Re: [exim] An interesting observation about spam zombies

Top Page

Reply to this message
Author: Richard Pitt
Date:  
To: Graeme Fowler
CC: exim-users
Subject: Re: [exim] An interesting observation about spam zombies


On Wed, 2007-08-29 at 18:48 +0100, Graeme Fowler wrote:
> On Wed, 2007-08-29 at 10:23 -0700, Marc Perkel wrote:
> > As some of you know I get rid of a lot of spam using fake high numbered
> > MX records. I'm now doing some interesting experiments. Even though my
> > TTL is only 2 hours I notice that if I change my fake high MX to
> > different fake high MX that the spam zombies still send email to the old
> > fake MX records for many days, sometimes weeks.
>
> In the olden days, when AOL used to be a Really Big Player (!), there
> were many uncorroborated and persistent rumours that they (and several
> other large ISPs) used to deliberately ignore DNS zone and resource
> TTls, and forced them to be much longer than the zone administrators
> intended. I say "uncorroborated" because even in the mists of NANOG, few
> people can actually provide hard details that this was the case from the
> inside of those organisations - most of the evidence is from external
> observation.
>

OK - I'll corroborate it - In our Wimsey days and iStar days
(1986-1999), we documented many times when AOL (once they joined the
'Net) in particular ignored both short TTLs (less than a day) and any
TTL (ours defaulted to 7 days) and in general failed to update for as
much as a month with some of their servers much longer so it was
inconsistent. I could dig into my archives of correspondence with them
if you'd like :)

I was the one who did most of the DNS changes and moved stuff as we grew
and changed IP blocks and such. That was when we noticed it the most -
but customers moving to us (and away from us) also had problems. Some,
admitedly, were caused by other ISPs either failing to take their zone
files out when a customer moved, or in a couple of cases actually
working at screwing things up - but there were enough cases that I could
truly put down to AOL not respecting the TTLs that I'm convinced. I even
have web logs from that erra showing persistent tries to sites that had
moved from AOL addresses.
...
> I'm reminded of the joke about the engineer, the physicist and the
> mathematician on a train journey through a strange land. The engineer
> spots a black sheep:
>
> E: All sheep in this country are black.
> P: One sheep in this country is black.
> M: One side of one sheep in that field in this country is black.
>
> You simply cannot assume that any attempts to connect using your old MX
> address are spam zombies. Many may be, but some will not. Some may be
> legitimate messages affected by the observed behaviour of some caching
> nameservers. Can you afford to drop them?
>
> Also, have you read about fast flux? Take care not to make your domain
> look like a fast fluxer (in DNS terms) as you may fall foul of other
> antispam operators too. You wouldn't want that again, would you?
>
> Graeme
>

Good story and good advice

richard

-- 
-
Richard C. Pitt                 Pacific Data Capture
rcpitt@???               604-644-9265
http://richard.pacdat.net       www.pacdat.net
PGP Fingerprint: FCEF 167D 151B 64C4 3333  57F0 4F18 AF98 9F59 DD73