Using fake MX records to combat spam

Solution 1:

Do yourself a favor and set them up with a gateway anti-spam service such as Postini. For a few dollars per mailbox per month, there's absolutely no reason not to and you'll not only eliminate 99% of your spam, you'll also enjoy having access to their spool service (handy for scheduled or unscheduled downtime), not to mention the bandwidth savings by letting someone else receive and process all that spam before it hits the edge of your network.

Not a Postini employee, just a happy user who's also setup dozens of clients with it.

Solution 2:

I've tried this, and I can strongly recommend that you DON'T DO IT! It seemed like a good idea at the time, but after mail from various senders starting disappearing, I realized that it was a mistake. What I didn't realize was that there are lots of terribly written SMTP servers out there, that don't follow the spec and are fairly bad at handling errors, and people don't know or care because "this other guy got my email, so it must be you".

I second some of the other suggestions for handling SPAM. Postini is a great service, and even the built in anti-spam stuff in the free google apps isn't that bad. If you want more control you can buy an IronPort or other device, or roll your own.

Solution 3:

I've never heard of this method before and I can imagine it would delay legitimate email potentially by several hours. At the end of the day, the smtp protocols need to deliver your legitimate email. The valid servers will hit the bogus mx record and try to deliver to that server... I don't know what you might have running there (if anything), but they will keep trying until it's accepted.

Proper servers will keep trying the MX records until the mail is delivered. Spammers tend to get smarter and if this works for some spam software now, I doubt it'll work for long. I can't recommend it.

My suggestion is instead to look at using an smtp tarpit in addition to your existing spam filter. There are a number of these available now. I think you'll find it's much more effective than the fake mx record method.

Such tarpits come with smtpd on BSD. There are also some tarpitting features in sendmail 8.13.

Basically, a tarpit works by tying up spam server resources. They do that by delaying the responses they get. e.g. the spam server connects and receives about 1 byte per second.
Some of the tarpit servers look for spam patterns and can recognize a spam server. Legitimate servers will be prepared to wait through a slow response. In some tarpits servers they move the legitimately recognized server onto a whitelist automatically so there is no delay in the future.

Google SMTP Tarpit and take a look.

Solution 4:

You didn't mention it, so is there a reason you're not using a DNSBL?

Edit: SpamAssassin includes support for a few of them - without them, you'll be wasting a lot of CPU cycles analyzing spam.

Solution 5:

I use this this fake MX (a variante of the nolisting) and it works very well.

I used a postfix MX with all the usual filters and after some spambot manage to overload the server for 2 or 3 times i decided to give it a try...here is the result: fake-mx, before and after

try to guess when i have implemented the fake-mx! 8)

The result is the same as postgrey, but unlike postgrey, you don't need to change your mail server

The spambots now will either try the high MX or the low MX, freeing the real MX from the load of trying to filtering then (even with DNSBL, the load was high) and real email arrives with minimal delay.

But be warned, there are risks:

  • Some servers might have high retry times. Most servers will retry the next MX after the first one timeouts, others will try in the few minutes next, but i already saw servers that only retry after one hour or one day. They are very rare and for the ones i could catch it was a bad config. talking with the other postmaster fixes the problem

  • All emails will have a delay. Actually i see no delay at all, almost all real mailservers will retry to the next MX after the the first timeout, so we are talking about 30s delay. They usually try at least 3 MX before queueing the message for a longer delay. but you might have contact with one broken mailserver that might not do this and delay every message for minutes. So this is a thing to monitor when deploying this solution.

  • Broken sites. Some webservers send email for passwords, notifications, etc and instead of delivering for a internal real mail server, they try to be a "fake" mail server and delivery directly. As its a webserver, they will never retry and the email is lost. Again its a bad configuration from the webmaster/web developers, as only real email servers should send email. every time i find this problems i talk with the webmaster about the problem and usually the problem is fixed.

  • No logs. As the fake MX poing to unconnected IPs, you have no logs of what tried to be delivered. you only know that something went wrong when someone complains. but this is also good. You can always claim that you have no attempt to deliver any email, so its a remote problem. The other side must check their logs and solve the problem. I can prove there is no connection at all to my real server, moving the pressure to resolve the problem to the other side. If the other side is unable to fix the problem it looked as untrusted, unreliable.

  • No whitelist. this applies to all servers via dns, so you can not whitelist one server... actually is just half-true, but is harder. the whitelist solution is that the lowest MX points to a IP where a smtp is running, but filtered by firewall for everyone. Those servers you want to whilelist needed to be permitted in the firewall. This way all servers will be rejected by the firewall and the whitelisted will be able to deliver to the mail server. It works, but only for IPs whitelist, not for email whitelist.

Unlike postgrey, where the remote sender have a log of a "rejected" delivery (and so can point at us as the problem), the fake-MX will show that the webserver could not even connect and didn't retry, giving no excuse for the remote side about the problem. A failing MX better accepted over postgrey, as we can always claim some "routing problem, but the backup MX is working fine, we get all other emails"

with that said, i get very little complains (about 1 every 3 months), so i consider it safe enough (every spam filter have risks).

Please note that i use valid ipv4 address for all the MX, but for the fake ones i use a IP that i control that is not in use (and so it gives timeout/host unreachable on any connection). this rules apply even if you don't use this. There are dns and smtp servers that require a perfectly valid dns config for the email to work. the fake-MX must also be valid, they should just not be reachable.

Do not use private IPs or IPs that you don't control for the fake MX (if you add ipv6 address, ALSO add a ipv4 one). This avoid problems with broken DNS and mailservers and surprises of other getting your email (by installing a smtp server on the IP you don't control). Also, CNAME are forbidden for MX, so don't use it also, just a plain A record

Finally, a tcp-reset should be sent for the fake MX, to improve performance (host or port unreachable) instead of a plain timeout (by dropping the packet), so it's recommended to add it to you firewall.

anyway, not only i still use it, as i recommend everyone to use it