Re: Q. about spam directed towards highest MX Record?
John D. Hardin wrote:
> On Wed, 18 Oct 2006, Jo Rhett wrote:
>> In our experience the mail which goes to 50 without trying 10 is always
>> spam.
>
> Any feel for whether or not you're experiencing the same Exchange-related
> brokenness as an earlier poster mentioned?

No. I've seen a lot of Exchange problems, but not that one.

> I suspect someone was overriding the MX records (which you can do on a
> per-domain basis in Exchange).

I believe that's a myth, but I'm willing to be proved wrong (with evidence).

-- 
Jo Rhett
Network/Software Engineer
Net Consonance
RE: Q. about spam directed towards highest MX Record?
> -Original Message-
> From: David B Funk [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 19, 2006 1:10 AM
> To: Michael Scheidell
> Cc: users@spamassassin.apache.org
> Subject: RE: Q. about spam directed towards highest MX Record?
>
> On Wed, 18 Oct 2006, Michael Scheidell wrote:
>> Or, even better, point it at an unused IP on your network. (don't point
>> it at 127.0.0.1, that will get you blacklisted in the rfc-ignorant
>> invalid MX list)
>
> They call and say your mail server has been down for days, never accept
> any of their mail. You check your server logs and say that their server
> never even tried to connect to any of your servers. ;(
>
> Been there, got the Pissed-off-LLuser medal to prove that it can happen.

Firewall logs. If that unused IP address isn't allowing port 25 in, the
default rule on your firewall should have connection attempts to port 25.

(I found BlackBerry for some reason tries to connect to the last MX. I
discussed it with a tech once; they do it on purpose since they said their
emails get through more often in the secondary. :-)
Re: Q. about spam directed towards highest MX Record?
Just to clarify here. You are talking about doing something like:

domain.com 1200 IN MX 10 smtp-1.domain.com
domain.com 1200 IN MX 50 smtp-2.domain.com

You all are saying that most of the spam should be coming in MX 50, right?

I have to admit I've tried this, but it seems like mail continues to come
into the MX 50 even when the primary servers are available. Is it not
correct that the 50 should NOT be tried until the 10 is unavailable? Or do
I have that backwards?
Re: Q. about spam directed towards highest MX Record?
| Just to clarify here. You are talking about doing something like:
|
| domain.com 1200 IN MX 10 smtp-1.domain.com
| domain.com 1200 IN MX 50 smtp-2.domain.com
|
| You all are saying that most of the spam should be coming in MX 50, right?
|
| I have to admit I've tried this, but it seems like mail continues to
| come into the MX 50 even when the primary servers are available. Is
| it not correct that the 50 should NOT be tried until the 10 is
| unavailable? Or do I have that backwards?

You have it right. Unfortunately, mail still hits the lowest priority
server based on my experience even when the Primary is up and running.
Re: Q. about spam directed towards highest MX Record?
wrote:
| Just to clarify here. You are talking about doing something like:
|
| domain.com 1200 IN MX 10 smtp-1.domain.com
| domain.com 1200 IN MX 50 smtp-2.domain.com
|
| You all are saying that most of the spam should be coming in MX 50, right?
|
| I have to admit I've tried this, but it seems like mail continues to
| come into the MX 50 even when the primary servers are available. Is
| it not correct that the 50 should NOT be tried until the 10 is
| unavailable? Or do I have that backwards?
|
| You have it right. Unfortunately, mail still hits the lowest priority
| server based on my experience even when the Primary is up and running.

Some spammers target the highest MX record because the backup servers
usually have less spam filtering than the regular server. What I do is
point my highest MX to an IP that returns a 4xx error on everything and I
get rid of hundreds of thousands of spams a day with hardly any system
load.
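The "4xx on everything" backup MX described above, written out as a small listener. This is an added example, not code from any poster in the thread; the hostname, port and reply texts are constructed. Unlike a black-holed unused IP, it still writes a log line for every connection and envelope, which is the operational gap other posters in the thread raise.

```python
"""Backup-MX listener that answers every delivery attempt with a 4xx
temporary failure and logs who tried. Added example, not any poster's code;
hostname, port and reply texts are constructed."""
import logging
import socketserver

HOSTNAME = "smtp-2.domain.com"   # the MX 50 host from the thread (constructed)
LISTEN = ("0.0.0.0", 2525)       # constructed; a real deployment listens on 25


def respond(line):
    """Map one SMTP command line to (reply, close_after_reply).

    HELO/EHLO, NOOP and RSET succeed so the sender identifies itself in the
    log; every delivery command (MAIL, RCPT, DATA) and anything unknown gets
    a 450 temporary failure, so a well-behaved MTA requeues the message and
    retries the primary MX. Only QUIT ends the session cleanly."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb == "QUIT":
        return "221 2.0.0 %s closing connection\r\n" % HOSTNAME, True
    if verb in ("HELO", "EHLO"):
        return "250 %s\r\n" % HOSTNAME, False
    if verb in ("NOOP", "RSET"):
        return "250 2.0.0 OK\r\n", False
    return ("450 4.7.1 %s is a backup MX and is not accepting mail; "
            "retry the primary MX later\r\n" % HOSTNAME, False)


class TempfailHandler(socketserver.StreamRequestHandler):
    """One SMTP session: banner, then command/reply until QUIT or EOF."""

    def handle(self):
        peer = self.client_address[0]
        logging.info("connect from %s", peer)
        self.wfile.write(("220 %s ESMTP backup MX\r\n" % HOSTNAME).encode("ascii"))
        while True:
            raw = self.rfile.readline()
            if not raw:                    # client hung up
                break
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            logging.info("%s > %s", peer, line)   # MAIL FROM / RCPT TO land in the log
            reply, close = respond(line)
            self.wfile.write(reply.encode("ascii"))
            if close:
                break
        logging.info("disconnect %s", peer)


class TempfailServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    with TempfailServer(LISTEN, TempfailHandler) as server:
        server.serve_forever()
```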
Re: Q. about spam directed towards highest MX Record?
Matt wrote:
> Just to clarify here. You are talking about doing something like:
>
> domain.com 1200 IN MX 10 smtp-1.domain.com
> domain.com 1200 IN MX 50 smtp-2.domain.com
>
> You all are saying that most of the spam should be coming in MX 50, right?

No, I'm saying most of the mail coming to the secondary (MX 50) is likely
to be spam in situations where the primary (MX 10) is accepting mail.

> I have to admit I've tried this, but it seems like mail continues to come
> into the MX 50 even when the primary servers are available. Is it not
> correct that the 50 should NOT be tried until the 10 is unavailable? Or do
> I have that backwards?

Legitimate mail servers follow the rule you describe: send first to the
primary, then to the secondary if the primary is unavailable. However,
there's no technical or other requirement that messages first be sent to
the primary. Spammers often ignore the primary and send directly to the
secondary in hopes that the back door has fewer restrictions.

Legitimate mail can show up on the secondary even when the primary is up
for reasons like congestion. If the primary is busy, the sending server may
time out and then try the secondary. For that reason, you cannot assume
that all mail on the secondary is spam, but a quick review of the logs for
the secondary will show that nearly all of it is spam. That's why I give
messages arriving at the secondary a high SA score, but not one that is
sufficient by itself to tag the message.

Peter
RE: Q. about spam directed towards highest MX Record?
> -Original Message-
> From: Marc Perkel [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 18, 2006 9:36 AM
> To:
> Cc: Matt; Peter H. Lemieux; users@spamassassin.apache.org
> Subject: Re: Q. about spam directed towards highest MX Record?
>
> You have it right. Unfortunately, mail still hits the lowest priority
> server based on my experience even when the Primary is up and running.

Or, even better, point it at an unused IP on your network. (don't point it
at 127.0.0.1, that will get you blacklisted in the rfc-ignorant invalid MX
list) That way, no bandwidth used except for a TCP SYN every now and again.
Re: Q. about spam directed towards highest MX Record?
Matt wrote:
> Just to clarify here. You are talking about doing something like:
>
> domain.com 1200 IN MX 10 smtp-1.domain.com
> domain.com 1200 IN MX 50 smtp-2.domain.com
>
> You all are saying that most of the spam should be coming in MX 50, right?
>
> I have to admit I've tried this, but it seems like mail continues to come
> into the MX 50 even when the primary servers are available. Is it not
> correct that the 50 should NOT be tried until the 10 is unavailable? Or do
> I have that backwards?

You have it right. Spammers seem to think the lowest priority MX will have
fewer controls. This can work to your advantage. Our lowest MX gets more
mail traffic than our highest, but it is 90%+ spam. I have long wait
greylisting, account verification, RBLs out the ying yang. The server is an
old Sparc 20 running a minimum of SMTP listeners. It practically takes a
handwritten note from Jesus to get a message delivered through the server.
All that traffic is not connecting to my primary mail gateway ;^)

DAve

-- 
Three years now I've asked Google why they don't have a logo change for
Memorial Day. Why do they choose to do logos for other non-international
holidays, but nothing for Veterans? Maybe they forgot who made that choice
possible.
Re: Q. about spam directed towards highest MX Record?
Marc Perkel wrote:
> wrote:
> | Just to clarify here. You are talking about doing something like:
> |
> | domain.com 1200 IN MX 10 smtp-1.domain.com
> | domain.com 1200 IN MX 50 smtp-2.domain.com
> |
> | You all are saying that most of the spam should be coming in MX 50, right?
> |
> | I have to admit I've tried this, but it seems like mail continues to
> | come into the MX 50 even when the primary servers are available. Is
> | it not correct that the 50 should NOT be tried until the 10 is
> | unavailable? Or do I have that backwards?
> |
> | You have it right. Unfortunately, mail still hits the lowest priority
> | server based on my experience even when the Primary is up and running.
>
> Some spammers target the highest MX record because the backup servers
> usually have less spam filtering than the regular server. What I do is
> point my highest MX to an IP that returns a 4xx error on everything and I
> get rid of hundreds of thousands of spams a day with hardly any system
> load.

We tried that and had problems with some clients (the business client, not
the mail client). Seems a lot of Exchange servers will try the lowest
priority MX for some reason, and then never try the highest, just fail.
With the current setup a valid message will eventually get through.

DAve
Re: Q. about spam directed towards highest MX Record?
> We tried that and had problems with some clients (the business client, not
> the mail client). Seems a lot of Exchange servers will try the lowest
> priority MX for some reason, and then never try the highest, just fail.
> With the current setup a valid message will eventually get through.
>
> DAve

Isn't that how it is supposed to work? Try the lowest first?
Re: Q. about spam directed towards highest MX Record?
Matt wrote:
>> We tried that and had problems with some clients (the business client,
>> not the mail client). Seems a lot of Exchange servers will try the lowest
>> priority MX for some reason, and then never try the highest, just fail.
>> With the current setup a valid message will eventually get through.
>>
>> DAve
>
> Isn't that how it is supposed to work? Try the lowest first?

MX 10 and MX 20 are my mail gateways, the lowest MX or the highest priority
MX. And MX 30 is my highest MX or my lowest priority MX, and the server
that gets the spam and the Exchange connections.

MX 10, often referred to as lowest MX, or highest priority MX.
MX 500, often referred to as highest MX, or lowest priority MX.

Oh, and let's not forget 'distance'; I was once flamed for not knowing it
should be called 'distance'. I have been chided/flamed/called ignorant on
different mail lists for using one or the other to refer to an MX. Now I
just mix and match so as to confuse everyone ;^)

DAve
Re: Q. about spam directed towards highest MX Record?
In our experience the mail which goes to 50 without trying 10 is always
spam. We kept trying to think of a way to reasonably check for this, and
allow it through if the lower MX was actually busy...

Matt wrote:
> Just to clarify here. You are talking about doing something like:
>
> domain.com 1200 IN MX 10 smtp-1.domain.com
> domain.com 1200 IN MX 50 smtp-2.domain.com
>
> You all are saying that most of the spam should be coming in MX 50, right?
>
> I have to admit I've tried this, but it seems like mail continues to come
> into the MX 50 even when the primary servers are available. Is it not
> correct that the 50 should NOT be tried until the 10 is unavailable? Or do
> I have that backwards?

-- 
Jo Rhett
Network/Software Engineer
Net Consonance
Re: Q. about spam directed towards highest MX Record?
On Wed, 18 Oct 2006, Jo Rhett wrote:
> In our experience the mail which goes to 50 without trying 10 is always
> spam.

Any feel for whether or not you're experiencing the same Exchange-related
brokenness as an earlier poster mentioned?

-- 
John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...the Fates notice those who buy chainsaws... -- www.darwinawards.com
---
13 days until Halloween
Re: Q. about spam directed towards highest MX Record?
I too get a trickle of legitimate mail going to my higher-numbered server.
Many are coming from the central university Exchange server. I suspect what
happens is that it gets one "try again later" and then caches the address
of the secondary for a while.

SpamAssassin is *tagging* over 97% of the email received on our
higher-numbered server as spam, and that's without the OCR plugin. (I don't
want to play with the scoring on the secondary, because the trickle of
legit email *is* important, and it seems like mail from Exchange often
picks up a point or so anyway, mostly for HTML oddities.)
RE: Q. about spam directed towards highest MX Record?
On Wed, 18 Oct 2006, Michael Scheidell wrote:
>> -Original Message-
>> From: Marc Perkel [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, October 18, 2006 9:36 AM
>> To:
>> Cc: Matt; Peter H. Lemieux; users@spamassassin.apache.org
>> Subject: Re: Q. about spam directed towards highest MX Record?
>>
>> You have it right. Unfortunately, mail still hits the lowest priority
>> server based on my experience even when the Primary is up and running.
>
> Or, even better, point it at an unused IP on your network. (don't point it
> at 127.0.0.1, that will get you blacklisted in the rfc-ignorant invalid MX
> list) That way, no bandwidth used except for a TCP SYN every now and again.

Yes, but...

You get no logs or indication when there's trouble from some brain-dead
server (Exchange?) which insists upon sending to your highest MX record.
They call and say your mail server has been down for days, never accept any
of their mail. You check your server logs and say that their server never
even tried to connect to any of your servers. ;(

Been there, got the Pissed-off-LLuser medal to prove that it can happen.

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better.  B{
Re: Q. about spam directed towards highest MX Record?
Jon Trulson wrote:
> Hehe, that is an old spammer trick... Our secondary MX is pretty much 100%
> spam. I implemented greylisting on the secondary which reduced spam through
> it by about 99% :) The secondary does not do spam scanning, it's simply
> store and forward. Greylisting really helps in these cases.

My experience is like Jon's; nearly all mail arriving at the backup MX is
spam. Rather than greylisting, I simply score messages higher if they come
in through the backup MX. On my systems, where the primary MX is almost
never down, I add 3.3 SA points for messages that arrive via the back door.
This is routinely one of the most frequently hit rules, right up there with
senders without reverse DNS, which gets an equivalent score. Many messages
arriving at the back door trip both these rules and thus get marked as
spam.

This approach doesn't put a great deal of stress on my SA scanner because I
block a lot of mail at the SMTP level based on a substantial custom rule
list.

Peter
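The scoring idea Peter describes here and in his earlier reply (a back-door rule worth 3.3 points that cannot tag a message by itself, plus an equally weighted no-reverse-DNS rule), worked through on constructed Received headers. This is an added example, not Peter's rules or SpamAssassin's own code; the MX set, header samples, rule names and the 5.0 threshold are assumptions.

```python
"""Score a message by which MX it entered through: a message that arrived via
the lowest-priority (highest-number) backup MX gets extra points, but never
enough on its own to cross the tagging threshold. Added example, not any
poster's code; MX data, headers, rule names and scores are constructed."""
import re

# Constructed MX set for the thread's example domain: hostname -> preference.
MX_RECORDS = {"smtp-1.domain.com": 10, "smtp-2.domain.com": 50}

BACKUP_MX_SCORE = 3.3   # the "back door" score Peter mentions
NO_RDNS_SCORE = 3.3     # he says the no-reverse-DNS rule gets an equivalent score
REQUIRED_SCORE = 5.0    # assumed tagging threshold (SpamAssassin's default)

# "by <host>" in a Received: header names the MTA that accepted the hop.
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
# Postfix-style "from <helo> (<rdns> [<ip>])"; rdns "unknown" = no reverse DNS.
RECEIVED_FROM = re.compile(r"\bfrom\s+\S+\s+\((\S+)\s+\[", re.IGNORECASE)


def backup_mx(records=MX_RECORDS):
    """The lowest-priority MX is the one with the largest preference value."""
    return max(records, key=records.get)


def boundary_hop(headers):
    """The topmost Received: line is the one our own MTA added."""
    for name, value in headers:
        if name.lower() == "received":
            return value
    return None


def rule_hits(headers, records=MX_RECORDS):
    """Return {rule_name: score} for the two rules the thread discusses."""
    hits = {}
    hop = boundary_hop(headers)
    if hop is None:
        return hits
    by = RECEIVED_BY.search(hop)
    if by and by.group(1).lower() == backup_mx(records):
        hits["LOCAL_VIA_BACKUP_MX"] = BACKUP_MX_SCORE
    frm = RECEIVED_FROM.search(hop)
    if frm and frm.group(1).lower() == "unknown":
        hits["LOCAL_NO_RDNS"] = NO_RDNS_SCORE
    return hits


def classify(headers, other_score=0.0, records=MX_RECORDS):
    """Total score (other rules + these hints) and whether it would be tagged."""
    total = round(other_score + sum(rule_hits(headers, records).values()), 1)
    return total, total >= REQUIRED_SCORE


# Constructed samples: straight to the backup MX from a host with no reverse
# DNS; to the backup MX from a host with reverse DNS; and via the primary.
VIA_BACKDOOR_NO_RDNS = [("Received", "from bulk.example.net (unknown [192.0.2.10]) "
                                     "by smtp-2.domain.com (Postfix) with ESMTP id 4B2C1")]
VIA_BACKDOOR = [("Received", "from relay.example.net (relay.example.net [192.0.2.20]) "
                             "by smtp-2.domain.com (Postfix) with ESMTP id 9D77E")]
VIA_PRIMARY = [("Received", "from mail.example.org (mail.example.org [198.51.100.5]) "
                            "by smtp-1.domain.com (Postfix) with ESMTP id 7F00A")]
```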
Re: Q. about spam directed towards highest MX Record?
On Fri, 29 Sep 2006, Rob McEwen (PowerView Systems) wrote:
> Jon Trulson said:
>> Hehe, that is an old spammer trick... Our secondary MX is pretty much
>> 100% spam. I implemented greylisting on the secondary which reduced spam
>> through it by about 99% :) The secondary does not do spam scanning, it's
>> simply store and forward. Greylisting really helps in these cases.
>
> Jon, please tell me, what portion of your overall spams attempt to come in
> through this secondary MX compared to all spam that you catch which are
> headed to your primary MX record. THAT is what I most wanted to know.

Sorry, I missed that...

It's hard to gauge right now as I've been running this setup for over a
year. But, before greylisting was put into effect, I would say nearly 80%
of our spam came through the secondary MX - it seemed to be the preferred
mode of entry into our network. Most 'dictionary' type spam entered this
way as well, since the MX did not have a list of valid users - it's only
intended as an emergency backup after all.

I highly recommend greylisting for secondary MX systems. :)

> Thanks!
>
> Rob McEwen
> PowerView Systems

-- 
Jon Trulson mailto:[EMAIL PROTECTED] http://radscan.com/~jon
#include std/disclaimer.h
No Kill I -Horta
Re: Q. about spam directed towards highest MX Record?
On Fri, September 29, 2006 19:34, Jon Trulson wrote:
> Hehe, that is an old spammer trick... Our secondary MX is pretty much 100%
> spam.

plan:

3 MTAs, 2 as MX backup open to all, 1 MTA only open to YOUR own MX backups
(firewalled)

make 2 backup MX as DNS round robin with one MX record, and the last with
one MX to the mailserver

now spammers can play, hehe :-)

-- 
This message was sent using 100% recycled spam mails.
Re: Q. about spam directed towards highest MX Record?
On Wed, 27 Sep 2006, Rob McEwen wrote:
> (CCing Marc Perkel because I seem to recall him knowing about this)
>
> Not that I'd ever outright block based on this one factor alone, but...
>
> Does anyone have any stats about what percentage of spam is directed
> towards the highest MX Record? (that is, where there is more than one MX
> record?)
>
> Also, has anyone ever seen ANY legit mail go to the highest MX record when
> no mail server failure occurred?

Hehe, that is an old spammer trick... Our secondary MX is pretty much 100%
spam. I implemented greylisting on the secondary which reduced spam through
it by about 99% :) The secondary does not do spam scanning, it's simply
store and forward. Greylisting really helps in these cases.

-- 
Jon Trulson
Re: Q. about spam directed towards highest MX Record?
Jon Trulson said:
> Hehe, that is an old spammer trick... Our secondary MX is pretty much 100%
> spam. I implemented greylisting on the secondary which reduced spam through
> it by about 99% :) The secondary does not do spam scanning, it's simply
> store and forward. Greylisting really helps in these cases.

Jon, please tell me, what portion of your overall spams attempt to come in
through this secondary MX compared to all spam that you catch which are
headed to your primary MX record. THAT is what I most wanted to know.

Thanks!

Rob McEwen
PowerView Systems
Re: Q. about spam directed towards highest MX Record?
Rob McEwen (PowerView Systems) wrote:
> Jon Trulson said:
>> Hehe, that is an old spammer trick... Our secondary MX is pretty much
>> 100% spam. I implemented greylisting on the secondary which reduced spam
>> through it by about 99% :) The secondary does not do spam scanning, it's
>> simply store and forward. Greylisting really helps in these cases.
>
> Jon, please tell me, what portion of your overall spams attempt to come in
> through this secondary MX compared to all spam that you catch which are
> headed to your primary MX record.

Here are some rough numbers from my systems:

Yesterday on the secondary MX:
  Connections:      24601
  Blocked for RBL:  22841

Roughly similar time period on primary MX:
  Connections:     176668
  Blocked for RBL:  79994
  Delivered:        17168
Re: Q. about spam directed towards highest MX Record?
Rob McEwen wrote:
> (CCing Marc Perkel because I seem to recall him knowing about this)
>
> Not that I'd ever outright block based on this one factor alone, but...
>
> Does anyone have any stats about what percentage of spam is directed
> towards the highest MX Record? (that is, where there is more than one MX
> record?)

Our lowest priority MX is just a store and forward box left over from when
backup MXs were useful. We only keep it around because a few (getting
fewer) clients say the PC magazine pundits say you need one. So they pay.
We do all the normal user validation, greylisting, RBLs, same as our other
servers but the spammers insist on using it. Here are the stats for
yesterday:

total messages   total viruses   total spam
--------------   -------------   ----------
       120,242           1,681      106,102

> Also, has anyone ever seen ANY legit mail go to the highest MX record when
> no mail server failure occurred?

Just about any MS Exchange server. I have never had a valid message from
qmail/Sendmail/Postfix/Exim go to that server. Always Exchange, and
generally from a small business with a shrink wrap admin running the mail
services.

DAve
Re: Q. about spam directed towards highest MX Record?
> Also, has anyone ever seen ANY legit mail go to the highest MX record when
> no mail server failure occurred?

I've seen a tiny amount -- little enough that I earlier set my primary to
dump any messages received from my tertiary MX into a quarantine folder for
my review, but since I got ImageInfo.pm working properly I haven't noticed
any spam make it through mail3 unscathed.

-- 
Dave Pooser
Cat-Herder-in-Chief
Pooserville.com
Dogs are what puppies turn into if you don't eat 'em before they go all
stringy. --Sgt. Schlock www.schlockmercenary.com
Re: Q. about spam directed towards highest MX Record?
Rob McEwen wrote:
> (CCing Marc Perkel because I seem to recall him knowing about this)
>
> Not that I'd ever outright block based on this one factor alone, but...
>
> Does anyone have any stats about what percentage of spam is directed
> towards the highest MX Record? (that is, where there is more than one MX
> record?)
>
> Also, has anyone ever seen ANY legit mail go to the highest MX record when
> no mail server failure occurred?

I get lots of mail from a number of different Domino servers delivered to
my lowest preference MXes. I've always suspected it was something IBM had
done to Domino to improve queue performance but I've never looked into it.

Daryl