sense to me, it's like setting up a secondary firewall
  with no blocking rules, what good is it?

It surely doesn't make sense if the secondary MX is 
under your control, but there are many setups where 
the ISP or someone else runs a backup MX for his 
customer's domains as a service. With this configuration, 
the secondary MX will usually not know about valid users 
in the destination domain.

Therefore it makes sense for the spammers to deliver 
mail to the secondary MX, as they can always claim 
that 100% of the mails have been successfully delivered.

Alex.



Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread Larry Starr
On Friday 18 March 2005 08:17, Alexander Bochmann wrote:
 ...on Fri, Mar 18, 2005 at 08:52:23AM -0500, Yang Xiao wrote:
   On Fri, 18 Mar 2005 13:48:46 +, Duncan Hill [EMAIL PROTECTED] 
wrote:
In a large number of cases, the secondary MX is not configured to know
the list of valid users etc, and may be configured to pass directly to
the internal mail server, bypassing protections on the primary relay.
  
   hm...I'd be interested to know what the percentage is like for this
   kind of settings just to feed my curiosity, because it totally
   doesn't make sense to me, it's like setting up a secondary firewall
   with no blocking rules, what good is it?

 It surely doesn't make sense if the secondary MX is
 under your control, but there are many setups where
 the ISP or someone else runs a backup MX for his
 customer's domains as a service. With this configuration,
 the secondary MX will usually not know about valid users
 in the destination domain.

 Therefore it makes sense for the spammers to deliver
 mail to the secondary MX, as they can always claim
 that 100% of the mails have been successfully delivered.

 Alex.

That, in fact, is the setup that I am operating and, yes, most of what comes 
through my secondary MX, at my ISP, is SPAM.   Some time ago I implemented a 
rule that adds a (small) spam score for mail received via my secondary MX.

-- 
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347  FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemingway



Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread Kenneth Porter
--On Friday, March 18, 2005 3:17 PM +0100 Alexander Bochmann 
[EMAIL PROTECTED] wrote:

It surely doesn't make sense if the secondary MX is
under your control, but there are many setups where
the ISP or someone else runs a backup MX for his
customer's domains as a service. With this configuration,
the secondary MX will usually not know about valid users
in the destination domain.
Therefore it makes sense for the spammers to deliver
mail to the secondary MX, as they can always claim
that 100% of the mails have been successfully delivered.
One possibility is to list your primary again as the tertiary, possibly 
under a different name and/or IP address. Spammers that deliver in reverse 
MX order will still end up trying to deliver to your primary first.

You could also list a bogus server in IP dark space (i.e. an address known 
to have no listening server) so that the spammer must check the empty 
address first. Even better is when there's a host there that drops packets 
(no TCP reset or ICMP port unreachable reply) to port 25, so that the 
spammer must time out the TCP connection attempt.
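The attempt order a compliant MTA follows over the layouts discussed in this thread (Jeff's fake third MX, Kenneth's primary-listed-again-as-tertiary, Gary's equal-preference entries), together with Duncan's retry-then-bounce cycle, as an added Python example; this is not code from the thread or from any MTA, the host names are the thread's placeholders and the reachability maps are constructed.

```python
"""MX attempt order and retry behaviour of an RFC 5321 client.

Added example, not from the thread. MX_FAKE_TERTIARY is Jeff Chan's
layout with Menno's 'dummy' highest-numbered MX; MX_PRIMARY_TWICE is
Kenneth Porter's suggestion of listing the primary again as tertiary.
Host names are placeholders; the reachability maps are constructed data.
"""
import random

MX_FAKE_TERTIARY = [
    (5, "realprimary.domain.com"),
    (10, "realbackup.domain.com"),
    (20, "fakebackup.domain.com"),    # nothing listens on port 25 here
]

MX_PRIMARY_TWICE = [
    (5, "realprimary.domain.com"),
    (10, "realbackup.domain.com"),
    (20, "realprimary.domain.com"),   # same box under lowest and highest number
]


def mx_attempt_order(records, rng=None):
    """Order in which a compliant client tries exchanges: ascending preference
    value (lower number = higher priority, i.e. shorter 'distance'); exchanges
    that share a preference value are tried in random order. A duplicate host
    (MX_PRIMARY_TWICE) is simply listed again; whether a given MTA collapses
    it is the open question Kenneth raised, so nothing is deduplicated here."""
    rng = rng if rng is not None else random.Random()
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def deliver_once(records, reachable, rng=None):
    """One delivery pass. `reachable` maps exchange -> True if it accepts the
    message right now. Returns (accepting_host_or_None, hosts_tried_in_order).
    Legitimate mail only ever reaches the dummy when every real MX failed."""
    tried = []
    for host in mx_attempt_order(records, rng):
        tried.append(host)
        if reachable.get(host, False):
            return host, tried
    return None, tried   # every MX failed: the message stays queued


def queue_until_delivered(records, rounds, max_rounds):
    """Duncan's cycle: retry each round ('n minutes/hours/days later') and
    give up with a DSN after max_rounds. `rounds` lists the reachability map
    in effect at each retry. Returns (outcome, round_index, host)."""
    for idx, reachable in enumerate(rounds[:max_rounds]):
        host, _ = deliver_once(records, reachable)
        if host is not None:
            return "delivered", idx, host
    return "bounced", min(len(rounds), max_rounds), None
```

Menno's anecdote (primary and secondary down, mail streams in when they come back) is the third `queue_until_delivered` case: two empty rounds, then the primary reachable.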


Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread Kelson
Larry Starr wrote:
On Friday 18 March 2005 08:17, Alexander Bochmann wrote:
there are many setups where
the ISP or someone else runs a backup MX for his
customer's domains as a service. With this configuration,
the secondary MX will usually not know about valid users
in the destination domain.
That, in fact, is the setup that I am operating and, yes, most of what comes 
through my secondary MX, at my ISP, is SPAM.   Some time ago I implemented a 
rule that adds a (small) spam score for mail received via my secondary MX.
I'm on the flip side of that: we provide secondary MX services for some 
of our customers, and I've started adding a small bonus score for mail 
being sent *to* them through our server.  I've also added meta-rules to 
treat certain rules more harshly.

The really annoying thing, from our standpoint, is the backscatter we 
have to process:

1. Spammer sends to secondary MX (us).
2. We filter out some of the more obvious spam (for the most part using
   our regular criteria).
3. We relay what's left to the primary MX.
4. Primary MX rejects mail to nonexistent users and mail that trips
   their own spam filters.
5. We generate DSNs that go to third parties or nonexistent hosts,
   contributing to backscatter and cluttering up our outbound queue.
The backscatter becomes a real problem in the legitimate relay 
situation, because it's basically unavoidable.  If the spam is sent 
directly to you, you can accept it, discard it, or reject it, and it 
stops.  But if you're relaying to someone, and *they* reject it, now you 
have to decide whether to generate a DSN or not.  We've actually set up 
a separate queue for bounces that aren't delivered immediately, so that 
it won't bog down normal mail.

--
Kelson Vibber
SpeedGate Communications www.speed.net
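The scoring rule Larry, Kelson and Pierre describe (a small penalty for mail that reached the primary through the secondary MX), plus Menno's point that the originating IP is only visible once the relay hop is unwound, as an added Python example; this is not code from the thread or from SpamAssassin (which does its relay parsing from its own trusted_networks settings), and the host names, IPs and sample headers are constructed.

```python
"""Score mail that reached the primary MX via the secondary MX, and find
the originating client IP behind our own relay hops.

Added example, not from the thread or SpamAssassin. OUR_MXS, SECONDARY_MX
and both sample header blocks are constructed; the 2.0 points is the value
Pierre reports using.
"""
import re

OUR_MXS = {"primary.example.com", "secondary.example.com"}   # constructed
SECONDARY_MX = "secondary.example.com"
VIA_SECONDARY_SCORE = 2.0

# Constructed sample: a message that came in through the secondary MX.
SAMPLE_VIA_SECONDARY = """\
Received: from secondary.example.com (secondary.example.com [192.0.2.20])
\tby primary.example.com (Postfix) with ESMTP id ABC123
\tfor <user@example.com>; Fri, 18 Mar 2005 14:55:00 -0500
Received: from unknown (HELO mail.example.net) (203.0.113.77)
\tby secondary.example.com with SMTP; Fri, 18 Mar 2005 14:54:58 -0500
From: someone@example.net
Subject: test
"""

# Constructed sample: the same client delivering straight to the primary.
SAMPLE_DIRECT = """\
Received: from mail.example.net (mail.example.net [203.0.113.77])
\tby primary.example.com (Postfix) with ESMTP id DEF456
\tfor <user@example.com>; Fri, 18 Mar 2005 15:01:00 -0500
From: someone@example.net
Subject: test
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
RECEIVED = re.compile(r"^Received: from (.+?) by (\S+)", re.I)


def received_hops(raw_headers):
    """Parse Received: headers, newest first, into (from_host, from_ip, by_host)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)   # join continuation lines
    hops = []
    for line in unfolded.splitlines():
        m = RECEIVED.match(line)
        if not m:
            continue
        from_part, by_host = m.group(1), m.group(2)
        ip = IPV4.search(from_part)
        hops.append((from_part.split()[0], ip.group(0) if ip else None, by_host))
    return hops


def originating_ip(hops, trusted):
    """Walk inward past hops both written by and received from our own MXs;
    the first hop that one of our hosts received from an outside client
    gives the IP to run blocklist or other origin checks against. Headers
    below that point were written by the client and cannot be trusted."""
    for from_host, from_ip, by_host in hops:
        if by_host in trusted and from_host not in trusted:
            return from_ip
    return None


def score(raw_headers):
    """Return (points, rule_names, originating_ip) for one message."""
    hops = received_hops(raw_headers)
    points, rules = 0.0, []
    # Newest hop is the one our primary wrote; penalize if it came from the secondary.
    if hops and hops[0][2] in OUR_MXS and hops[0][0] == SECONDARY_MX:
        points += VIA_SECONDARY_SCORE
        rules.append("RCVD_VIA_SECONDARY_MX")
    return points, rules, originating_ip(hops, OUR_MXS)
```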


Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread Chr. von Stuckrad
On Fri, Mar 18, 2005 at 10:24:25AM -0800, Kelson wrote:
...
 5. We generate DSNs that go to third parties or nonexistent hosts,
contributing to backscatter and cluttering up our outbound queue.
...
Even worse, the result of bounces sent by _our_ MTA was
being Spamcop-RBLed for hitting spamtraps with those
bounces! So being a secondary MX might even disrupt your
(own) service, and only the second queue you mentioned
might have helped against that! But we don't have THAT yet.

Stucki  (bounce-annoyed postmaster)

-- 
Christoph von Stuckrad * * |nickname |[EMAIL PROTECTED]\
Freie Universitaet Berlin  |/_*|'stucki' |Tel(days):+49 30 838-75 459|
Fachbereich Mathematik, EDV|\ *|if online|Tel(else):+49 30 77 39 6600|
Arnimallee 2-6/14195 Berlin* * |on IRCnet|Fax(alle):+49 30 838-75454/


RE: Spammers Target Secondary MX hosts?

2005-03-18 Thread Matthew.van.Eerde
Kelson wrote:
 Larry Starr wrote:
 On Friday 18 March 2005 08:17, Alexander Bochmann wrote:
 there are many setups where
 the ISP or someone else runs a backup MX for his
 customer's domains as a service. With this configuration,
 the secondary MX will usually not know about valid users
 in the destination domain.
 
 That, in fact, is the setup that I am operating and, yes, most of
 what comes through my secondary MX, at my ISP, is SPAM.   Some time
 ago I implemented a rule that adds a (small) spam score for mail
 received via my secondary MX. 
 
 I'm on the flip side of that: we provide secondary MX services for
 some of our customers, and I've started adding a small bonus score
 for mail being sent *to* them through our server.  I've also added
 meta-rules to treat certain rules more harshly.
 
 The really annoying thing, from our standpoint, is the backscatter we
 have to process:
 
 1. Spammer sends to secondary MX (us).
 2. We filter out some of the more obvious spam (for the most part
 using our regular criteria).
 3. We relay what's left to the primary MX.
 4. Primary MX rejects mail to nonexistent users and mail that trips
 their own spam filters.
 5. We generate DSNs that go to third parties or nonexistent hosts,
 contributing to backscatter and cluttering up our outbound queue.
 
 The backscatter becomes a real problem in the legitimate relay
 situation, because it's basically unavoidable.  If the spam is sent
 directly to you, you can accept it, discard it, or reject it, and it
 stops.  But if you're relaying to someone, and *they* reject it, now
 you have to decide whether to generate a DSN or not.  We've actually
 set up a separate queue for bounces that aren't delivered
 immediately, so that it won't bog down normal mail.

Two solutions occur to me:
1) Allow a way for the secondary MX to tell whether the primary MX is up - if 
it is, don't accept any connections
2) Allow a way for the secondary MX to tell what email addresses on the primary 
MX are valid (LDAP occurs to me)

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg, 


Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread Alexander Bochmann
...on Fri, Mar 18, 2005 at 10:24:25AM -0800, Kelson wrote:

  The backscatter becomes a real problem in the legitimate relay 
  situation, because it's basically unavoidable.  If the spam is sent 
  directly to you, you can accept it, discard it, or reject it, and it 
  stops.  But if you're relaying to someone, and *they* reject it, now you 
  have to decide whether to generate a DSN or not.  We've actually set up 

When I was in that situation, my solution turned out 
to be milter-ahead, http://www.milter.info/milter-ahead/index.shtml
but that won't help you if you're not running sendmail :)

Alex.
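The call-ahead idea behind milter-ahead, and Matthew's second suggestion (let the secondary learn which addresses the primary accepts), as an added Python example that is not code from this thread, from milter-ahead or from any MTA: the secondary asks the primary about each RCPT TO while the connecting client's session is still open, so a recipient the primary would refuse is rejected with a 5xx to that client instead of being accepted, relayed and bounced to a forged sender. The `probe` callback, the example.org domain, the cache TTLs and the primary-down policy are assumptions; a real deployment would implement `probe` as an SMTP session to the primary that stops after RCPT TO.

```python
"""Call-ahead recipient verification for a secondary MX (added example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Reply classes the primary may give to our RCPT TO (first digit of its code)
ACCEPT, TEMPFAIL, REJECT = 2, 4, 5


@dataclass
class Reply:
    """What the secondary answers to the connecting client's RCPT TO."""
    code: int
    text: str


@dataclass
class CallAhead:
    # Asks the primary about one recipient: ACCEPT / TEMPFAIL / REJECT,
    # or None when the primary cannot be reached at all (assumed interface).
    probe: Callable[[str], Optional[int]]
    served_domains: frozenset            # domains we are secondary MX for
    positive_ttl: float = 3600.0         # remember known-good recipients
    negative_ttl: float = 600.0          # remember known-bad recipients
    accept_when_primary_down: bool = True
    clock: Callable[[], float] = time.time
    _cache: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def _cached(self, rcpt: str) -> Optional[int]:
        hit = self._cache.get(rcpt)
        if hit is None:
            return None
        verdict, expiry = hit
        if expiry < self.clock():
            del self._cache[rcpt]
            return None
        return verdict

    def rcpt_to(self, rcpt: str) -> Reply:
        rcpt = rcpt.strip().lower()
        domain = rcpt.rpartition("@")[2]
        if domain not in self.served_domains:
            # Not a customer domain: refuse rather than act as an open relay.
            return Reply(554, "5.7.1 Relay access denied")
        verdict = self._cached(rcpt)
        if verdict is None:
            verdict = self.probe(rcpt)
            now = self.clock()
            if verdict == ACCEPT:
                self._cache[rcpt] = (ACCEPT, now + self.positive_ttl)
            elif verdict == REJECT:
                self._cache[rcpt] = (REJECT, now + self.negative_ttl)
        if verdict == ACCEPT:
            return Reply(250, "2.1.5 Recipient OK")
        if verdict == REJECT:
            # Refused inside the client's own session: nothing is queued, so
            # there is never a DSN for this recipient.
            return Reply(550, "5.1.1 Recipient rejected by primary MX")
        if verdict is None and self.accept_when_primary_down:
            # Primary unreachable: storing mail for it is what a secondary is for.
            return Reply(250, "2.1.5 Recipient OK (unverified, primary down)")
        # Primary said 4xx, or it is down and we prefer the sender's queue to ours.
        return Reply(451, "4.3.0 Try again later")


def demo() -> list:
    """Constructed scenario: the primary for example.org knows only alice."""
    state = {"primary_up": True}

    def probe(rcpt: str) -> Optional[int]:
        if not state["primary_up"]:
            return None
        return ACCEPT if rcpt == "alice@example.org" else REJECT

    mx = CallAhead(probe=probe, served_domains=frozenset({"example.org"}))
    codes = [
        mx.rcpt_to("alice@example.org").code,    # 250, primary accepts
        mx.rcpt_to("nobody@example.org").code,   # 550, refused in-session
        mx.rcpt_to("victim@other.test").code,    # 554, not our domain
    ]
    state["primary_up"] = False
    codes += [
        mx.rcpt_to("alice@example.org").code,    # 250 from positive cache
        mx.rcpt_to("nobody@example.org").code,   # 550 from negative cache
        mx.rcpt_to("carol@example.org").code,    # 250 unverified, primary down
    ]
    return codes


if __name__ == "__main__":
    print(demo())
```

The negative cache is what keeps this from turning a spam run into a probe storm against the primary: repeated dictionary-style recipients are refused from memory, and only genuinely new addresses cost a round trip.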



Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread Kenneth Porter
--On Friday, March 18, 2005 10:24 AM -0800 Kelson [EMAIL PROTECTED] wrote:
But if you're relaying to someone, and *they* reject it, now you have to
decide whether to generate a DSN or not.
Using MIMEDefang I don't reject for mail relayed from my secondary:
http://www.mimedefang.org/kwiki/index.cgi?CheckForMX


Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread List Mail User
...
| One possibility is to list your primary again as the tertiary, possibly
| under a different name and/or IP address. Spammers that deliver in reverse
| MX order will still end up trying to deliver to your primary first.

I tried this and it resulted in mail loops when one of the servers was down.
I like the suggestion below better.



| You could also list a bogus server in IP dark space (ie. an address known
| to have no listening server) so that the spammer must check the empty
| address first. Even better is when there's a host there that drops packets
| (no TCP reset or ICMP port unreachable reply) to port 25, so that the
| spammer must time out the TCP connection attempt.
|

Be very careful if the dark space is not under your control.  Using
a reserved address will get you an rfci listing, using somebody else's address
in the US is fraud (of course IANAL).  If you do have the space, the best thing
is probably to set up a *very* slow server, that always gives a 4xx at the end of
the conversation and preferably is doing greylisting too (look at the program
from OpenBSD or NetBSD unfortunately also called spamd - part of pf).

Paul Shupak
[EMAIL PROTECTED]
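Paul's "very slow server that always gives a 4xx at the end of the conversation", as an added Python example that is not code from this thread and not OpenBSD's spamd: a minimal SMTP state machine that walks the whole conversation, sinks the body, tempfails once the final "." arrives so the sender keeps the message on its own queue, and is wrapped in a socket server that sleeps before every reply. It omits the greylisting part of Paul's suggestion. The hostname, port and sample session are constructed.

```python
"""Lowest-priority MX that answers slowly and never accepts (added example)."""
import socketserver
import time
from typing import List, Optional

HOSTNAME = "mx-last.example.test"   # constructed name for this example


class TarpitSession:
    """SMTP state machine for one connection; no I/O in here, so it is testable."""

    def __init__(self) -> None:
        self.greeted = False
        self.sender: Optional[str] = None
        self.rcpts: List[str] = []
        self.in_data = False

    def banner(self) -> str:
        return f"220 {HOSTNAME} ESMTP"

    def handle(self, line: str) -> Optional[str]:
        """Reply to one client line; None while the message body is being sunk."""
        if self.in_data:
            if line == ".":
                # End of DATA: 4xx so the sender queues it, but we keep nothing,
                # so this host can never generate a bounce.
                self.in_data, self.sender, self.rcpts = False, None, []
                return "451 4.7.1 Try again later"
            return None
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return f"250 {HOSTNAME}"
        if verb == "MAIL":
            if not self.greeted:
                return "503 5.5.1 Send HELO/EHLO first"
            self.sender = line
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL before RCPT"
            self.rcpts.append(line)
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT before DATA"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("RSET", "NOOP"):
            self.sender, self.rcpts = None, []
            return "250 2.0.0 OK"
        if verb == "QUIT":
            return f"221 {HOSTNAME} closing connection"
        return "500 5.5.2 Command not recognized"


def run_session(lines: List[str]) -> List[str]:
    """Drive the state machine with client lines and collect its replies."""
    session = TarpitSession()
    return [r for r in map(session.handle, lines) if r is not None]


class TarpitHandler(socketserver.StreamRequestHandler):
    delay = 10.0   # seconds before every reply: this is the tarpit

    def handle(self) -> None:
        session = TarpitSession()
        self._say(session.banner())
        for raw in self.rfile:
            reply = session.handle(raw.decode("latin-1").rstrip("\r\n"))
            if reply is not None:
                self._say(reply)
                if reply.startswith("221"):
                    break

    def _say(self, reply: str) -> None:
        time.sleep(self.delay)
        self.wfile.write((reply + "\r\n").encode("latin-1"))
        self.wfile.flush()


def serve(port: int = 2525, delay: float = 10.0) -> None:
    """Unprivileged port for testing; redirect port 25 to it in production."""
    TarpitHandler.delay = delay
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), TarpitHandler) as srv:
        srv.serve_forever()


# Constructed session from a client that picked the last MX first
SAMPLE_SESSION = [
    "EHLO bulkmailer.example.test",
    "MAIL FROM:<forged-sender@example.net>",
    "RCPT TO:<someone@example.org>",
    "DATA",
    "Subject: constructed test message",
    "",
    "body",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for reply in run_session(SAMPLE_SESSION):
        print(reply)
```

Because the 4xx comes after the body, a client walking the MX list in reverse pays the full transfer plus one delay per command before learning nothing was delivered, while a legitimate MTA that got here only because the real MXs were down simply retries later.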