On Wed, 2007-08-29 at 10:23 -0700, Marc Perkel wrote:
> As some of you know I get rid of a lot of spam using fake high numbered
> MX records. I'm now doing some interesting experiments. Even though my
> TTL is only 2 hours I notice that if I change my fake high MX to
> different fake high MX that the spam zombies still send email to the old
> fake MX records for many days, sometimes weeks.

In the olden days, when AOL used to be a Really Big Player (!), there were
many uncorroborated and persistent rumours that they (and several other
large ISPs) used to deliberately ignore DNS zone and resource TTLs, and
forced them to be much longer than the zone administrators intended. I say
"uncorroborated" because even in the mists of NANOG, few people can
actually provide hard details that this was the case from the inside of
those organisations - most of the evidence is from external observation.

> My theory is that spam zombies do DNS caching so as to maximize spam
> output by eliminating dns lookups. Thus zombies retain old information
> far longer than they are supposed to.

A technique used in the days of the old "millions CD" methods of
propagating spam lists was to keep a corresponding MX history file whereby
a domain's entire MX history, DNS names and IP addresses, was kept and
tried repeatedly. This caused odd events where a mail server would buckle
under the load of spam it didn't even handle. Again, this is now in the
mists of history...

> So I'm experimenting with a blacklisting trick where I change my fake
> high MX records, wait several hours, and then anything that hits the old
> fake MX records are spam zombies.
>
> Thoughts?

I'm reminded of the joke about the engineer, the physicist and the
mathematician on a train journey through a strange land. The engineer
spots a black sheep:

E: All sheep in this country are black.
P: One sheep in this country is black.
M: One side of one sheep in that field in this country is black.

You simply cannot assume that any attempts to connect using your old MX
address are spam zombies. Many may be, but some will not. Some may be
legitimate messages affected by the observed behaviour of some caching
nameservers. Can you afford to drop them?

Also, have you read about fast flux? Take care not to make your domain
look like a fast fluxer (in DNS terms) as you may fall foul of other
antispam operators too.

You wouldn't want that again, would you?

Graeme

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
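To make the caveat in the reply above concrete, here is an added example (not from this thread, and not Exim code) that scores connections to a retired fake MX against the record's TTL and, rather than blocking, separates hosts that also delivered to the real MX (legitimate senders with a stale resolver) from hosts that only ever hit the old record. The hostnames, IPs, timestamps and log format are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the thread): connections seen on the
# retired fake MX host, and deliveries accepted by the real MX afterwards.
RETIRED_MX_LOG = """\
2007-08-29T12:05:10 retired-mx connect from 192.0.2.10
2007-08-29T14:40:00 retired-mx connect from 198.51.100.7
2007-08-30T03:12:44 retired-mx connect from 203.0.113.55
2007-09-02T09:00:01 retired-mx connect from 198.51.100.7
"""
REAL_MX_LOG = """\
2007-08-30T03:15:02 real-mx accepted from 203.0.113.55
"""
LINE_RE = re.compile(r"^(\S+) (retired-mx connect|real-mx accepted) from (\S+)$")

MX_CHANGED_AT = datetime(2007, 8, 29, 10, 0, 0)  # assumed moment the fake MX was swapped
TTL = timedelta(hours=2)                          # the 2-hour TTL from the thread


def parse(log):
    """Yield (timestamp, event, source_ip) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def classify(retired_log, real_log, changed_at, ttl, grace=timedelta(hours=4)):
    """Return {source_ip: verdict}.

    A host still connecting to the retired MX well after TTL expiry (plus a
    grace period for slow caches) is a stale-cache candidate. If the same host
    also delivered to the real MX it is a legitimate sender with a sloppy
    resolver, so it must not be treated as a zombie. Nothing here blocks:
    the output is a review list, which is the point of the caveat.
    """
    cutoff = changed_at + ttl + grace
    delivered_ok = {ip for _, _, ip in parse(real_log)}
    verdicts = {}
    for ts, _, ip in parse(retired_log):
        if ts <= cutoff:
            verdicts.setdefault(ip, "within-ttl")   # cache may legitimately be live
        elif ip in delivered_ok:
            verdicts[ip] = "legit-stale-cache"      # also reached the real MX
        else:
            verdicts[ip] = "zombie-candidate"       # review manually, do not auto-block
    return verdicts
```
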
