Shane Williams wrote:
> On Fri, 15 Jun 2007, Marc Perkel wrote:
>
>> What I see happening is that they are hitting MX randomly. So some
>> times they hit a good server and sometimes they hit the trap. Once
>> they have hit the trap several times then they are blacklisted in my
>> hostkarma blacklist and if they hit a real server they are rejected
>> at connect time.
>>
>> On my servers less than 1% of all email attempts make it as far as
>> spam assassin. This reduces it further.

>
> The fact that you're seeing random connections is out of line with
> your own assertion that spammers "don't play by the rules and they try
> hitting the higher MX records first thinking there's less spam
> filtering there."
>
> The two most likely conclusions of this are that a) Spammers don't
> behave the way you think they behave and/or b) spammers do behave the
> way you presume they do, but you're catching legit servers that pick
> an MX randomly rather than going with lowest first. Either way, it
> suggests there's a flaw in the original suppositions that led you to
> employ this method of blacklisting.
>
> Unless you have some other reliable source of statistics regarding how
> various entities choose MX records, I'd expect blacklisting this way
> is likely to garner significant false positives.


It appears that some spammers hit the highest mx first and some spammers
hit random mx records. But legit email would not hit these higher mx
records so I doubt I'll have a problem with false positives.