Re: [exim] An interesting observation about spam zombies

Author: Graeme Fowler
Date:  
To: exim-users
Subject: Re: [exim] An interesting observation about spam zombies
On Wed, 2007-08-29 at 10:23 -0700, Marc Perkel wrote:
> As some of you know I get rid of a lot of spam using fake high numbered
> MX records. I'm now doing some interesting experiments. Even though my
> TTL is only 2 hours I notice that if I change my fake high MX to
> different fake high MX that the spam zombies still send email to the old
> fake MX records for many days, sometimes weeks.
In the olden days, when AOL used to be a Really Big Player (!), there
were many uncorroborated and persistent rumours that they (and several
other large ISPs) used to deliberately ignore DNS zone and resource
TTLs, and forced them to be much longer than the zone administrators
intended. I say "uncorroborated" because even in the mists of NANOG, few
people can actually provide hard details that this was the case from the
inside of those organisations - most of the evidence is from external
observation.

> My theory is that spam zombies do DNS caching so as to maximize spam
> output by eliminating dns lookups. Thus zombies retain old information
> far longer than they are supposed to.
A technique used in the days of the old "millions CD" methods of
propagating spam lists was to keep a corresponding MX history file
whereby a domain's entire MX history, DNS names and IP addresses, was
kept and tried repeatedly. This caused odd events where a mail server
would buckle under the load of spam it didn't even handle. Again, this
is now in the mists of history...

> So I'm experimenting with a blacklisting trick where I change my fake
> high MX records, wait several hours, and then anything that hits the old
> fake MX records is a spam zombie.
>
> Thoughts?
I'm reminded of the joke about the engineer, the physicist and the
mathematician on a train journey through a strange land. The engineer
spots a black sheep:

E: All sheep in this country are black.
P: One sheep in this country is black.
M: One side of one sheep in that field in this country is black.

You simply cannot assume that any attempts to connect using your old MX
address are spam zombies. Many may be, but some will not. Some may be
legitimate messages affected by the observed behaviour of some caching
nameservers. Can you afford to drop them?

Also, have you read about fast flux? Take care not to make your domain
look like a fast fluxer (in DNS terms) as you may fall foul of other
antispam operators too. You wouldn't want that again, would you?

Graeme
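An added illustration of the caution above (example code written for this page, not from Marc's or Graeme's posts and not part of Exim): instead of dropping every client that still connects to a withdrawn fake MX, it waits out the TTL plus a margin for TTL-stretching resolvers, then separates clients that only ever hit the stale address from clients that also reach the real MX. All addresses, times and connection records are constructed.

```python
from datetime import datetime, timedelta

TTL = timedelta(hours=2)                     # the zone TTL mentioned in the thread
RETIRED_AT = datetime(2007, 8, 29, 12, 0)    # constructed: when the old fake MX was withdrawn
GRACE = 3 * TTL                              # tolerate resolvers that stretch TTLs well past 2h
REAL_MX = "192.0.2.10"                       # constructed: the genuine, lowest-preference MX
OLD_FAKE_MX = "192.0.2.250"                  # constructed: the withdrawn high-preference fake MX

# Constructed connection records: (time, client address, local MX address contacted).
SAMPLE = [
    ("2007-08-29 12:30", "198.51.100.7", OLD_FAKE_MX),   # inside the grace window: ignored
    ("2007-08-31 09:00", "198.51.100.7", OLD_FAKE_MX),   # stale hit, never seen on the real MX
    ("2007-08-31 09:05", "198.51.100.7", OLD_FAKE_MX),
    ("2007-08-31 10:00", "203.0.113.4", OLD_FAKE_MX),    # stale hit, but also delivers to real MX
    ("2007-08-31 10:01", "203.0.113.4", REAL_MX),
    ("2007-08-31 11:00", "203.0.113.9", REAL_MX),        # never touched the old MX at all
]

def parse(record):
    """Turn one constructed record into (datetime, client, mx)."""
    ts, client, mx = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), client, mx

def classify(records, retired_at=RETIRED_AT, grace=GRACE):
    """Return {client: verdict} for every client with stale hits after the grace window.

    'zombie-candidate'  : only ever contacts the withdrawn fake MX -> worth scoring/reviewing
    'stale-cache-legit' : also reaches the real MX -> looks like a caching resolver, do not block
    Clients that never hit the old MX are not reported.
    """
    stale_hits = {}
    seen_on_real_mx = set()
    for ts, client, mx in map(parse, records):
        if mx == REAL_MX:
            seen_on_real_mx.add(client)
        elif mx == OLD_FAKE_MX and ts > retired_at + grace:
            stale_hits[client] = stale_hits.get(client, 0) + 1
    verdicts = {}
    for client in stale_hits:
        if client in seen_on_real_mx:
            verdicts[client] = "stale-cache-legit"
        else:
            verdicts[client] = "zombie-candidate"
    return verdicts

if __name__ == "__main__":
    for client, verdict in sorted(classify(SAMPLE).items()):
        print(client, verdict)
```

The verdict is meant to feed a score or a review queue, not an outright reject, since Graeme's point is that the "mixed" clients are exactly the legitimate mail you cannot afford to drop.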