Autor: Alan J. Flavell Data: A: Exim users list Assumpte: Re: [exim] Am I an open relay or aren't I?
On Wed, 10 May 2006, Martin A. Brooks wrote:
> Marc Perkel wrote:
> > Anyhow - one of my tricks. Create a third MX that is higher than the
> > other two.
This was certainly a possibility that we had considered in the past,
having observed the apparent propensity of some spammers to go for
higher-numbered MXes without showing any signs of having tried the
first-choice MX first, even when we knew it was fully working.
> > Then add this ACL [snip hopelessly over-agressive code...]
However, it seemed to us that one should take great care about what
action one takes in response.
> Not wishing to be pedantic, but it's not a fake record, it's a real
> one.
Agreed
> Also it's perfectly possible that it's not a spammer, but a host
> that is having trouble reaching your primary MX.
It's conceivable - even though it should be rather rare.
> You logic assumes that a spammer will always and only try the lowest
> priority MX record,
By no means! It's based on an observation that enough of them do so
that it's been noticed quite widely. But it certainly would not
replace existing defences.
I know that some commentators have guessed that spammers were doing
their DNS lookups casually, and picking arbitrary MX hosts,[1]
irrespective of the associated priority. I have to say that my hunch
is that some, at least, are quite deliberately going for the backup
host, hoping that it will be less well protected against abuse.
I'd be inclined to respond on that "third" (of "fake") MX with a
defer. Bona fide senders would surely try the preferred MX, sooner or
later, wouldn't they? Spammers, on the whole, can't be bothered with
organised retries. Indeed, with any luck, such retries might have
similar effect to greylisting, and, by the time that they finally got
to trying the first or second MX, they'd already have got into dnsBLs,
and could be rejected by the other defences.
However, this is only an idea that we discussed - we never did get to
try it, so I can't offer any reports on how it works out in practice,
sorry.
[1] Incidentally, we had some clear evidence that spammers keep old
lists of MX lookups, instead of looking-up in real time - so it could
be beneficial to regularly change one's MX IPs, and letting them try
to offer the mail to last month's IP which has now gone away ;-)