From: (no name) (no email)
Date: Thu Nov 01 2007 - 12:02:31 EDT
On Thu, 1 Nov 2007, Jorey Bump wrote:
>> > Don't let opinion or fringe cases guide you here. Too often, I have to
>> > defend Nolisting against a straw man argument that "this is useless
>> > because spammers will just bypass the primary MX and go to the secondary
>> > instead." Well, *some* do, and I'll deal with them in a later step.
>> > Meanwhile, I've foiled the majority, and I've conserved some of my
>> > resources so they can be used elsewhere.
>>
>> Sure - and I've gone one better and hidden my real MX somewhere between
>> the rejecting ones at the top (which leads to immediate retries to the
>> next MX down, which may or may not do the same thing), and the tarpitting
>> ones at the bottom. And even if a valid MTA gets to the bottom ones
>> through a minor network outage, it'll still eventually time out and roll
>> over to retry from the top after a little while.
>
> I've already ruled this out as a dangerous technique that can result in lost
> mail. It's extremely important that your second MX host is responsive.
That's debatable. Has anyone ever reported existence of a working MTA in
the wild (zombies and spammers don't count) that doesn't try more than
just the top 2 MX-es? My main motivation for putting the 2nd one as the
responding one was that it leaves more IP space for tarpitting after it
and/or reduces the number of IP addresses required for decoying.
>> > Why bother fighting spam that wouldn't exist otherwise? Don't create
>> > unnecessary targets. It's not like there is a finite amount of spam
>> > aimed at a domain that gets thinned out over multiple hosts. Malware is
>> > perfectly capable of generating *more* spam for each MX record. I
>> > haven't seen conclusive evidence to the contrary.
>>
>> The fact that the top 1 and bottom 3 MX records see a disproportionately
>> high packet hit rate compared to the valid and accepting real MX is
>> evidence.
>
> But that's not your goal. An increase in volume can create the same results
> without lowering the amount of spam aimed at your functioning MX. While
> conducting your tests, keep in mind that you want your *functioning MX* to
> have a high percentage of ham (with zero false positives), and the lowest
> percentage of spam attainable. You need to prove that your decoys are indeed
> drawing spam away from your functioning MX, and that's difficult to prove
> without an adequate control.
I was hoping to put together some statistics based on that. With 3
MX-es (1st rejecting, 2nd accepting, 3rd tarpitting) I saw a drop in spam
of about 70%. When I added another 2 tarpits at the end, the spam reduced
down to about 1-5% compared to where it was originally. RBLs then got it
down to about 0.1% of where it was originally. But I am positively certain
that there was a difference between 3 and 5 MX-es, even when the bottom 3
out of 5 were just tarpits.
Gordan
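As an added illustration of the MX-walk argument above (this is not code from the thread; the host names, the 30-second timeout and the "top-n only" sender model are constructed assumptions), a small Python model of how an RFC 5321-style MTA traverses Gordan's five-record layout, and what happens to a compliant sender when the responding MX is down:

```python
"""Model a compliant MTA walking a decoy/accept/tarpit MX layout.

Added example, not from the mailing-list thread. Hosts and timings are
constructed; behaviours are the three the thread describes.
"""
from dataclasses import dataclass

REJECT = "reject"  # Nolisting decoy: connection refused, sender moves on at once
ACCEPT = "accept"  # the real, responsive mail exchanger
TARPIT = "tarpit"  # TCP connect succeeds but no banner ever arrives


@dataclass(frozen=True)
class MX:
    preference: int
    host: str
    behaviour: str


# Gordan's layout: decoy on top, real MX second, three tarpits below it.
GORDAN_LAYOUT = [
    MX(10, "mx1.example.test", REJECT),
    MX(20, "mx2.example.test", ACCEPT),
    MX(30, "mx3.example.test", TARPIT),
    MX(40, "mx4.example.test", TARPIT),
    MX(50, "mx5.example.test", TARPIT),
]


def compliant_delivery(records, connect_timeout=30):
    """Try every MX in preference order, as a compliant MTA does.

    Returns (host_that_accepted, seconds_spent). A refused connection costs
    nothing; a tarpit costs one full timeout. If nothing accepts, the result
    is (None, total) and a real MTA would queue the message and retry later,
    so mail is delayed rather than lost.
    """
    spent = 0
    for mx in sorted(records, key=lambda r: r.preference):
        if mx.behaviour == REJECT:
            continue
        if mx.behaviour == TARPIT:
            spent += connect_timeout
            continue
        return mx.host, spent
    return None, spent


def top_n_only_delivery(records, n):
    """Sender that only ever tries the n best-preference records (the
    hypothetical MTA Gordan asks about). Returns the accepting host or None."""
    best = sorted(records, key=lambda r: r.preference)[:n]
    return compliant_delivery(best)[0]


def with_outage(records, host):
    """Return a copy of the layout in which `host` refuses connections."""
    return [MX(r.preference, r.host, REJECT) if r.host == host else r
            for r in records]
```

With the real MX up, a compliant sender delivers to mx2 without touching any tarpit; with mx2 down it burns three timeouts and then queues for retry.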