Posted to users@spamassassin.apache.org by Kevin Peuhkurinen <ke...@meridiancu.ca> on 2005/05/02 13:48:40 UTC
Observation on secondary MX
About a month ago, there was a discussion on the list about how spammers
specifically target secondary MX records. After reading I verified
that indeed 99% of the mail that flowed through my store-and-forward
secondary mail server was spam. So, I removed the second MX record
from my DNS zone, but did not actually decommission the server itself.
The interesting thing is that now, about a month later, I'm still seeing
spam going to that server! I wonder if the spammers have cached the
old MX entry or if they have some database of mail server addresses and
what domains they will accept email for.
Re: Observation on secondary MX
Posted by Rick Macdougall <ri...@nougen.com>.
Jeff Chan wrote:
> On Monday, May 2, 2005, 4:54:10 AM, Niek Niek wrote:
>
>>On 5/2/2005 1:48 PM +0200, Kevin Peuhkurinen wrote:
>>
>>>spam going to that server! I wonder if the spammers have cached the
>>>old MX entry
>
>>Jup.
>
>>Niek
>
> And spam through our real backup MX did die down when I added a
> fake second backup MX (third MX record), but after a while spam
> levels to the real backup MX seemed to come back up.
>
> Gonna try postgrey methinks:
>
> http://isg.ee.ethz.ch/tools/postgrey/
>
> Jeff C.
Hi Jeff,
I implemented greylisting on our Qmail servers (I believe the code was
based on postgrey) and my spam dropped from 100-200 a day to 5 or 6 a week.
Please note that you are going to have to whitelist certain servers that
bounce email back to the recipient on a 421 - try again later soft error
and you may want to white list certain IP ranges like yahoo groups etc.
Apparently, some banks and other large operations are still using older
NT exchange and Novell email servers that erroneously bounce messages
instead of trying again on a 421 soft error.
If you'd like my white list, just ask. I'm also working on a per user
greylist OFF feature (actually it's done, I just have to code the web
page for the users to enable it), as I've had a lot of requests to turn
off greylisting for certain users (reporters, doctors etc; what we've
done to this point is un-greylist the entire domain, but that's not
always acceptable to the client).
Regards,
Rick
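The greylisting scheme Rick describes above (temporary 4xx reject on first sight, whitelisted IP ranges for mailers that bounce instead of retrying, and a per-user opt-out), as an added Python example that is not his Qmail code or postgrey's; the 300-second delay, the 450 reply text and all addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

GREYLIST_DELAY = 300  # seconds a new triplet must wait before a retry is accepted (constructed)
TEMP_REJECT = "450 4.7.1 Greylisted, please try again later"  # constructed reply text
ACCEPT = "250 OK"


@dataclass
class Greylist:
    """Triplet greylist: (client IP, envelope sender, recipient) must be seen twice, DELAY apart."""
    whitelist_cidrs: list = field(default_factory=list)  # clients that are never greylisted
    opt_out: set = field(default_factory=set)            # recipients with greylisting turned off
    first_seen: dict = field(default_factory=dict)       # triplet -> time of first attempt

    def __post_init__(self):
        self._nets = [ip_network(c) for c in self.whitelist_cidrs]

    def decide(self, client_ip, sender, rcpt, now):
        # Whitelisted ranges: mailers known to bounce on a 4xx instead of retrying.
        if any(ip_address(client_ip) in net for net in self._nets):
            return ACCEPT
        # Per-user opt-out: greylisting disabled for this recipient only, not the whole domain.
        if rcpt.lower() in self.opt_out:
            return ACCEPT
        key = (client_ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        # First attempt, or a retry that came back too soon: temporary reject.
        if now - first < GREYLIST_DELAY:
            return TEMP_REJECT
        return ACCEPT


def run_demo():
    """Replay constructed SMTP attempts in time order; returns the reply given to each."""
    gl = Greylist(whitelist_cidrs=["203.0.113.0/24"], opt_out={"doctor@example.org"})
    attempts = [  # (seconds, client IP, envelope sender, recipient); all values constructed
        (0,   "198.51.100.7", "news@lists.example.net", "kevin@example.org"),   # legit, first try
        (0,   "192.0.2.55",   "x9@spam.example",        "kevin@example.org"),   # spam, never retries
        (0,   "203.0.113.10", "alerts@bank.example",    "kevin@example.org"),   # whitelisted range
        (0,   "192.0.2.99",   "ref@clinic.example",     "doctor@example.org"),  # opted-out user
        (60,  "198.51.100.7", "news@lists.example.net", "kevin@example.org"),   # retried too soon
        (900, "198.51.100.7", "news@lists.example.net", "kevin@example.org"),   # proper retry
    ]
    return [gl.decide(ip, frm, to, t) for t, ip, frm, to in attempts]


if __name__ == "__main__":
    for reply in run_demo():
        print(reply)
```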
Re: Observation on secondary MX
Posted by Jeff Chan <je...@surbl.org>.
On Monday, May 2, 2005, 4:54:10 AM, Niek Niek wrote:
> On 5/2/2005 1:48 PM +0200, Kevin Peuhkurinen wrote:
>> spam going to that server! I wonder if the spammers have cached the
>> old MX entry
> Jup.
> Niek
And spam through our real backup MX did die down when I added a
fake second backup MX (third MX record), but after a while spam
levels to the real backup MX seemed to come back up.
Gonna try postgrey methinks:
http://isg.ee.ethz.ch/tools/postgrey/
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Re: Observation on secondary MX
Posted by Niek <ni...@asbak.coding-slaves.com>.
On 5/2/2005 1:48 PM +0200, Kevin Peuhkurinen wrote:
> spam going to that server! I wonder if the spammers have cached the
> old MX entry
Jup.
Niek
Re: Observation on secondary MX
Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Monday, May 02, 2005 7:48 AM -0400 Kevin Peuhkurinen
<ke...@meridiancu.ca> wrote:
> The interesting thing is that now, about a month later, I'm still seeing
> spam going to that server! I wonder if the spammers have cached the old
> MX entry or if they have some database of mail server addresses and what
> domains they will accept email for.
I wonder if that can be exploited by using revolving names for one's mail
servers? Of course, some ISPs (AOL) ignore TTLs on DNS records, so that
might cause a different set of problems. OTOH, if they could be persuaded
to use revolving DNS MX records, they'd have to fix their own servers.