Slightly OT- nolisting

2014-10-20 Thread Robert Moskowitz
Since this is about mail and spam, I thought this might be a good place 
to ask about nolisting:


http://en.wikipedia.org/wiki/Nolisting

I get ~ 7000 messages/day on my server, with ~70% getting tagged as spam.

This is really private mailserver for my side consulting business and 
for all the standards and support lists I am on.


I am in the process of building a new server that I hope to launch 
tonight: Redsleeve6 (on 
armv7/Cubietruck)/postfix/dovecot/spamassassin/clamav/amavis-new.


A friend recommended I use nolisting to reduce the amount of spam 
messages to scan for spam.  I tried the single fake MX record as 
discussed in the wiki.  Port 25 is blocked on the first MX entry. No 
changes in spam received.


So I was told that this simple single MX record may not work.  To have 
TWO fake low value MX records and one high value like:


MX 10 bad.foo.com
MX 20 bad2.foo.com
MX 30 me.foo.com
MX 40 bad3.foo.com

And this did not make any difference in % of spam.  I seem to be 
receiving the same amount.  So either the spammers that know about me 
use real MTAs or have updated their SMTP to process MX records right.


So is there any experience here with nolisting?

thanks




Re: Slightly OT- nolisting

2014-10-20 Thread Reindl Harald



On 20.10.2014 at 14:18, Robert Moskowitz wrote:

> Since this is about mail and spam, I thought this might be a good place
> to ask about nolisting:
>
> http://en.wikipedia.org/wiki/Nolisting
>
> I get ~ 7000 messages/day on my server, with ~70% getting tagged as spam.
>
> This is really private mailserver for my side consulting business and
> for all the standards and support lists I am on.
>
> I am in the process of building a new server that I hope to launch
> tonight: Redsleeve6 (on
> armv7/Cubietruck)/postfix/dovecot/spamassassin/clamav/amavis-new.
>
> A friend recommended I use nolisting to reduce the amount of spam
> messages to scan for spam.  I tried the single fake MX record as
> discussed in the wiki. Port 25 is blocked on the first MX entry. No
> changes in spam received.


that may be the mistake, just reject temporarily there

many bots don't retry, but if there is no connect they may fall
back on the primary MX in the same second, the other benefit of the temp 
reject is that the bot may think this is greylisting and come back on 
the primary 10 or 15 minutes later

well, within those 10 minutes their chances of being in RBLs are high


> So I was told that this simple single MX record may not work.  To have
> TWO fake low value MX records and one high value like:
>
> MX 10 bad.foo.com
> MX 20 bad2.foo.com
> MX 30 me.foo.com
> MX 40 bad3.foo.com
>
> And this did not make any difference in % of spam.  I seem to be
> receiving the same amount.  So either the spammers that know about me
> use real MTAs or have updated their SMTP to process MX records right.
>
> So is there any experience here with nolisting?


* postscreen
* two ip-addresses
* backup MX for the second
* postscreen_whitelist_interfaces = !, static:all

the stats below are unique IPs

most bots starting on the backup-MX never come back
the ones which come back are mostly caught by RBLs

some big legit senders start also on the backup, hence temp-reject 
because they come back with proper behavior later on the primary


Default-MX: 31400
Honeypot-MX:16906
Honeypot-Only:  14062
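
The three counters in the post above can be reproduced from postscreen's connection log. This is an added example, not code from the post; the two server addresses, the sample log lines and the reading of the counters (unique clients seen on the primary MX, on the honeypot MX, and on the honeypot only) are assumptions.

```python
import re
from collections import defaultdict

# Assumed addresses from documentation ranges, not taken from the post.
PRIMARY_MX = "198.51.100.10"   # real MX
HONEYPOT_MX = "198.51.100.11"  # backup MX that only temp-rejects

# postscreen logs each connection as
# "CONNECT from [client]:port to [server]:port".
CONNECT_RE = re.compile(
    r"postscreen\[\d+\]: CONNECT from \[([^\]]+)\]:\d+ to \[([^\]]+)\]:25\b"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
Oct 20 14:00:01 mx postfix/postscreen[2101]: CONNECT from [192.0.2.5]:40112 to [198.51.100.11]:25
Oct 20 14:00:02 mx postfix/postscreen[2101]: CONNECT from [192.0.2.6]:51877 to [198.51.100.10]:25
Oct 20 14:00:03 mx postfix/postscreen[2101]: CONNECT from [192.0.2.7]:33410 to [198.51.100.11]:25
Oct 20 14:00:04 mx postfix/postscreen[2101]: DNSBL rank 3 for [192.0.2.7]:33410
Oct 20 14:12:40 mx postfix/postscreen[2101]: CONNECT from [192.0.2.7]:33980 to [198.51.100.10]:25
Oct 20 14:13:05 mx postfix/postscreen[2101]: CONNECT from [192.0.2.5]:40980 to [198.51.100.11]:25
Oct 20 14:15:00 mx postfix/postscreen[2101]: CONNECT from [203.0.113.9]:60001 to [198.51.100.11]:25
"""


def mx_stats(lines, primary=PRIMARY_MX, honeypot=HONEYPOT_MX):
    """Count unique client IPs per MX and those that never tried the primary."""
    seen = defaultdict(set)  # server address -> set of client IPs
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            client, server = m.groups()
            seen[server].add(client)
    return {
        "Default-MX": len(seen[primary]),
        "Honeypot-MX": len(seen[honeypot]),
        # Clients that hit the honeypot and never showed up on the primary.
        "Honeypot-Only": len(seen[honeypot] - seen[primary]),
    }


if __name__ == "__main__":
    for name, count in mx_stats(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {count}")
```
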





Re: Slightly OT- nolisting

2014-10-20 Thread jdebert
On Mon, 20 Oct 2014 08:18:51 -0400
Robert Moskowitz  wrote:

> Since this is about mail and spam, I thought this might be a good
> place to ask about nolisting:
> 
> http://en.wikipedia.org/wiki/Nolisting
> 
> I get ~ 7000 messages/day on my server, with ~70% getting tagged as
> spam.
> 

You could have no DNS record for your server. It wouldn't matter. Many
botnets don't bother with DNS. They stupidly scan the ip space
sequentially for mail servers. The best thing to do in such a case is
to drop connections from their ip blocks.  




Re: Slightly OT- nolisting

2014-10-20 Thread francis picabia
On Mon, Oct 20, 2014 at 9:18 AM, Robert Moskowitz 
wrote:

> Since this is about mail and spam, I thought this might be a good place to
> ask about nolisting:
>
> http://en.wikipedia.org/wiki/Nolisting
>
> I get ~ 7000 messages/day on my server, with ~70% getting tagged as spam.
>
> This is really private mailserver for my side consulting business and for
> all the standards and support lists I am on.
>
> I am in the process of building a new server that I hope to launch
> tonight: Redsleeve6 (on armv7/Cubietruck)/postfix/
> dovecot/spamassassin/clamav/amavis-new.
>
> A friend recommended I use nolisting to reduce the amount of spam
> messages to scan for spam.  I tried the single fake MX record as discussed
> in the wiki.  Port 25 is blocked on the first MX entry. No changes in spam
> received.
>
> So I was told that this simple single MX record may not work.  To have TWO
> fake low value MX records and one high value like:
>
> MX 10 bad.foo.com
> MX 20 bad2.foo.com
> MX 30 me.foo.com
> MX 40 bad3.foo.com
>
> And this did not make any difference in % of spam.  I seem to be receiving
> the same amount.  So either the spammers that know about me use real MTAs
> or have updated their SMTP to process MX records right.
>
> So is there any experience here with nolisting?
>
> thanks
>
>
>
We ran nolisting set up for a number of years.  It worked about as well
as reverse DNS checks for eliminating spam, without the CPU overhead
of reverse DNS check.  The problem is, this does nothing about spammers
who decide to run a real mailqueue, or abuse someone else's mail server,
which is increasingly the case.

Eventually we implemented a real grey lister, sqlgrey with Postfix.

The results were worthwhile.  The email delivered by our secondary MX fell
from about 5000 per day down to 200 or so.  It was so alarming I was afraid
we would hear from users on missing mail, but it really was all spam.

Our solution is Postfix with postscreen (eliminates zombies that don't
behave like a mail server), sqlgrey (eliminates systems that don't queue)
amavis with SA and clamav, RBLs like spamhaus, plus SANE security
add ons for clamav.

When I eliminated the nolisting config with all the above in place,
spam and email delivery stats did not increase.

While running with nolisting I think we encountered two sites
running home made mail software which didn't fail over to
the next MX and called us.  Once we explained
why their software failed, they fixed it on their end.


Re: Slightly OT- nolisting

2014-10-20 Thread Dave Warren

On 2014-10-20 05:18, Robert Moskowitz wrote:
> Since this is about mail and spam, I thought this might be a good
> place to ask about nolisting:
>
> http://en.wikipedia.org/wiki/Nolisting
>
> I get ~ 7000 messages/day on my server, with ~70% getting tagged as spam.



I did some experimentation a few weeks ago and found that a nolisting 
style "dead first MX" didn't make anywhere near as much an impact as I 
hoped, while in some cases it did cause delays (although only a few lost 
messages that we could find, and all from small home-grown systems that 
really deserved to feed to a proper mail relay)


What does seem to still work is having a secondary/last dummy MX that 
answers with 4xx, at least at this point. Based on my (definitely 
unscientific) testing, I believe that dumb ratware hits the lower 
priority (highest numbered) MX, smarter ratware either starts at the top 
or hits them all.


For this purpose, I'm currently using junkemailfilter.com's freebie:

MX 997 mxbackup1.junkemailfilter.com.
MX 998 mxbackup2.junkemailfilter.com.

mxbackup1 is a free backup-MX service, mxbackup2 is an "always fails" 
final MX. It's very clever, before accepting mail, it probes your 
server. If your server is up and returns a 2xx or 4xx, it'll return a 
4xx (so it won't accept mail if your server is working, thereby avoiding 
the situation where a backup mail provider opens a hole in your finely 
tuned filters), or if your server returns a 5xx, it will pass on the 5xx.


If your server doesn't respond, they'll 200 and accept the mail, then 
forward it to your higher-numbered MX when you return.


It's a really nice package, plus they use the data they collect to 
improve their service, so it's a win-win. Obviously read their policies 
and ensure you're okay with part of your mail stream passing through a 
third party.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Slightly OT- nolisting

2014-10-21 Thread Matus UHLAR - fantomas

On 20.10.14 13:00, Dave Warren wrote:

> For this purpose, I'm currently using junkemailfilter.com's freebie:
>
> [deleted]
> It's a really nice package, plus they use the data they collect to
> improve their service, so it's a win-win. Obviously read their
> policies and ensure you're okay with part of your mail stream passing
> through a third party.


we know about this... Marc Perkel (the owner of junkemailfilter.com) got
blamed here for repeated advertising of his services on this list.
Please do not make the same mistake
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: Slightly OT- nolisting

2014-10-21 Thread Gibbs, David
On 10/20/2014 3:00 PM, Dave Warren wrote:
> I did some experimentation a few weeks ago and found that a nolisting
> style "dead first MX" didn't make anywhere near as much an impact as
> I hoped, while in some cases it did cause delays (although only a few
> lost messages that we could find, and all from small home-grown
> systems that really deserved to feed to a proper mail relay)

There are, apparently, some MTA's that do _not_ use backup MX's properly ... I 
tried using the "Dead first MX" technique and found that some people were 
unable to send me mail because the mail server they were using didn't try the 
next (live) server on my MX list.

david

-- 
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding a metric century (100 km / 62 miles) in the 2015 American Diabetes 
Association's Tour de Cure to raise money for diabetes research, education, 
advocacy, and awareness.  You can make a tax deductible donation to my ride by 
visiting http://email.diabetessucks.net.  My goal is $5500 but any amount is 
appreciated.

See where I get my donations from ... visit 
http://email.diabetessucks.net/mapdonations.php for an interactive map (it's a 
geeky thing).



Re: Slightly OT- nolisting

2014-10-21 Thread Robert Moskowitz


On 10/20/2014 02:41 PM, francis picabia wrote:



> On Mon, Oct 20, 2014 at 9:18 AM, Robert Moskowitz wrote:
>
>> Since this is about mail and spam, I thought this might be a good
>> place to ask about nolisting:
>>
>> http://en.wikipedia.org/wiki/Nolisting
>>
>> I get ~ 7000 messages/day on my server, with ~70% getting tagged
>> as spam.
>>
>> This is really private mailserver for my side consulting business
>> and for all the standards and support lists I am on.
>>
>> I am in the process of building a new server that I hope to launch
>> tonight: Redsleeve6 (on
>> armv7/Cubietruck)/postfix/dovecot/spamassassin/clamav/amavis-new.
>>
>> A friend recommended I use nolisting to reduce the amount of
>> spam messages to scan for spam.  I tried the single fake MX record
>> as discussed in the wiki.  Port 25 is blocked on the first MX
>> entry. No changes in spam received.
>>
>> So I was told that this simple single MX record may not work.  To
>> have TWO fake low value MX records and one high value like:
>>
>> MX 10 bad.foo.com
>> MX 20 bad2.foo.com
>> MX 30 me.foo.com
>> MX 40 bad3.foo.com
>>
>> And this did not make any difference in % of spam.  I seem to be
>> receiving the same amount.  So either the spammers that know about
>> me use real MTAs or have updated their SMTP to process MX records
>> right.
>>
>> So is there any experience here with nolisting?
>>
>> thanks



> We ran nolisting set up for a number of years.  It worked about as well
> as reverse DNS checks for eliminating spam, without the CPU overhead
> of reverse DNS check.  The problem is, this does nothing about spammers
> who decide to run a real mailqueue, or abuse someone else's mail server,
> which is increasingly the case.


First I finally figured out that it is helping some.  Those numbers I 
gave were from logwatch amavis-new messages.  When I look at actual 
postfix message numbers, I get a different picture.  Before nolisting, 
postfix was dealing with 21k messages.  After nolisting it dropped to 
15k.  That is a pretty good improvement, but a lot of messages received 
for amavis-new to pass only 2k messages to user accounts!  So much noise 
out there.  Oh, for those peaceful days when I set up my first server in 
'94...  ;)


As one person pointed out, over the years I have learned so much and 
remembered so little.  All too true.




> Eventually we implemented a real grey lister, sqlgrey with Postfix.
>
> The results were worthwhile.  The email delivered by our secondary MX
> fell from about 5000 per day down to 200 or so.  It was so alarming I
> was afraid we would hear from users on missing mail, but it really was
> all spam.


I will look into these.



> Our solution is Postfix with postscreen (eliminates zombies that don't
> behave like a mail server), sqlgrey (eliminates systems that don't queue)
> amavis with SA and clamav, RBLs like spamhaus, plus SANE security
> add ons for clamav.
>
> When I eliminated the nolisting config with all the above in place,
> spam and email delivery stats did not increase.
>
> While running with nolisting I think we encountered two sites
> running home made mail software which didn't fail over to
> the next MX and called us.  Once we explained
> why their software failed, they fixed it on their end.



thanks




Re: Slightly OT- nolisting

2014-10-21 Thread Dave Warren

On 2014-10-21 01:49, Matus UHLAR - fantomas wrote:

> we know about this... Marc Perkel (the owner of junkemailfilter.com) got
> blamed here for repeated advertising of his services on this list.
> Please do not make the same mistake


I can't help you with that. I'm a satisfied user, have no affiliation 
with them, and have no other incentive to suggest them beyond personal 
experience; the suggestion is directly on-topic with regards to using 
additional MX records servers for spam reduction purposes.


If you're not interested, or if the company or their representatives 
start advertising, take it up with them, I agree that that's likely 
inappropriate if it happens on an ongoing basis, when it's not directly 
being discussed, or after they're advised that they're not welcome. This 
is not the same situation.


Any list owner/moderator is welcome to contact me off-list to discuss 
further.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren