Posted to users@spamassassin.apache.org by Matt <lm...@gmail.com> on 2010/12/08 18:33:11 UTC

Fake MX

Anyone using the Fake MX trick?

http://www.webhostingtalk.com/wiki/Fake_MX

Is it safe to use a fake high and low mx?

Re: Fake MX

Posted by Raul Dias <ra...@dias.com.br>.
I used to do this and it was fine.
No problem in the low mx and just added points to the high mx in SA.

It did help a little.

A while ago I had to disable it because some major ISPs in Brazil started
to block me out because of this setup.

-rsd

On 12/08/2010 03:32 PM, Matt wrote:
> Anyone using the Fake MX trick?
>
> http://www.webhostingtalk.com/wiki/Fake_MX
>
> Is it safe to use a fake high and low mx?
>


Re: Fake MX

Posted by Franz Schwartau <fr...@electromail.org>.
Hi Matt!

On 08.12.2010 18:33, Matt wrote:
> Anyone using the Fake MX trick?
> 
> http://www.webhostingtalk.com/wiki/Fake_MX
> 
> Is it safe to use a fake high and low mx?

The term Fake MX doesn't seem to be used consistently. We are using a
Fake MX, which responds with a temporary error to every e-mail. At the high
end there is no problem with this setup but on the low end we
experienced problems with certain mailers. So we listed a so-called Null
MX on the low end. This is a connected IP address with the SMTP port
closed. This is preferred to an unconnected/unrouted IP address.

To sum it up:

MX 10	nullmx.domain.com.
MX 20	mail.domain.com.	<-- the real smtp server
MX 30	fakemx.domain.com.

As a matter of fact there is no SMTP log on the Null MX. So it is
sometimes hard to debug e-mail problems.

	Best regards
		Franz
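The three-tier layout Franz describes, as an added example that is not code from the thread or from any poster's setup: a small "Fake MX" SMTP responder that greets normally and then answers every command with a 450 temporary error, a port with nothing listening standing in for the "Null MX", and a probe that classifies each tier the way a sending MTA would experience it. The check worth running before publishing such records is the one `probe_mx` makes: the fake host must answer 4xx, never 5xx, because a 5xx makes a compliant sender bounce the message instead of retrying the real MX. All host names and addresses are constructed; the probe runs against loopback. (Note that RFC 7505 later gave "Null MX" a different meaning, a single `MX 0 .` record declaring that a domain accepts no mail at all; the usage in this thread is the older, informal one.)

```python
"""Fake MX responder and MX-tier probe (added example, not code from the thread).

Tiers as described in the thread, modelled on loopback:
  * Null MX  - a reachable host whose SMTP port is closed (connection refused),
  * real MX  - the actual server (not modelled here),
  * Fake MX  - answers every command with a 4xx temporary error so a
               well-behaved MTA falls back to a lower-preference host.
Host names and addresses are constructed for the demo.
"""
import smtplib
import socket
import socketserver
import threading


class FakeMXHandler(socketserver.StreamRequestHandler):
    """Greets with 220, then returns a temporary error to every command."""

    def handle(self):
        self.wfile.write(b"220 fakemx.example.com ESMTP fake MX, use a lower MX\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            parts = line.split()
            verb = parts[0].upper() if parts else b""
            if verb == b"QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            # 4xx, never 5xx: a 5xx here would make a compliant sender bounce
            # the message instead of retrying the real MX.
            self.wfile.write(b"450 4.7.1 Temporary failure, try another MX\r\n")


def start_fake_mx(host="127.0.0.1", port=0):
    """Start the fake MX on an ephemeral port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer((host, port), FakeMXHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_mx(host, port, timeout=5.0):
    """Classify an MX host as a sending MTA would see it.

    Returns "closed" (Null MX: connection refused), "tempfail" (Fake MX: 4xx
    on the greeting or on EHLO/HELO), "permfail" (5xx, the misconfiguration
    to watch for) or "accepts".
    """
    smtp = smtplib.SMTP(timeout=timeout, local_hostname="probe.example.com")
    try:
        code, _ = smtp.connect(host, port)
    except OSError:
        return "closed"
    try:
        if code // 100 != 2:
            return "tempfail" if code // 100 == 4 else "permfail"
        code, _ = smtp.ehlo()
        if code // 100 == 2:
            return "accepts"
        code, _ = smtp.helo()
        if code // 100 == 2:
            return "accepts"
        return "tempfail" if code // 100 == 4 else "permfail"
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            smtp.close()


def closed_port(host="127.0.0.1"):
    """Find a port with nothing listening on it, standing in for the Null MX."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe_tiers(host="127.0.0.1"):
    """Bring up the fake MX, probe both constructed tiers, return their classes."""
    server, fake_port = start_fake_mx(host)
    try:
        return {
            "nullmx": probe_mx(host, closed_port(host)),
            "fakemx": probe_mx(host, fake_port),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(probe_tiers())  # {'nullmx': 'closed', 'fakemx': 'tempfail'}
```

Point `probe_mx` at each of your own published MX hosts on port 25 to confirm the low tier refuses, the middle tier accepts, and the high tier tempfails; a "permfail" result on either fake tier is the configuration that causes lost mail.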

Re: Fake MX

Posted by Bowie Bailey <Bo...@BUC.com>.
On 12/8/2010 12:33 PM, Matt wrote:
> Anyone using the Fake MX trick?
>
> http://www.webhostingtalk.com/wiki/Fake_MX
>
> Is it safe to use a fake high and low mx?

Putting a non-responsive MX at the high end is fine.  I've been doing
that for years ever since I disabled my backup MX and just left the
entry there.

Using a non-responsive MX on the low end is debatable (and IIRC, it has
been debated here).  While it should be fine in theory, I think there
may be some MTAs that don't respond well to this.

-- 
Bowie

Re: Fake MX

Posted by Jon Trulson <jo...@radscan.com>.
On Wed, 8 Dec 2010, Matt wrote:

> Anyone using the Fake MX trick?
>
> http://www.webhostingtalk.com/wiki/Fake_MX
>
> Is it safe to use a fake high and low mx?
>

   At my last company, I found it very useful to setup the high MX's to
   use a greylist.  I would not use a low MX for this.

   It was very effective at inhibiting spam -- nearly 70% of inbound
   spam hit the greylist first.  Of that, very little (maybe 2-3%) ever
   retried, and therefore made it past the greylisting host.

   In addition to screening out a lot of crap right off the bat, it
   reduced the load on SA considerably.

   I highly recommend it.  But again, not the low MX.  You'd be playing
   with fire there.

-- 
Jon Trulson                      | A828 C19D A087 F20B DFED
mailto:jon@radscan.com           | 67C9 6F32 31AB E647 B345

"What can be asserted without evidence, can also be dismissed
  without evidence."  -- Christopher Hitchens
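The greylisting Jon describes on the highest-preference MX, as an added example that is not code from the thread or from any poster's system: a policy keyed on the classic triplet (client IP, envelope sender, envelope recipient) that returns 450 on first contact, accepts a retry after the minimum delay, and therefore never delivers from a bot that does not come back. The clock is injectable so the retry window can be exercised without waiting, and the attempt log, addresses and timings are constructed; `summarize` computes the same kind of figures Jon quotes (how many triplets ever retried, how many got through).

```python
"""Greylisting policy for the highest-preference MX (added example, not code
from the thread or from any poster's setup).

First attempt per triplet gets a 450 temporary error; a retry after the
minimum delay is accepted; a bot that never retries never delivers.
All addresses and timings below are constructed.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

Triplet = Tuple[str, str, str]


@dataclass
class Greylist:
    min_delay: float = 300.0            # seconds a sender must wait before retrying
    max_age: float = 4 * 3600.0         # pending triplets not retried by then start over
    clock: Callable[[], float] = time.time
    _pending: Dict[Triplet, float] = field(default_factory=dict)  # first-seen time
    _allowed: Set[Triplet] = field(default_factory=set)           # passed a retry

    def check(self, client_ip: str, mail_from: str, rcpt_to: str) -> str:
        """Return the SMTP reply to give at RCPT TO for this attempt."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        now = self.clock()
        if key in self._allowed:
            return "250 2.1.5 OK"
        first = self._pending.get(key)
        if first is None or now - first > self.max_age:
            self._pending[key] = now
            return "450 4.7.1 Greylisted, please retry later"
        if now - first < self.min_delay:
            return "450 4.7.1 Greylisted, retried too soon"
        self._allowed.add(key)
        del self._pending[key]
        return "250 2.1.5 OK"


class FakeClock:
    """Manually advanced clock so retries can be simulated instantly."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


# Constructed delivery attempts: (seconds, client IP, MAIL FROM, RCPT TO).
SAMPLE_ATTEMPTS = [
    (0,   "192.0.2.10",  "alice@example.org", "bob@example.net"),  # real MTA
    (5,   "203.0.113.7", "spam1@example.com", "bob@example.net"),  # bot, one shot
    (10,  "203.0.113.8", "spam2@example.com", "bob@example.net"),  # bot, retries too soon
    (20,  "203.0.113.8", "spam2@example.com", "bob@example.net"),
    (30,  "203.0.113.9", "spam3@example.com", "bob@example.net"),  # bot, one shot
    (600, "192.0.2.10",  "alice@example.org", "bob@example.net"),  # MTA retry after 10 min
]


def replay(attempts, min_delay: float = 300.0):
    """Run attempts through a greylist; returns per-attempt (time, triplet, reply)."""
    clock = FakeClock()
    gl = Greylist(min_delay=min_delay, clock=clock)
    out = []
    for t, ip, sender, rcpt in sorted(attempts):
        clock.now = float(t)
        out.append((t, (ip, sender, rcpt), gl.check(ip, sender, rcpt)))
    return out


def summarize(results):
    """Count distinct triplets, how many ever retried, and how many got a 250."""
    seen, retried, delivered = set(), set(), set()
    for _, key, reply in results:
        if key in seen:
            retried.add(key)
        seen.add(key)
        if reply.startswith("250"):
            delivered.add(key)
    return {"triplets": len(seen), "retried": len(retried), "delivered": len(delivered)}


if __name__ == "__main__":
    for t, key, reply in replay(SAMPLE_ATTEMPTS):
        print(f"t={t:4d} {key[0]:<12} {reply}")
    print(summarize(replay(SAMPLE_ATTEMPTS)))  # {'triplets': 4, 'retried': 2, 'delivered': 1}
```

Keying on the triplet rather than on the client IP alone is what keeps a legitimate MTA's later messages flowing after its first retry, while the `max_age` expiry keeps the pending table from growing without bound under a flood of one-shot bots.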


Re: Fake MX

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 08 Dec 2010 15:52:37 -0800
Marc Perkel <su...@junkemailfilter.com> wrote:

> For those who want to try the Fake MX trick you can set your highest
> MX to tarbaby.junkemailfilter.com.

Sure.  I'll publish an MX record potentially sending my domain's mail
to a machine I don't control... not.

-- David.

Re: Fake MX

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-12-08 at 15:52 -0800, Marc Perkel wrote:
> For those who want to try the Fake MX trick you can set your highest MX 
> to tarbaby.junkemailfilter.com. I'm harvesting spambot data for my black 
> list. It's a free way to get rid of some spam and punish the spammers.

Marc, we've gone through this before, haven't we?

For the last time -- I do NOT want you to advertise that service like
this. Your post doesn't even explain any critical details. Let alone
mention any of the long threads discussing the downsides and advise
against it.

Next time, I will consider it unsolicited advertising.

  guenther  -- list moderator


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


RE: Fake MX

Posted by "Rosenbaum, Larry M." <ro...@ornl.gov>.
> From: Bob Proulx [mailto:bob@proulx.com]
> Subject: Re: Fake MX
> 
> > > [...] but that is distinct from being a tarpit, which is what
> > > I'm trying to clarify.
> >
> > A discussion around the definition of tarpit, and why tarbaby might be a
> > suboptimal, though catchy, name?
> 
> For the record a "tarbaby":
> 
>   http://en.wikipedia.org/wiki/Tar_baby
> 
> is something different from a "tarpit":
> 
>   http://en.wikipedia.org/wiki/Tarpit_%28networking%29
> 
> Please, let's use the correct terminology.  They really are pretty far
> from being interchangeable.

I wonder if the OP was really referring to a "honeypot"?

Re: Fake MX

Posted by Bob Proulx <bo...@proulx.com>.
> > [...] but that is distinct from being a tarpit, which is what 
> > I'm trying to clarify.
> 
> A discussion around the definition of tarpit, and why tarbaby might be a
> suboptimal, though catchy, name?

For the record a "tarbaby":

  http://en.wikipedia.org/wiki/Tar_baby

is something different from a "tarpit":

  http://en.wikipedia.org/wiki/Tarpit_%28networking%29

Please, let's use the correct terminology.  They really are pretty far
from being interchangeable.

Bob

Re: Fake MX

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2010-12-10 at 09:13 -0800, John Hardin wrote:
> On Fri, 10 Dec 2010, Marc Perkel wrote:

> [...] but that is distinct from being a tarpit, which is what 
> I'm trying to clarify.
> 
> Karsten, is this OT enough to be squelched?

A discussion around the definition of tarpit, and why tarbaby might be a
suboptimal, though catchy, name?

Guess so.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Fake MX

Posted by John Hardin <jh...@impsec.org>.
On Fri, 10 Dec 2010, Marc Perkel wrote:

> On 12/8/2010 6:26 PM, John Hardin wrote:
>>  On Wed, 8 Dec 2010, Marc Perkel wrote:
>> 
>> >  Hitting the tarbaby server by itself doesn't get you listed. I have 
>> >  ways of detecting spambots only.
>>
>>  "tarbaby" has a very different connotation: that it is a TCP or SMTP
>>  tarpit. This will make people nervous to use it.
>
> It's not just a tarpit.

"It's not _just_ a tarpit"? Is it a tarpit _at all_? Do you understand 
exactly what is meant by the term "tarpit"?

If it _is_ a tarpit, no sane admin would put it as _any_ of their MXs...

> It builds the hostkarma blacklist.

I'm aware of that, but that is distinct from being a tarpit, which is what 
I'm trying to clarify.

Karsten, is this OT enough to be squelched?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Where are my space habitats? Where is my flying car?
   It's 2010 and all I got from the SF books of my youth is
   the lousy dystopian government.                         -- perlhaqr
-----------------------------------------------------------------------
  5 days until Bill of Rights day

Re: Fake MX

Posted by Marc Perkel <su...@junkemailfilter.com>.

On 12/8/2010 6:26 PM, John Hardin wrote:
> On Wed, 8 Dec 2010, Marc Perkel wrote:
>
>> Hitting the tarbaby server by itself doesn't get you listed. I have 
>> ways of detecting spambots only.
>
> "tarbaby" has a very different connotation: that it is a TCP or SMTP 
> tarpit. This will make people nervous to use it.
>

It's not just a tarpit. It builds the hostkarma blacklist. I'm not going 
to give up its secrets but I can detect spam bots with high accuracy 
and my blacklist is highly accurate.

-- 
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400


Re: Fake MX

Posted by John Hardin <jh...@impsec.org>.
On Wed, 8 Dec 2010, Marc Perkel wrote:

> Hitting the tarbaby server by itself doesn't get you listed. I have ways 
> of detecting spambots only.

"tarbaby" has a very different connotation: that it is a TCP or SMTP 
tarpit. This will make people nervous to use it.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Perfect Security and Absolute Safety are unattainable; beware
   those who would try to sell them to you, regardless of the cost,
   for they are trying to sell you your own slavery.
-----------------------------------------------------------------------
  7 days until Bill of Rights day

Re: Fake MX

Posted by Marc Perkel <su...@junkemailfilter.com>.
Hitting the tarbaby server by itself doesn't get you listed. I have ways 
of detecting spambots only.

On 12/8/2010 4:02 PM, Michael Scheidell wrote:
> On 12/8/10 6:52 PM, Marc Perkel wrote:
>> punish the spammers. 
> and, punish any senders who follow the RFC's.
>
>
>
>

-- 
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400


Re: Fake MX

Posted by Michael Scheidell <mi...@secnap.com>.
On 12/8/10 6:52 PM, Marc Perkel wrote:
> punish the spammers. 
and, punish any senders who follow the RFC's.




-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  

Re: Fake MX

Posted by Marc Perkel <su...@junkemailfilter.com>.

On 12/8/2010 12:34 PM, Chris Owen wrote:
> On Dec 8, 2010, at 2:29 PM, Marc Perkel wrote:
>
>> Virus bots tend to hit all MX records, perhaps randomly. I get millions of hits every day on the highest numbered MX when there are at least 2 and sometimes as many as 7 lower numbered MX records.
> We too very often see spammers hit the highest MXs first.   I think the theory is that spam controls on those might be less.    A theory that is probably valid much of the time.
>
> The other thing we see that always amazes me is that if we have MXs that are all the same weight, the ones that have the lowest reverse DNS host name get hit higher.
>
> So for us we use inbound1 through inbound4 as the host names.   All four have the same MX weight.   DNS gives out the names in random order when you look up the MX records.   Yet inbound1 gets hit almost twice as much as inbound2 and inbound2 is almost twice what inbound4 is.
>
> I really have no idea how, much less why, this happens.  It is sort of frustrating though as it leads to load imbalances.
>
> Chris
>

For those who want to try the Fake MX trick you can set your highest MX 
to tarbaby.junkemailfilter.com. I'm harvesting spambot data for my black 
list. It's a free way to get rid of some spam and punish the spammers.

-- 
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400


Re: Fake MX

Posted by Jason Haar <Ja...@trimble.co.nz>.
On 12/09/2010 09:34 AM, Chris Owen wrote:
> The other thing we see that always amazes me is that if we have MXs that are all the same weight, the ones that have the lowest reverse DNS host name get hit higher.
>
We merge identical-weighted MX records into one and round-robin the
mailserver DNS name instead - that seems to fix that problem

ie

mx 0 mail1
mx 0 mail2

becomes

mx 0 mail
...and "mail" maps to the IPs of mail1 and mail2

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
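Jason's merge of equal-weight MX records into one name, worked through as an added example that is not code from the thread or from any poster's DNS: a simulation of how a sending MTA orders delivery targets (RFC 5321 section 5.1: lowest preference first, equal preferences in random order), beside the name-sorted behaviour Chris observed, applied to both zone layouts. With two separate MX names, a sender that breaks ties alphabetically always tries the first name; with one MX name resolving to several addresses, the resolver's round-robin rotation spreads even that sender's first attempt across the hosts. Zone data uses constructed documentation names and addresses.

```python
"""How a sending MTA orders MX targets, and why merging equal-preference MX
records into one multi-address name evens out the load (added example, not
code from the thread or from any poster's DNS). Zone data is constructed.
"""
import random
from collections import Counter

# The "before" layout: two MX records of equal preference, one address each.
ZONE_SEPARATE = {
    "mx": [(0, "mail1.example.com"), (0, "mail2.example.com")],
    "a": {"mail1.example.com": ["192.0.2.1"], "mail2.example.com": ["192.0.2.2"]},
}
# The "after" layout: one MX name that resolves to both addresses.
ZONE_MERGED = {
    "mx": [(0, "mail.example.com")],
    "a": {"mail.example.com": ["192.0.2.1", "192.0.2.2"]},
}


def rfc_order(zone, rng):
    """RFC 5321 5.1: lowest preference first; equal preferences in random order."""
    by_pref = {}
    for pref, name in zone["mx"]:
        by_pref.setdefault(pref, []).append(name)
    ordered = []
    for pref in sorted(by_pref):
        names = list(by_pref[pref])
        rng.shuffle(names)
        ordered.extend(names)
    return ordered


def name_order(zone, rng):
    """The biased behaviour observed in the thread: ties broken by host name."""
    return [name for _, name in sorted(zone["mx"])]


def expand(zone, names, rng):
    """Resolve each MX name to its addresses. Round-robin DNS hands the
    address list back rotated on each lookup, modelled here as a shuffle."""
    targets = []
    for name in names:
        addrs = list(zone["a"][name])
        rng.shuffle(addrs)
        targets.extend(addrs)
    return targets


def first_target_counts(zone, chooser, trials=1000, seed=1):
    """Which address receives the first connection attempt, over many deliveries."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        counts[expand(zone, chooser(zone, rng), rng)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, zone in (("separate", ZONE_SEPARATE), ("merged", ZONE_MERGED)):
        for chooser in (rfc_order, name_order):
            print(f"{label:9} {chooser.__name__:10}", first_target_counts(zone, chooser))
```

The trade-off of the merged layout is operational rather than protocol-level: taking one host out of service means editing its A record rather than its MX record, and any sender that caches the address list for a while keeps its own skew until the cache expires.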


Re: Fake MX

Posted by Martes G Wigglesworth <ma...@mgwigglesworth.net>.


On 12/08/2010 03:34 PM, Chris Owen wrote:
> The other thing we see that always amazes me is that if we have MXs that are all the same weight, the ones that have the lowest reverse DNS host name get hit higher.
> I really have no idea how, much less why, this happens.  It is sort of frustrating though as it leads to load imbalances.
Could this functionality of the spam bot be due to the algorithm using a 
dictionary type of data set manipulation where they gather the data, and 
then alphabetize the names and start hitting them first?

That is the first thing that comes to mind when I see the two responses 
above. (Just coming from a programmatic approach to the assumptions of 
the functionality of such mechanisms.)

-- 
Respectfully,


Martes G Wigglesworth
M. G. Wigglesworth Holdings, LLC
www.mgwigglesworth.net


Re: Fake MX

Posted by Chris Owen <ow...@hubris.net>.
On Dec 8, 2010, at 2:29 PM, Marc Perkel wrote:

> Virus bots tend to hit all MX records, perhaps randomly. I get millions of hits every day on the highest numbered MX when there are at least 2 and sometimes as many as 7 lower numbered MX records.

We too very often see spammers hit the highest MXs first.   I think the theory is that spam controls on those might be less.    A theory that is probably valid much of the time.

The other thing we see that always amazes me is that if we have MXs that are all the same weight, the ones that have the lowest reverse DNS host name get hit higher.

So for us we use inbound1 through inbound4 as the host names.   All four have the same MX weight.   DNS gives out the names in random order when you look up the MX records.   Yet inbound1 gets hit almost twice as much as inbound2 and inbound2 is almost twice what inbound4 is.

I really have no idea how, much less why, this happens.  It is sort of frustrating though as it leads to load imbalances.

Chris

--
-------------------------------------------------------------------------
Chris Owen         - Garden City (620) 275-1900 -  Lottery (noun):
President          - Wichita     (316) 858-3000 -    A stupidity tax
Hubris Communications Inc      www.hubris.net
-------------------------------------------------------------------------



Re: Fake MX

Posted by Marc Perkel <su...@junkemailfilter.com>.

On 12/8/2010 11:46 AM, John Hardin wrote:
> On Wed, 8 Dec 2010, Toni Mueller wrote:
>
>> I tried the high MX for some time, but in my experience, spammers
>> usually only hit the first two MXes.
>
> I wonder what Marc Perkel's experience in this regard is...
>

Virus bots tend to hit all MX records, perhaps randomly. I get millions 
of hits every day on the highest numbered MX when there are at least 2 
and sometimes as many as 7 lower numbered MX records.

-- 
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400


Re: Fake MX

Posted by Michael Scheidell <mi...@secnap.com>.
On 12/8/10 2:46 PM, John Hardin wrote:
> On Wed, 8 Dec 2010, Toni Mueller wrote:
>
>> I tried the high MX for some time, but in my experience, spammers
>> usually only hit the first two MXes.
>
> I wonder what Marc Perkel's experience in this regard is...
>
You just had to stir up the ants.


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  

Re: Fake MX

Posted by John Hardin <jh...@impsec.org>.
On Wed, 8 Dec 2010, Toni Mueller wrote:

> I tried the high MX for some time, but in my experience, spammers
> usually only hit the first two MXes.

I wonder what Marc Perkel's experience in this regard is...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Perfect Security and Absolute Safety are unattainable; beware
   those who would try to sell them to you, regardless of the cost,
   for they are trying to sell you your own slavery.
-----------------------------------------------------------------------
  7 days until Bill of Rights day

Re: Fake MX

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hello Toni Mueller,

On 2010-12-08 19:06:43, you hacked down the following:
> I tried the high MX for some time, but in my experience, spammers
> usually only hit the first two MXes.

I do not have this experience.

> So if you were using the high and
> low MX, you should imho have no reasonable benefit, because the
> second-lowest MX would be real, thus buying you no relief, and the
> third (or higher) MX will only get little traffic, thus also not
> contributing much to your relief.

I use, besides the normal mail server, two MX, where the last one was not
existent.  Then I became curious what was coming into the last MX and have
set up a mail server only to catch it...

Got 1/2 million spams per day without a single false positive.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL       itsystems@tdnet UG (limited liability)
Owner Michelle Konzack            Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz                 Kinzigstraße 17
67100 Strasbourg/France           77694 Kehl/Germany
Tel: +33-6-61925193 mobil         Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

<http://www.itsystems.tamay-dogan.net/>  <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/>         <http://www.can4linux.org/>

Jabber linux4michelle@jabber.ccc.de
ICQ    #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/

Re: Fake MX

Posted by Toni Mueller <su...@oeko.net>.

On Wed, 08.12.2010 at 11:33:11 -0600, Matt <lm...@gmail.com> wrote:
> Anyone using the Fake MX trick?
> http://www.webhostingtalk.com/wiki/Fake_MX
> Is it safe to use a fake high and low mx?

I tried the high MX for some time, but in my experience, spammers
usually only hit the first two MXes. So if you were using the high and
low MX, you should imho have no reasonable benefit, because the
second-lowest MX would be real, thus buying you no relief, and the
third (or higher) MX will only get little traffic, thus also not
contributing much to your relief.


Just my 0.02 cents.


Kind regards,
--Toni++