Marc Perkel wrote:
> Looking for a few volunteers who want to reduce their spambot spam and
> at the same time help me track spambots for my black list. This is
> free and mutual benefit. I (junkemailfilter.com) want to be your
> highest numbered fake MX record. Here's how you would configure your
> domain:
>
> mail.yourdomain.com MX 10
> tarbaby.junkemailfilter.com MX 20
>
> I will never actually receive your email. The recipient will always get
> a 451 error just after the DATA command. So if your servers are down
> you won't lose anything. A 451 error is an "I'm not ready, come back
> later" error.


what if he comes back later to the same MX, again and again (AFAIK, this
is the case with qmail)? mail will be lost.

>
> This will help you reduce your spambot spam generally by half. Many
> spambots try the highest number MX records first and never try again.
> So these attempts just go away. Your system load drops, your spam is
> reduced, spamassassin doesn't have to work as hard. And some spammers
> will actually blacklist you because when they see a
> junkemailfilter.com host in the MX they don't even try because they
> know that it will only reduce their spambot army to even attempt to
> send a spam.


do you have any evidence for this? or more generally, do spammers really
check the MX name for such patterns?
>
> I have developed an extremely accurate way of detecting spambots and
> getting them listed on the first attempt to send spam. It involves
> detecting a combination of several sins that if they hit this
> combination, and most do, it's a virus infected spambot. Without going
> into great detail one of the unique things I look for is hosts not
> closing the connection with quit but rather allowing the connection to
> time out after receiving the 451 error. When you combine that it's the
> highest MX, no QUIT, and several other tests on HELO and other things
> I can get these hosts blacklisted which blocks their spam for everyone
> who uses my blacklists. And - unless you are huge - you can use my
> blacklists for free.
>
> Here's what an SMTP session to my tarbaby server looks like.
>
> telnet tarbaby.junkemailfilter.com 25
> Trying 65.49.42.79...
> Connected to tarbaby.junkemailfilter.com.
> Escape character is '^]'.
> 220 tarbaby.junkemailfilter.com ESMTP Exim 4.68 Wed, 07 May 2008
> 08:20:24 -0700
> helo mydomain.com
> 250 tarbaby.junkemailfilter.com Hello vps8.ctyme.com [65.49.42.18]
> mail from:<>
> 250 OK
> rcpt to:xxx@ccc.com
> 250 Accepted
> data
> 451 DEFER - Try a lower numbered MX record -
> http://www.junkemailfilter.com
>
> So - if you are interested all you have to do is set your highest
> numbered MX to tarbaby.junkemailfilter.com. If you want to know more
> about my lists you can read about them here.
>
> http://wiki.junkemailfilter.com/index.php/Main_Page
>
> This is experimental. I'm looking to see what kind of useful data I
> can derive from this to see how well it works and if I'll continue it.
> Send me a private email if you have any questions.
>
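
The following is an added example, not code from either poster or from junkemailfilter.com. It sketches the one signal the quoted post names (a client that receives the 451 after DATA and lets the connection time out instead of sending QUIT) and also surfaces the case raised in the reply: a well-behaved sender that keeps retrying the same MX. The event names and sample data are constructed assumptions, not a real MTA log format.

```python
from collections import defaultdict

# Constructed events: (client_ip, session_id, event). Event names are
# hypothetical placeholders, not a real MTA log format.
SAMPLE_EVENTS = [
    ("192.0.2.10", "s1", "DATA"), ("192.0.2.10", "s1", "451"),
    ("192.0.2.10", "s1", "QUIT"),
    ("198.51.100.7", "s2", "DATA"), ("198.51.100.7", "s2", "451"),
    ("198.51.100.7", "s2", "TIMEOUT"),
    ("192.0.2.10", "s3", "DATA"), ("192.0.2.10", "s3", "451"),
    ("192.0.2.10", "s3", "QUIT"),
    ("203.0.113.5", "s4", "TIMEOUT"),  # dropped before DATA
]

def summarize_sessions(events):
    """Collapse the event stream into one record per SMTP session."""
    sessions = {}
    for ip, sid, event in events:
        rec = sessions.setdefault(sid, {"ip": ip, "deferred": False, "end": None})
        if event == "451":
            rec["deferred"] = True
        elif event in ("QUIT", "TIMEOUT"):
            rec["end"] = event
    return sessions

def classify_hosts(events):
    """Label each host that reached the 451 on the highest-numbered MX."""
    per_host = defaultdict(lambda: {"no_quit": 0, "clean": 0})
    for rec in summarize_sessions(events).values():
        if not rec["deferred"]:
            continue  # never saw the 451, so the no-QUIT signal does not apply
        key = "clean" if rec["end"] == "QUIT" else "no_quit"
        per_host[rec["ip"]][key] += 1
    verdicts = {}
    for ip, counts in per_host.items():
        if counts["no_quit"]:
            verdicts[ip] = "candidate"    # one signal only; combine with other tests
        elif counts["clean"] > 1:
            verdicts[ip] = "stuck-retry"  # polite sender returning to this MX
        else:
            verdicts[ip] = "clean"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(classify_hosts(SAMPLE_EVENTS).items()):
        print(host, verdict)
```

A "stuck-retry" host is the one to watch before adopting the fake MX: it closes sessions correctly but keeps landing on the deferring host, so its mail is delayed or bounced rather than delivered.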