On 8/27/07, Marc Perkel <[EMAIL PROTECTED]> wrote:
>
>
>
> Andy Sutton wrote:
>
> On Mon, 2007-08-27 at 12:59 -0700, Marc Perkel wrote:
>
>  I've not run into a single instance where a legit server only tried
> the lowest MX. However, if I did there's a simple solution. If the
> fake lowest MX points to an IP on the same server as the working MX
> then you can use iptables to block port 25 on all IP addresses EXCEPT
> for the one broken server. That would fix the problem.
>
>  I think the question is how you would identify a FP occurred, short of a
> client screaming?
>
>
> Clients screaming is the way the false positives are usually identified.
> I'm filtering 1600 domains and I've been doing this for almost a year and
> have yet to get a single report of a false positive. And when I screw up I
> usually hear about it.
>
> All I can say is - it works for me. If you want to try something safer,
> create some fake higher-numbered MX records and return 421 errors on them
> and you'll get rid of about 1/3 of your botnet spam. And you'll be able to
> see in your logs how many hits you get.
>
> The only way to determine if this works or not is to try it.
>
>

I have tried bogus MXes before and had too many false positives to possibly
deal with.  However, after the repeated claims of zero FP on your large
installation, I decided to give it another try.  It's been a couple of years
since my last try, and then I only used a fake 1st pref MX, not a fake last
MX as well.

Sunday evening I tried it on a single domain of one very tolerant and
friendly client.  I added one bogus lower MX and one higher, both on unused
IPs in the same block as their actual mail server.

The first 24 hours seemed promising.  However, today (Tuesday) we have two
false positives, including one of their banks (!) and a small business that
is their long-time customer.

It's scary that a bank has such a broken config, but it's a reality.
Unfortunately, there are still too many bad admins/RFC-ignorant
firewalls/whatever out there for bogus MXes to be a practical solution for
me.  Sure, if we all used it then they'd have to clean up their acts... but
then the spammers would obviously just implement proper behavior in their
next bot version.  I just don't see this as a solution that can work.

I don't know what "1600 domains" means.  Most people talk in terms of
messages/day, number of mailboxes, or some other meaningful measurement.
Just guessing that maybe a "domain" equals average 50 users... I cannot
imagine how you're not getting flooded with complaints.  I tried it with a
single small domain (less than 30 mailboxes) and didn't make it 2 business
days.

We'd all like to find that magic button to stop spam, but this ain't it.

-Aaron
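Andy's question upthread (how do you spot a false positive before the client screams?) and Marc's remark that the decoy MX hits show up in your logs point at the same check, so here is one way to do it. This is an added example, not code from either poster: it takes log lines from the decoy MXes (the lowest-preference one that refuses connections and the highest-preference one that answers 421) together with the real MX's accept log, groups them by client IP, and separates three kinds of sender. A host that hit a decoy and later delivered to the real MX walked the MX list correctly. A host that keeps retrying the decoy over an hour or more and never reaches the real MX behaves like a queueing MTA with a broken MX selection, which is exactly the bank case above and the one to review by hand. A host that hits a decoy once or twice and vanishes is the bot the technique is meant to catch. The log format, the sample lines and the retry thresholds are all constructed assumptions for the example; adapt the regex to your own MTA and firewall log lines.

```python
"""Triage decoy-MX hits to find likely false positives (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread). Hypothetical format:
#   <ISO time> <decoy|real> client=<ip> sender=<addr> status=<refused|421|250>
SAMPLE_LOG = """\
2007-08-27T01:02:03 decoy client=198.51.100.7 sender=x@example.net status=refused
2007-08-27T01:07:44 real client=198.51.100.7 sender=x@example.net status=250
2007-08-27T02:15:00 decoy client=203.0.113.9 sender=a@spam.example status=421
2007-08-27T03:00:00 decoy client=192.0.2.55 sender=alerts@bank.example status=refused
2007-08-27T03:30:00 decoy client=192.0.2.55 sender=alerts@bank.example status=refused
2007-08-27T04:30:00 decoy client=192.0.2.55 sender=alerts@bank.example status=refused
2007-08-27T06:30:00 decoy client=192.0.2.55 sender=alerts@bank.example status=refused
2007-08-27T05:00:00 decoy client=203.0.113.77 sender=b@spam.example status=421
2007-08-27T05:05:00 decoy client=203.0.113.77 sender=b@spam.example status=421
2007-08-27T07:00:00 real client=198.51.100.200 sender=c@example.org status=250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<mx>decoy|real) client=(?P<ip>\S+) "
    r"sender=(?P<sender>\S+) status=(?P<status>\S+)$"
)


def parse_log(text):
    """Return a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def classify_hosts(events, min_retries=3, min_span=timedelta(hours=1)):
    """Group decoy/real events by client IP and assign one verdict per IP.

    compliant    : hit a decoy, then delivered to the real MX (correct MX walk)
    fp-candidate : >= min_retries decoy attempts spread over >= min_span with
                   no delivery, i.e. a queueing MTA stuck on a decoy; review it
    bot-like     : a few decoy hits and never came back
    Thresholds are assumptions for the example, not values from the thread.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        decoy = [e for e in evs if e["mx"] == "decoy"]
        if not decoy:
            continue  # only ever seen on the real MX: nothing to triage
        delivered = any(e["mx"] == "real" and e["status"] == "250" for e in evs)
        span = decoy[-1]["ts"] - decoy[0]["ts"]
        if delivered:
            verdict = "compliant"
        elif len(decoy) >= min_retries and span >= min_span:
            verdict = "fp-candidate"
        else:
            verdict = "bot-like"
        verdicts[ip] = {
            "verdict": verdict,
            "attempts": len(decoy),
            "senders": sorted({e["sender"] for e in decoy}),
        }
    return verdicts


def fp_candidates(text):
    """Convenience wrapper: only the IPs that need a human look."""
    return {ip: info for ip, info in classify_hosts(parse_log(text)).items()
            if info["verdict"] == "fp-candidate"}


if __name__ == "__main__":
    for ip, info in sorted(classify_hosts(parse_log(SAMPLE_LOG)).items()):
        print(f"{ip:16} {info['verdict']:13} attempts={info['attempts']} "
              f"senders={','.join(info['senders'])}")
```

The fp-candidate list is a triage queue, not a verdict: a botnet node that retries on a schedule can land there too, so the sender addresses and reverse DNS still need a look. Once a sender is confirmed legitimate, the fix is to let that IP past the decoy (a per-source exception ahead of the port 25 reject rule) rather than to drop the decoy for everyone.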
