Posted to users@spamassassin.apache.org by Kevin Peuhkurinen <ke...@meridiancu.ca> on 2005/05/02 13:48:40 UTC

Observation on secondary MX

About a month ago, there was a discussion on the list about how spammers 
specifically target secondary MX records. After reading I verified 
that indeed 99% of the mail that flowed through my store-and-forward 
secondary mail server was spam. So, I removed the second MX record 
from my DNS zone, but did not actually decommission the server itself.

The interesting thing is that now, about a month later, I'm still seeing 
spam going to that server! I wonder if the spammers have cached the 
old MX entry or if they have some database of mail server addresses and 
what domains they will accept email for.


Re: Observation on secondary MX

Posted by Rick Macdougall <ri...@nougen.com>.

Jeff Chan wrote:
> On Monday, May 2, 2005, 4:54:10 AM, Niek Niek wrote:
> 
>>On 5/2/2005 1:48 PM +0200, Kevin Peuhkurinen wrote:
>>
>>>spam going to that server!   I wonder if the spammers have cached the 
>>>old MX entry
> 
> 
>>Jup.
> 
> 
>>Niek
> 
> 
> And spam through our real backup MX did die down when I added a
> fake second backup MX (third MX record), but after a while spam
> levels to the real backup MX seemed to come back up.
> 
> Gonna try postgrey methinks:
> 
>   http://isg.ee.ethz.ch/tools/postgrey/
> 
> Jeff C.

Hi Jeff,

I implemented greylisting on our Qmail servers (I believe the code was 
based on postgrey) and my spam dropped from 100-200 a day to 5 or 6 a week.

Please note that you are going to have to whitelist certain servers that 
bounce email back to the recipient on a 421 (try again later) soft error, 
and you may want to whitelist certain IP ranges like Yahoo Groups etc.

Apparently, some banks and other large operations are still using older 
NT Exchange and Novell email servers that erroneously bounce messages 
instead of trying again on a 421 soft error.

If you'd like my whitelist, just ask. I'm also working on a per-user 
greylist OFF feature (actually it's done, I just have to code the web 
page for the users to enable it), as I've had a lot of requests to turn 
off greylisting for certain users (reporters, doctors etc.). What we've 
done to this point is un-greylist the entire domain, but that's not 
always acceptable to the client.

Regards,

Rick
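The greylisting policy Rick describes above (defer a never-before-seen client/sender/recipient triplet with a temporary error, accept it once the sender retries after a delay, skip the check entirely for whitelisted IP ranges and for users who have opted out) is small enough to show end to end. The block below is an added example written for this page; it is not postgrey's code nor Rick's qmail patch. The 300-second delay, the 35-day expiry, keying IPv4 clients on their /24, and the "450 4.2.0 Greylisted" reply text are assumptions chosen for the example, as are the addresses in the usage run. In a real MTA the `decide()` result would be mapped to the policy daemon's reply (DEFER to a 4xx temporary failure, ACCEPT to "continue with the next check"), and the `seen` table would live in a persistent store rather than a dict.

```python
"""Minimal greylisting policy: triplet tracking, CIDR whitelist, per-user opt-out.

Added example for the thread above, not postgrey's implementation.
Constants and sample addresses are assumptions chosen for illustration.
"""
import ipaddress
import time
from dataclasses import dataclass, field

DEFAULT_DELAY = 300            # seconds a new triplet is deferred (assumed value)
TRIPLET_MAX_AGE = 35 * 86400   # forget triplets with no activity for ~35 days (assumed)

DEFER = "defer"                # MTA maps this to a 4xx temporary failure
ACCEPT = "accept"              # MTA continues to the next check (e.g. SpamAssassin)


def triplet_key(client_ip: str, sender: str, recipient: str) -> tuple:
    """Build the greylist key.

    IPv4 clients are keyed on their /24 so a retry from a neighbouring host in
    the same sending farm still matches the first attempt; IPv6 clients are
    keyed on the full address.  Both are design choices for this example.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        net = str(ipaddress.ip_network(f"{client_ip}/24", strict=False))
    else:
        net = str(ip)
    return (net, sender.lower(), recipient.lower())


@dataclass
class Greylist:
    delay: int = DEFAULT_DELAY
    max_age: int = TRIPLET_MAX_AGE
    whitelist: list = field(default_factory=list)   # ip_network objects never greylisted
    opt_out: set = field(default_factory=set)       # recipients with greylisting turned off
    seen: dict = field(default_factory=dict)        # triplet -> [first_seen, last_seen]

    def whitelist_cidr(self, cidr: str) -> None:
        """Exempt a client range, e.g. a sender known to bounce on a 4xx instead of retrying."""
        self.whitelist.append(ipaddress.ip_network(cidr, strict=False))

    def disable_for(self, recipient: str) -> None:
        """Per-user greylist OFF: mail to this recipient is never deferred."""
        self.opt_out.add(recipient.lower())

    def _expire(self, now: float) -> None:
        """Drop triplets that have not been retried within max_age."""
        stale = [k for k, (_, last) in self.seen.items() if now - last > self.max_age]
        for k in stale:
            del self.seen[k]

    def decide(self, client_ip: str, sender: str, recipient: str, now=None) -> tuple:
        """Return (ACCEPT|DEFER, reason) for one delivery attempt.

        `now` is injectable so the delay logic can be exercised without sleeping.
        """
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.whitelist):
            return ACCEPT, "client whitelisted"
        if recipient.lower() in self.opt_out:
            return ACCEPT, "greylisting disabled for recipient"

        self._expire(now)
        key = triplet_key(client_ip, sender, recipient)
        entry = self.seen.get(key)
        if entry is None:
            # First contact: record it and ask the sender to come back later.
            self.seen[key] = [now, now]
            return DEFER, "450 4.2.0 Greylisted, try again later"

        entry[1] = now
        waited = now - entry[0]
        if waited < self.delay:
            return DEFER, f"450 4.2.0 Greylisted, retry in {int(self.delay - waited)}s"
        return ACCEPT, f"triplet first seen {int(waited)}s ago"


if __name__ == "__main__":
    # Constructed delivery attempts using documentation address ranges.
    g = Greylist(delay=300)
    g.whitelist_cidr("203.0.113.0/24")        # assumed: a sender that bounces on 4xx
    g.disable_for("doctor@example.org")       # assumed: a user who asked for greylist OFF
    attempts = [
        ("198.51.100.7", "news@list.test", "user@example.org", 1000),
        ("198.51.100.9", "news@list.test", "user@example.org", 1060),   # retry, same /24
        ("198.51.100.9", "news@list.test", "user@example.org", 1400),   # retry after delay
        ("198.51.100.7", "spam@bulk.test", "user@example.org", 1400),   # new sender
        ("203.0.113.5", "alerts@bank.test", "user@example.org", 1000),  # whitelisted range
        ("198.51.100.7", "lab@clinic.test", "doctor@example.org", 1000),  # opted-out user
    ]
    for ip, sender, rcpt, t in attempts:
        verdict, reason = g.decide(ip, sender, rcpt, now=t)
        print(f"t={t:<5} {ip:<14} {sender:<18} -> {rcpt:<20} {verdict:<6} ({reason})")
```

Two things in the run are worth noticing: the second attempt from a different host in the same /24 is still deferred because only 60 of the 300 seconds have elapsed, and the whitelisted and opted-out cases are accepted on first contact without ever touching the triplet table, which is exactly the escape hatch Rick needs for senders that bounce on a soft error.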

Re: Observation on secondary MX

Posted by Jeff Chan <je...@surbl.org>.
On Monday, May 2, 2005, 4:54:10 AM, Niek Niek wrote:
> On 5/2/2005 1:48 PM +0200, Kevin Peuhkurinen wrote:
>> spam going to that server!   I wonder if the spammers have cached the 
>> old MX entry

> Jup.

> Niek

And spam through our real backup MX did die down when I added a
fake second backup MX (third MX record), but after a while spam
levels to the real backup MX seemed to come back up.

Gonna try postgrey methinks:

  http://isg.ee.ethz.ch/tools/postgrey/

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Observation on secondary MX

Posted by Niek <ni...@asbak.coding-slaves.com>.
On 5/2/2005 1:48 PM +0200, Kevin Peuhkurinen wrote:
> spam going to that server!   I wonder if the spammers have cached the 
> old MX entry

Jup.

Niek

Re: Observation on secondary MX

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Monday, May 02, 2005 7:48 AM -0400 Kevin Peuhkurinen 
<ke...@meridiancu.ca> wrote:

> The interesting thing is that now, about a month later, I'm still seeing
> spam going to that server!   I wonder if the spammers have cached the old
> MX entry or if they have some database of mail server addresses and what
> domains they will accept email for.

I wonder if that can be exploited by using revolving names for one's mail 
servers? Of course, some ISPs (AOL) ignore TTLs on DNS records, so that 
might cause a different set of problems. OTOH, if they could be persuaded 
to use revolving DNS MX records, they'd have to fix their own servers.