This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: clarified pitfalls of "no-listing" tactics.

...

No Format
 fake0.example.com   10
 realmx.example.com  20
 fake1.example.com   30

The fake records can either be undefined or can point to dead IP addresses or to should ultimately resolve to real IP addresses with port 25 closed.  On the lowest numbered MX be sure it's pointed , not resolving to a closed port because if you just use a temporary error then Qmail, which is not RFC compatible, real IP address with port 25 CLOSED will cause serious interoperability problems with QMail, which will never move up to the next MX record. If you it point at an unused or unreachable IP to which connection will simply time out, you may cause substantially longer delays than if the connection fails "hard." Pointing the MX to a name that has no A record or an A record that resolves to a generally unreachable IP (e.g., link-local, RFC1918 private, TEST-NET, etc.) can also cause problems with your mail's deliverability, as some sites test for such bogus MX records. 

Fake Lowest MX

The reason for the fake lowest MX record is that where most email is delivered. Real servers will get the error and retry the middle MX and deliver the email with only a few seconds delay. Zombie spam will just move on to the next victim. No good email is lost but a huge amount of spam never makes it into the system at all. This not only reduces spam but also reduces system load as SA doesn't have to process any of this.

...

Email is supposed to be sent to the lowest numbered MX record first with the higher MX records being backup servers. Spammers often with try the highest MX record first thinking that the backup servers have less spam filtering than the main email server. They try the highest MX record and then never come back. So I set my highest MX record to point to an IP address that always returns a temporary "Come Back Later" error.

A real email server will retry and get through. But the spammer will just go away. This trick saves having to process several million messages a day on my servers at JunkEmailFilter.com.

...

Detail can be found at Project Tarbaby. NOTE WELL: Pointing MX records to systems which you do not control carries a risk of legitimate mail being lost and/or leaked to a 3rd party. 

Greylisting

Instead of a 2nd fake MX you can use greylisting, which returns a temporary "Come Back Later" error for users currently not known. It has the advantage of helping you on the primary MX directly, and rejects about 60% of the connections here. This is because spammers only try to send once, and if there is an error, they drop it. Real mail servers retry later.

...