Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2007/06/15 09:19:19 UTC

Innovative Host Blacklisting Idea

I'm trying out a new idea for blacklisting hosts. I have several email 
servers for processing spam. These servers service my lower numbered 
MX records. I also have several dummy MX records that are higher 
numbered than my real servers. So in theory no one should ever hit the 
higher numbered servers. Especially when the IP addresses are on the 
same server as the lower numbered MX.

But as most of you know spammers don't play by the rules and they try 
hitting the higher MX records first thinking there's less spam filtering 
there. So what I'm doing is counting hits by IP address. At the moment 
they have to hit it 75 times to get blacklisted. And it's all spammers 
and spam bots.

Who thinks this is interesting?


Re: Innovative Host Blacklisting Idea

Posted by Marc Perkel <ma...@perkel.com>.

Raymond Dijkxhoorn wrote:
> Hi!
>
>> servers for processing spam. These servers service my lower 
>> numbered MX records. I also have several dummy MX records that are 
>> higher numbered than my real servers. So in theory no one should ever 
>> hit the higher numbered servers. Especially when the IP addresses are 
>> on the same server as the lower numbered MX.
>>
>> But as most of you know spammers don't play by the rules and they try 
>> hitting the higher MX records first thinking there's less spam 
>> filtering there. So what I'm doing is counting hits by IP address. At 
>> the moment they have to hit it 75 times to get blacklisted. And it's 
>> all spammers and spam bots.
>>
>> Who thinks this is interesting?
>
> Yeah really cool idea, if your SMTP is too busy to accept connections 
> and people start sending on your second IP, they get blacklisted after 
> some time, really cute. Since you don't accept there either.
>
> I think it's a stupid idea!
>
>

I have several servers on several lower numbered MX records and this is 
on the same computer as my lowest MX. If the load levels get high it 
quits recording hits.
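
The counting scheme described in this thread (hits per client IP on the dummy MX, a listing threshold of 75, no recording while load is high), as an added example that is not part of any poster's message and not Marc Perkel's actual code. The log format, the addresses and the load ceiling are constructed assumptions.

```python
import ipaddress
from collections import Counter

THRESHOLD = 75             # hits before listing, the figure given in the thread
MAX_LOAD = 4.0             # assumed load ceiling; the thread gives no number
TRAP_IPS = {"192.0.2.25"}  # constructed address of the dummy high-numbered MX

def parse_line(line):
    """Parse 'epoch load1 client_ip local_ip' (constructed log format)."""
    ts, load, client, local = line.split()
    return int(ts), float(load), str(ipaddress.ip_address(client)), local

def build_blacklist(lines, threshold=THRESHOLD, max_load=MAX_LOAD):
    """Return (listed IPs, per-IP hit counts, hits skipped due to load)."""
    hits, skipped = Counter(), 0
    for line in lines:
        try:
            _, load, client, local = parse_line(line)
        except ValueError:
            continue              # malformed line: ignore rather than miscount
        if local not in TRAP_IPS:
            continue              # connection went to a real MX, not the trap
        if load > max_load:
            skipped += 1          # busy server: legitimate senders may fall
            continue              # back to the higher MX, so record nothing
        hits[client] += 1
    listed = {ip for ip, n in hits.items() if n >= threshold}
    return listed, hits, skipped

def sample_log():
    """Constructed sample: four clients with different behaviour."""
    rows = []
    rows += [f"{1000 + i} 0.50 198.51.100.7 192.0.2.25" for i in range(80)]
    rows += [f"{2000 + i} 0.70 203.0.113.9 192.0.2.25" for i in range(74)]
    rows += [f"{3000 + i} 9.00 203.0.113.50 192.0.2.25" for i in range(100)]
    rows += [f"{4000 + i} 0.40 198.51.100.99 192.0.2.10" for i in range(200)]
    rows.append("garbage line")
    return rows

if __name__ == "__main__":
    listed, hits, skipped = build_blacklist(sample_log())
    print("listed:", sorted(listed))
    print("below threshold:", {ip: n for ip, n in hits.items() if ip not in listed})
    print("hits ignored under load:", skipped)
```
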

Re: Innovative Host Blacklisting Idea

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> servers for processing spam. These servers service my lower numbered MX 
> records. I also have several dummy MX records that are higher numbered than 
> my real servers. So in theory no one should ever hit the higher numbered 
> servers. Especially when the IP addresses are on the same server as the lower 
> numbered MX.
>
> But as most of you know spammers don't play by the rules and they try hitting 
> the higher MX records first thinking there's less spam filtering there. So 
> what I'm doing is counting hits by IP address. At the moment they have to hit 
> it 75 times to get blacklisted. And it's all spammers and spam bots.
>
> Who thinks this is interesting?

Yeah really cool idea, if your SMTP is too busy to accept connections and 
people start sending on your second IP, they get blacklisted after some 
time, really cute. Since you don't accept there either.

I think it's a stupid idea!

Bye,
Raymond.


Re: Innovative Host Blacklisting Idea

Posted by Bob Proulx <bo...@proulx.com>.
Marc Perkel wrote:
> I'm trying out a new idea for blacklisting hosts. I have several email 
> servers for processing spam. These servers service my lower numbered 
> MX records. I also have several dummy MX records that are higher 
> numbered than my real servers. So in theory no one should ever hit the 
> higher numbered servers. Especially when the IP addresses are on the 
> same server as the lower numbered MX.
> 
> But as most of you know spammers don't play by the rules and they try 
> hitting the higher MX records first thinking there's less spam filtering 
> there. So what I'm doing is counting hits by IP address. At the moment 
> they have to hit it 75 times to get blacklisted. And it's all spammers 
> and spam bots.
> 
> Who thinks this is interesting?

When it works I think it will work great.  That is what you are seeing
right now while setting this up and monitoring it.  In this time it is
hard to imagine it not working right.  I expect you to have great
statistics from it.

However the real problem is handling problems in the automated system
when things do not work right.  It is handling 100% of the time all of
the problem cases that might arise.  But thinking about problems and
simulating problems is hard.  The real world is very much more
inventive and tireless in producing unexpected corner cases.  Even if
statistically the occurrence is very low these things can cause severe
distress to us and so we are going to be very cautious of this type of
approach.

Bob

Re: Innovative Host Blacklisting Idea

Posted by Marc Perkel <ma...@perkel.com>.

Daryl C. W. O'Shea wrote:
> Marc Perkel wrote:
>> I'm trying out a new idea for blacklisting hosts. I have several 
>> email servers for processing spam. These servers service my lower 
>> numbered MX records. I also have several dummy MX records that are 
>> higher numbered than my real servers. So in theory no one should ever 
>> hit the higher numbered servers. Especially when the IP addresses are 
>> on the same server as the lower numbered MX.
>
> Nobody except for users of Domino, Blackberry, and who knows how many 
> other business mail platforms that send mail to whatever MX they feel 
> like.
>
>
>> Who thinks this is interesting?
>
> Apparently you do.  Sorry Marc, couldn't resist. :)  This is pretty 
> old news though.  You've even brought it up yourself at least once, 
> but probably five times, before.
>
>

I've brought up the idea of using high numbered fake MX records several 
times and it's very effective. What's new here is that I'm powering my 
public hostkarma blacklist database in part by the IP addresses that 
make multiple attempts to send email to high numbered MX records when low 
numbered MX records are available. In the last 7 hours I get 145000 hits 
that I've recorded. And checking the dnsstuff lookup a lot of these IP 
addresses aren't listed with anyone but me.



Re: Innovative Host Blacklisting Idea

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Marc Perkel wrote:
> I'm trying out a new idea for blacklisting hosts. I have several email 
> servers for processing spam. These servers service my lower numbered 
> MX records. I also have several dummy MX records that are higher 
> numbered than my real servers. So in theory no one should ever hit the 
> higher numbered servers. Especially when the IP addresses are on the 
> same server as the lower numbered MX.

Nobody except for users of Domino, Blackberry, and who knows how many 
other business mail platforms that send mail to whatever MX they feel like.


> Who thinks this is interesting?

Apparently you do.  Sorry Marc, couldn't resist. :)  This is pretty old 
news though.  You've even brought it up yourself at least once, but 
probably five times, before.


Daryl