DNS mod that stopped 98% of spam
whitesites
Forum Regular

Joined: 05 Jul 2004
Posts: 310
Location: Houston, TX
Just wanted to share this with everyone. I found an article that discussed adding fake MX records into your DNS as a way to stop spam. It took my client from 150 spam / day down to 4 spam / day. I highly recommend everyone give this a try. I posted the how to on my blog.

http://blog.whitesites.com/Stop-Spam-with-this-DNS-MX-record-trick__633764658986714568_blog.htm
nathacof
Forum Admin

Joined: 24 Oct 2006
Posts: 192
Location: Dover, DE
Please bear in mind this could cause significant delays for your client's emails depending on the retry time for the sender's mail server. You should probably decrease the number of MX records.

For simplicity's sake let's say the remote server's retry policy is set to add 1 hour for each retry. We have a pretty simple equation:

d = (n)1h

d = delay
n = retries
h = hours:

With 7 fake MX records:
+( 0 * 1h)
+( 1 * 1h )
+( 2 * 1h )
+( 3 * 1h )
+( 4 * 1h )
+( 5 * 1h )
+( 6 * 1h )
-------------
Delay total: 21h

That's quite significant for time sensitive documents...
whitesites
Forum Regular

Joined: 05 Jul 2004
Posts: 310
Location: Houston, TX
Actually it doesn't affect it that much at all

Here is a snippet from the following link
http://wiki.apache.org/spamassassin/OtherTricks

Fake Lowest MX

The reason for the fake lowest MX record is that that is where most email is delivered. Real servers will get the error and retry the middle MX and deliver the email with only a few seconds delay. Zombie spam will just move on to the next victim. No good email is lost but a huge amount of spam never makes it into the system at all. This not only reduces spam but also reduces system load as SA doesn't have to process any of this.

Fake Highest MX

Email is supposed to be sent to the lowest numbered MX record first with the higher MX records being backup servers. Spammers often will try the highest MX record first thinking that the backup servers have less spam filtering than the main email server. They try the highest MX record and then never come back. So I set my highest MX record to point to an IP address that always returns a temporary "Come Back Later" error.

A real email will retry and get through. But the spammer will just go away. This trick saves having to process several million messages a day on my servers at JunkEmailFilter.com.

Optionally you can add a lot of fake MX records on the top side. Additional fake MX records on the lowest numbers end will cause some additional delay, but on the high end there's no penalty. The reason for additional higher MX records is if spammers start trying random MX records then this gives them more dead MX records to try.

fake0.example.com 10
realmx.example.com 20
fake1.example.com 30
fake2.example.com 40
fake3.example.com 50
fake4.example.com 60
fake5.example.com 70

I (Marc Perkel/Junk Email Filter) have now been using this technique for almost 2 years without any problems. I am now harvesting the data and developing black lists based on hosts that connect ONLY to the highest numbered MX records and do not close the connection with the QUIT command after receiving a 4xx error. The blacklist has grown to over a million entries. The block list is public using our hostkarma list. Go to http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists for SA rules to use this list.
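
Added example, not part of the original posts or the quoted wiki text: a small Python model of the sender behaviour the snippet describes, run against the snippet's MX list. The function names and the `hosts_per_run` cap (how many MX hosts a sender tries before requeueing) are assumptions made for illustration, not measured behaviour of any particular mail server.

```python
# Added illustration; sender behaviour is modelled, not measured.
from dataclasses import dataclass

# MX set from the quoted snippet: (preference, host). Only realmx accepts mail.
MX_RECORDS = [
    (10, "fake0.example.com"), (20, "realmx.example.com"),
    (30, "fake1.example.com"), (40, "fake2.example.com"),
    (50, "fake3.example.com"), (60, "fake4.example.com"),
    (70, "fake5.example.com"),
]
REAL_HOSTS = {"realmx.example.com"}

@dataclass
class Result:
    delivered: bool
    hosts_tried: list
    queue_runs: int  # 1 = delivered on the first pass, no retry-interval wait

def compliant_sender(mx, real, hosts_per_run=None, max_runs=5):
    """Walk MX hosts lowest preference first, falling through on failure.

    hosts_per_run caps how many hosts are tried before the message is
    requeued (assumed sender policy); None means try every host.
    """
    ordered = [host for _, host in sorted(mx)]
    tried = []
    for run in range(1, max_runs + 1):
        for host in ordered[:hosts_per_run]:
            tried.append(host)
            if host in real:
                return Result(True, tried, run)
    return Result(False, tried, max_runs)

def single_shot_sender(mx, real, pick):
    """Client that contacts one MX and never retries (the 'zombie' case)."""
    host = pick(sorted(mx))[1]
    return Result(host in real, [host], 1)

if __name__ == "__main__":
    print(compliant_sender(MX_RECORDS, REAL_HOSTS))                # falls through to realmx
    print(single_shot_sender(MX_RECORDS, REAL_HOSTS, lambda s: s[-1]))  # highest MX only
    # Constructed variant: a second fake low MX plus a sender capped at 2 hosts per run.
    extra_low = [(5, "fakeA.example.com")] + MX_RECORDS
    print(compliant_sender(extra_low, REAL_HOSTS, hosts_per_run=2))
```

With one fake low MX the modelled sender delivers on its first pass after a single failed attempt; in the constructed variant with two fake low records and a two-host cap, it never reaches the real MX within the modelled runs, which is the reason to keep the extra fake records on the high end only.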
nathacof
Forum Admin

Joined: 24 Oct 2006
Posts: 192
Location: Dover, DE
Doh, brain fart there ... sometimes I get my priorities mixed up ...

Don't act like you've never done it! Wink
whitesites
Forum Regular

Joined: 05 Jul 2004
Posts: 310
Location: Houston, TX
Yeah, I got them mixed up too, had to go back and correct my blog. Works like a champ. Highly recommend this. **** if HMS did this to all their clients' domains by default they would see a huge reduction in spam, and it would free up the mail server's resources.