Comment: clarified pitfalls of "no-listing" tactics.

...

No Format
 fake0.example.com   10
 realmx.example.com  20
 fake1.example.com   30

The fake records should ultimately resolve to real IP addresses with port 25 closed. On the lowest numbered MX, not resolving to a real IP address with port 25 CLOSED will cause serious interoperability problems with qmail, which is not RFC compliant and will never move up to the next MX record. If you point it at an unused or unreachable IP to which a connection will simply time out, you may cause substantially longer delays than if the connection fails "hard." Pointing the MX to a name that has no A record, or to an A record that resolves to a generally unreachable IP (e.g., link-local, RFC 1918 private, TEST-NET, etc.), can also cause problems with your mail's deliverability, as some sites test for such bogus MX records.
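The checks implied by these pitfalls, as an added example that is not part of the original page: it takes an MX layout with constructed hostnames and IPs, flags fake MXs that have no A record or point at non-routable space, and probes port 25 to confirm the failure is a hard refusal rather than a timeout. The function names, the layout tuple format and the sample addresses are assumptions of this example.

```python
# Added example (not from the page): check a fake-MX layout against the pitfalls above.
import ipaddress
import socket

def is_unreachable(ip: str) -> bool:
    """True for space the text calls generally unreachable: RFC 1918,
    link-local, loopback, TEST-NET, multicast and other non-global ranges."""
    addr = ipaddress.ip_address(ip)
    return (not addr.is_global) or addr.is_multicast

def probe_port25(ip: str, timeout: float = 5.0) -> str:
    """Classify a connection attempt to port 25: 'closed' is the hard
    failure wanted on a fake MX; 'timeout' is the slow failure to avoid."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, 25))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "timeout"
        except OSError:
            return "unreachable"  # e.g. no route to host

def check_layout(mx_records, probe=probe_port25):
    """mx_records: (priority, host, ip_or_None, is_fake) tuples. Returns
    (severity, message) findings; a problem on the lowest-numbered MX is
    'serious' because senders such as qmail will never move to the next MX."""
    findings = []
    ordered = sorted(mx_records, key=lambda r: r[0])
    lowest_pri = ordered[0][0]
    for pri, host, ip, fake in ordered:
        if not fake:
            continue
        sev = "serious" if pri == lowest_pri else "warning"
        if ip is None:
            findings.append((sev, f"{host} ({pri}): no A record; some sites treat this as a bogus MX"))
        elif is_unreachable(ip):
            findings.append((sev, f"{host} ({pri}): {ip} is non-routable; senders will time out"))
        elif (state := probe(ip)) != "closed":
            findings.append((sev, f"{host} ({pri}): port 25 is {state}, expected a hard refusal"))
    return findings

# Constructed layout mirroring the fake0/realmx/fake1 example above.
SAMPLE_LAYOUT = [
    (10, "fake0.example.com", "101.0.0.1", True),   # constructed public IP
    (20, "realmx.example.com", "101.0.0.2", False),
    (30, "fake1.example.com", "192.0.2.10", True),  # TEST-NET-1: a bad choice
]
```

Run `check_layout(SAMPLE_LAYOUT)` from a host with outbound port 25 access; pass your own `probe` to test a layout without touching the network.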

Fake Lowest MX

The reason for the fake lowest MX record is that it is where most email is delivered. Real servers will get the error, retry the middle MX and deliver the email with only a few seconds' delay. Zombie spam will just move on to the next victim. No good email is lost, but a huge amount of spam never makes it into the system at all. This not only reduces spam but also reduces system load, as SA doesn't have to process any of it.

...

Email is supposed to be sent to the lowest numbered MX record first, with the higher MX records being backup servers. Spammers often try the highest MX record first, thinking that the backup servers have less spam filtering than the main email server. They try the highest MX record and then never come back. So I set my highest MX record to point to an IP address that always returns a temporary "Come Back Later" error.

A real email server will retry and get through. But the spammer will just go away. This trick saves having to process several million messages a day on my servers at JunkEmailFilter.com.

...

No Format
 mail.yourdomain.com  10
 tarbaby.junkemailfilter.com 20

Details can be found at Project Tarbaby. NOTE WELL: Pointing MX records to systems which you do not control carries a risk of legitimate mail being lost and/or leaked to a third party.

Greylisting

Instead of a second fake MX you can use greylisting, which returns a temporary "Come Back Later" error for senders not yet known to it. It has the advantage of helping you on the primary MX directly, and rejects about 60% of the connections here. This is because spammers only try to send once, and if there is an error, they drop it. Real mail servers retry later.

...

No Format
FEATURE(`greet_pause', `5000')

Postfix: add "sleep <number>" at the beginning of smtpd_client_restrictions in main.cf:

No Format

...
# Pause 5 seconds at the start of each SMTP session (parameter name is plural)
smtpd_client_restrictions = sleep 5, <other restrictions>
...

Policy Daemons

Some MTAs, such as Postfix 2.1 and later, can delegate the spam/ham decision to a policy server at any stage, i.e. before DATA or after it. Deciding before DATA, i.e. at the RCPT TO stage, has the advantage that multi-recipient mail stays intact and that it is possible to let the user decide whether or not the policy daemon is used. One example, with greylisting, throttling, etc., is policyd: http://policyd.sourceforge.net/; another, which acts like a mini-SpamAssassin but before the content has been received (i.e. at the RCPT TO stage), is policyd-weight: http://www.policyd-weight.org/. Both can drastically reduce your bandwidth, CPU cycles and other MTA resources.

See Also

Whois Records

There is already a plugin to create rules based on country of origin, but this can be a rather blunt tool. http://linuxbox.co.uk/ip-address-whois-database.php contains a freely available CSV file mapping netblocks to owner/country. This makes it easy to, for example, match all dialup users from a particular country, all IP blocks belonging to a particular country, etc. You can then either score these with SpamAssassin or add them to your firewall.

See Also

[wiki:ExperimentalTheoretical Experimental and Theoretical] ideas for getting rid of spam.