Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam and
at the same time help me track spambots for my black list. This is
free and mutual benefit. I (junkemailfilter.com) want to be your
highest numbered fake MX record. Here's how you would configure your
domain:
mail.yourdomain.com MX 10
tarbaby.junkemailfilter.com MX 20
I will never actually receive your email. The recipient will always get
a 451 error just after the DATA command. So if your servers are down
you won't lose anything. A 451 error is an "I'm not ready, come back
later" error.

what if he comes back later to the same MX, again and again (AFAIK, this
is the case with qmail)? mail will be lost.

This will help you reduce your spambot spam generally by half. Many
spambots try the highest number MX records first and never try again.
So these attempts just go away. Your system load drops, your spam is
reduced, spamassassin doesn't have to work as hard. And some spammers
will actually blacklist you because when they see a
junkemailfilter.com host in the MX they don't even try because they
know that it will only reduce their spambot army to even attempt to
send a spam.

do you have any evidence for this? or more generally, do spammers really
check the MX name for such patterns?

I have developed an extremely accurate way of detecting spambots and
getting them listed on the first attempt to send spam. It involves
detecting a combination of several sins that if they hit this
combination, and most do, it's a virus infected spambot. Without going
into great detail one of the unique things I look for is hosts not
closing the connection with quit but rather allowing the connection to
time out after receiving the 451 error. When you combine that it's the
highest MX, no QUIT, and several other tests on HELO and other things
I can get these hosts blacklisted which blocks their spam for everyone
who uses my blacklists. And - unless you are huge - you can use my
blacklists for free.
Here's what an SMTP session to my tarbaby server looks like.
telnet tarbaby.junkemailfilter.com 25
Trying 65.49.42.79...
Connected to tarbaby.junkemailfilter.com.
Escape character is '^]'.
220 tarbaby.junkemailfilter.com ESMTP Exim 4.68 Wed, 07 May 2008 08:20:24 -0700
helo mydomain.com
250 tarbaby.junkemailfilter.com Hello vps8.ctyme.com [65.49.42.18]
mail from:<>
250 OK
rcpt to:[EMAIL PROTECTED]
250 Accepted
data
451 DEFER - Try a lower numbered MX record - http://www.junkemailfilter.com
So - if you are interested all you have to do is set your highest
numbered MX to tarbaby.junkemailfilter.com. If you want to know more
about my lists you can read about them here.
http://wiki.junkemailfilter.com/index.php/Main_Page
This is experimental. I'm looking to see what kind of useful data I
can derive from this to see how well it works and if I'll continue it.
Send me a private email if you have any questions.
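
The behaviour described in the quoted message (accept HELO, MAIL and RCPT, defer at DATA with 451, then note whether the client sends QUIT) can be sketched as follows. This is an added example, not part of the thread and not junkemailfilter.com's code: the command sequences are constructed, running out of commands stands in for a timeout, and the HELO check and the two-signal policy are assumptions standing in for the tests the post does not spell out.

```python
from dataclasses import dataclass, field

DEFER = "451 DEFER - Try a lower numbered MX record"

@dataclass
class Session:
    peer: str
    helo: str = ""
    got_451: bool = False
    sent_quit: bool = False
    replies: list = field(default_factory=list)

    def feed(self, line: str) -> str:
        verb = line.strip().upper()
        if verb.startswith(("HELO", "EHLO")):
            self.helo = line.strip()[4:].strip()
            reply = f"250 Hello [{self.peer}]"
        elif verb.startswith("MAIL FROM:"):
            reply = "250 OK"
        elif verb.startswith("RCPT TO:"):
            reply = "250 Accepted"
        elif verb == "DATA":
            self.got_451 = True  # always defer; no message body is ever read
            reply = DEFER
        elif verb == "QUIT":
            self.sent_quit = True
            reply = "221 closing connection"
        else:
            reply = "500 unrecognized command"
        self.replies.append(reply)
        return reply

def replay(peer: str, lines: list) -> Session:  # end of lines models a timeout
    s = Session(peer)
    for line in lines:
        s.feed(line)
    return s

def signals(s: Session) -> list:
    found = []
    if s.got_451 and not s.sent_quit:
        found.append("no-quit-after-451")  # signal named in the post
    if "." not in s.helo or s.helo.strip("[]") == s.peer:
        found.append("suspicious-helo")    # assumed stand-in for the HELO tests
    return found

def is_candidate(s: Session) -> bool:  # assumed policy: named signal plus one more
    sig = signals(s)
    return "no-quit-after-451" in sig and len(sig) >= 2
```

A sender that issues QUIT after the 451 and retries a lower-numbered MX produces no signals here, which is the distinction the quoted message relies on.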