Send that spam where it belongs
I ran across an interesting article today on /.:
http://www.joreybump.com/code/howto/nolisting.html
It's fairly obvious when you think about it, and I can't believe I didn't think of and try this before. The basic idea is that spam comes mostly from infected Windows clients, and these clients do not use a mail exchanger but instead send the mail directly to the mail host for the email address they are spamming. They get the mail host via the MX record for the domain, which is how everyone else does it, but the difference is they do an MX lookup and only try to send the message using the first host (highest priority/lowest numbered host) in the MX record. They try to send the message and, whether successful or not, they move on to the next email address.
Now real mail exchangers try the highest priority mail server first, and if a connection cannot be made they go to the next one in the list and try to deliver the message. If none of the mail servers can be reached, they will store the message and try again after a period of time. So, the article suggests that you use an IP address that doesn't accept mail as your highest priority mail server. Virus-ridden Windows boxes will try to send mail to that address and not be successful. Real mail going through a mail exchanger will automatically get through on the address that does accept mail.
Well, I decided this would be very simple to try out myself, but I took it a couple of extra steps. I have a couple of domains that I point to my dynamic address, and I usually get around 100 spam emails each day on these domains. Now it's not a huge deal because SpamAssassin catches 95% of this spam, but it still annoys me that these Windows boxes are sending me this garbage, using up my bandwidth and server space. Not having extra IP addresses, I figured I would just turn this spam back to where it belongs. www.microsoft.com doesn't accept mail. :)
So my MX records have 3 entries. The highest and lowest priority servers point to addresses from the borg's web server cluster, and the middle one points to my mail server. So all attempts to send mail to my domains initially go to their web servers, and when those don't accept the connection, the real mail comes in to my server. Now the crap goes where it should go and I don't get it.
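To make the mechanism concrete, here is an added example (not from the post or the linked article) that models the three-entry MX layout above with placeholder hostnames, shows where a first-host-only bot versus a compliant MTA ends up, and checks that the layout is safe: the primary must refuse connections while some lower-priority host still accepts. The hostnames, the simulated "listening" set and the probe helper are all constructed for the example.

```python
import socket

# Constructed MX set mirroring the post's layout: a host that does not accept
# mail at the highest priority (lowest number), the real server in the middle,
# and another non-accepting host last. Hostnames are placeholders.
EXAMPLE_MX = [
    (10, "decoy-primary.example.net"),
    (20, "mail.example.net"),
    (30, "decoy-last.example.net"),
]

# Constructed view of which hosts listen on port 25 (stands in for a live probe).
EXAMPLE_LISTENING = {"mail.example.net"}

def delivery_order(mx_records):
    """Hosts in the order a standards-compliant MTA tries them: lowest preference first."""
    return [host for _, host in sorted(mx_records)]

def spambot_target(mx_records):
    """A direct-to-MX bot that only tries the first host ends up here."""
    return delivery_order(mx_records)[0]

def last_only_target(mx_records):
    """A bot that only tries the last (lowest priority) host ends up here."""
    return delivery_order(mx_records)[-1]

def first_accepting_host(mx_records, probe):
    """Where a real MTA's message lands: the first host whose port 25 answers."""
    for host in delivery_order(mx_records):
        if probe(host):
            return host
    return None  # nothing reachable: a real MTA queues the message and retries later

def check_nolisting(mx_records, probe):
    """Return (ok, reason). ok means bots hit a closed port but real mail still lands."""
    order = delivery_order(mx_records)
    if probe(order[0]):
        return False, "highest-priority MX accepts mail; first-host-only bots will deliver"
    if first_accepting_host(mx_records, probe) is None:
        return False, "no MX accepts mail; legitimate mail will bounce after retries"
    return True, "primary refuses connections, a backup accepts"

def tcp_probe(host, port=25, timeout=5):
    """Live probe for real use: True if a TCP connection to the SMTP port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

For a real domain, pass your resolver's MX answers as `(preference, host)` pairs and `tcp_probe` as the probe; the check fails loudly if the decoy host ever starts listening on port 25, which is exactly the failure mode the closing joke describes.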
This is not a 100% solution, as I have still gotten a few, but it looks to have cut over 80% of the spam out in the half day it's been running. SpamAssassin still catches 95% of the 20% that is left over, so I am in good shape. It looks like the few that I have received since doing this came from Windows 2003 machines with Exchange Server running on them. I suspect those servers are either infected or are part of a spamming operation. Around 6 spam messages in total have come in on both domains in the half day it's been running. Much, much better. I suspect that if more people do this, the virus writers will get wise and attempt all mail hosts rather than just the first or last mail host.
Of course, if they fire up a mail exchanger on their web server cluster, all of a sudden all my mail are belong to the borg. :)
Have fun!