On Fri, 15 Jun 2007, Marc Perkel wrote:

> What I see happening is that they are hitting MX randomly. So sometimes they
> hit a good server and sometimes they hit the trap. Once they have hit the
> trap several times then they are blacklisted in my hostkarma blacklist and if
> they hit a real server they are rejected at connect time.
>
> On my servers less than 1% of all email attempts make it as far as
> SpamAssassin. This reduces it further.


The fact that you're seeing random connections is out of line with
your own assertion that spammers "don't play by the rules and they try
hitting the higher MX records first thinking there's less spam
filtering there."

The two most likely conclusions of this are that a) Spammers don't
behave the way you think they behave and/or b) spammers do behave the
way you presume they do, but you're catching legit servers that pick
an MX randomly rather than going with lowest first. Either way, it
suggests there's a flaw in the original suppositions that led you to
employ this method of blacklisting.

Unless you have some other reliable source of statistics regarding how
various entities choose MX records, I'd expect blacklisting this way
is likely to garner significant false positives.

--
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew@shanew.net
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
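
Added example, not part of the original message or of either poster's setup: one way to test the false-positive concern raised above is to run the trap rule in observe-only mode and check whether hosts it would list also deliver mail that passes filtering on a real MX. The log format, the threshold of 3 trap hits and all addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real data): (client_ip, mx_role, result).
# mx_role "trap" = MX that never accepts mail; "real" = working MX.
# result on a real MX: "ham" passed content filtering, "spam" did not.
# Assumption: collected while the trap listing is observe-only, so listed
# hosts are not yet rejected at connect time and their mail is still seen.
SAMPLE_LOG = [
    ("192.0.2.10", "trap", "none"), ("192.0.2.10", "trap", "none"),
    ("192.0.2.10", "trap", "none"), ("192.0.2.10", "trap", "none"),
    ("192.0.2.20", "trap", "none"), ("192.0.2.20", "real", "spam"),
    ("192.0.2.20", "trap", "none"), ("192.0.2.20", "real", "spam"),
    ("192.0.2.20", "trap", "none"),
    ("198.51.100.5", "real", "ham"), ("198.51.100.5", "trap", "none"),
    ("198.51.100.5", "real", "ham"), ("198.51.100.5", "trap", "none"),
    ("198.51.100.5", "trap", "none"), ("198.51.100.5", "real", "ham"),
    ("198.51.100.9", "trap", "none"), ("198.51.100.9", "real", "ham"),
    ("198.51.100.9", "real", "ham"),
    ("203.0.113.7", "real", "ham"),
]

TRAP_THRESHOLD = 3  # assumption standing in for "several times"


def would_be_listed(log, threshold=TRAP_THRESHOLD):
    """Per-host counters for every host the trap rule would blacklist."""
    stats = defaultdict(lambda: {"trap": 0, "ham": 0, "spam": 0})
    for ip, role, result in log:
        if role == "trap":
            stats[ip]["trap"] += 1
        elif result in ("ham", "spam"):
            stats[ip][result] += 1
    return {ip: dict(s) for ip, s in stats.items() if s["trap"] >= threshold}


def false_positive_candidates(log, threshold=TRAP_THRESHOLD):
    """Listed hosts whose real-MX traffic was mostly clean mail."""
    listed = would_be_listed(log, threshold)
    return sorted(ip for ip, s in listed.items()
                  if s["ham"] > 0 and s["ham"] >= s["spam"])


def false_positive_share(log, threshold=TRAP_THRESHOLD):
    """Fraction of would-be-listed hosts that look legitimate."""
    listed = would_be_listed(log, threshold)
    if not listed:
        return 0.0
    return len(false_positive_candidates(log, threshold)) / len(listed)


if __name__ == "__main__":
    print(false_positive_candidates(SAMPLE_LOG), false_positive_share(SAMPLE_LOG))
```

Hosts that only ever touch the trap leave no evidence either way, so the share is a lower bound on clean senders among listed hosts.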