Hugo van der Kooij
hvdkooij at vanderkooij.org
Thu May 29 06:36:25 IST 2008
Paul Welsh wrote:
| Hi all
| I have read that one way of blocking spam is to use a lowest priority MX
| record that points to a host that doesn't respond to SMTP requests. I've
| seen this idea coined as "nolisting".
| The idea is to block the many spammers who target the lowest priority MX,
| eg, the one with priority 90 rather than 10 as a way of trying to
| anti-spam measures. If the MX with the lowest priority doesn't
| the spammer doesn't try the higher priority MX but just moves on to
| Any thoughts on this idea?
I have been playing with a few options myself and I had a setup like this:
  MX 10 = real server
  MX 100 = backup server at other site
  MX 1000 = real server
Over time I also added temporary records adding temporary units in the
flow. (for example: 2 Barracudas were used as MX 5 and MX 1000 while they
were in fact a cluster so they had an identical configuration.)
My observations over the past few years:
  1. About 2 years ago most spammers targeted the best MX record.
  2. Then all of a sudden a lot of them targeted the worst MX record.
     That was the time I added the MX 1000 record.
  3. After about 3 months they started to ignore MX priorities and pick
     one at random.
  4. I have had temporary records there for a few weeks and those are
     still targeted sometimes but not as often as the currently listed servers.
So what can we learn from this? That having lots of MX records seems to
result in a distributed load as far as spam is concerned and a
reasonable normal behaviour for normal email. (Almost all traffic is
sent to my MX 10 server and some regular messages hit my backup server.)
Having non-existing MX servers as primary server will not stop that much
spam but it will annoy the hell out of regular servers and may result in
lost email at worst and delayed email as a minimum.
Having a few customers with Barracuda clusters out in the field gives me
the impression that my findings are not exclusive for my own domain but
seem to correspond with the findings for those customers with similar
hvdkooij at vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?
Bored? Click on http://spamornot.org/ and rate those images.
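An added example, not part of the original post: a small Python model of the MX-selection behaviours discussed in this thread, showing what a dead MX entry costs a standards-following sender and how much of each non-retrying sender type it actually turns away. The hostnames, function names and the assumption that such senders try exactly one host are constructed for illustration.

```python
import random

# Constructed MX set modelled on the layout in the post; hostnames are placeholders.
MX_SET = [
    (10, "mx-real.example.org"),
    (100, "mx-backup.example.org"),
    (1000, "mx-real-alias.example.org"),
]

def compliant_order(mx_records):
    """Order a standards-following sender walks the MX set: lowest preference number first."""
    return [host for _, host in sorted(mx_records)]

def deliver(order, listening):
    """Try hosts in order; return (accepting host or None, number of failed attempts)."""
    for failed, host in enumerate(order):
        if host in listening:
            return host, failed
    return None, len(order)

def sender_target(strategy, mx_records, rng):
    """The single host a non-retrying sender picks (assumption: one attempt, then it moves on)."""
    ordered = compliant_order(mx_records)
    if strategy == "best":
        return ordered[0]
    if strategy == "worst":
        return ordered[-1]
    if strategy == "random":
        return rng.choice(ordered)
    raise ValueError(f"unknown strategy: {strategy}")

def exposure(mx_records, listening, trials=10000, seed=1):
    """Fraction of non-retrying senders that land on a listening host, per strategy."""
    rng = random.Random(seed)
    result = {}
    for strategy in ("best", "worst", "random"):
        hits = sum(sender_target(strategy, mx_records, rng) in listening
                   for _ in range(trials))
        result[strategy] = hits / trials
    return result

if __name__ == "__main__":
    live = {host for _, host in MX_SET}
    dead_primary = [(5, "mx-dead.example.org")] + MX_SET
    print("compliant sender:", deliver(compliant_order(dead_primary), live))
    print("non-retrying senders reaching a live host:", exposure(dead_primary, live))
```

With a dead primary, every compliant sender pays one failed connection before reaching the real server, while only the "best MX" senders are fully turned away.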