Stopping Spammers Who Exploit Secondary MX?

drteknikal asks: "I'm the admin for a small law firm. We use our ISP as our secondary mx. We are receiving spam from our secondary mx even when our primary has been continually available. We suspect that spammers are routing to our secondary MX to bypass the DNS-based spam filtering on our primary. After examining some of the traffic, our ISP agrees. Neither of us sees an immediate solution, given the purpose and function of secondary MX. They already restrict relaying to hosts on their network. Has anyone else seen this? Does anyone have suggestions on how an ISP could secure their mail exchangers without interfering with the functionality required to function as secondary MX for an external domain?"

Spam filtering on their end...?

[greenhide]

Is there any reason why the ISP can't set up some sort of SPAM filtering on their end?

Also, why not just set up the ISP's server as a backup server only? That way, you access your e-mail through the main server, which would make the mail go through your SPAM rules, right?

Re:Spam filtering on their end...?

[SmashPDX]

Doesn't quite work that way. In terms of inbound SMTP, a secondary MX with a lower priority (higher numeric value) is already, techincally, a backup. However, it is a backup *route* that will accept mail at anytime, so if someone simply decides to ignore the primary-- or falls back to the backup because the primary said no-- well, you have the problem described.

If you wish to leave the boundaries of the SMTP protocol there are probably all kinds of things you can think up, but if you aren't willing to implement add-on-style solutions that say "I will only accept email if *I* think the primary is down" then you're out of luck. SMTP+DNS alone doesn't work that way, never has, never will.

well

Does anyone have suggestions on how an ISP could secure their mail exchangers without interfering with the functionality required to function as secondary MX for an external domain?

There's a solution we invented down here in Texas involving guns, tars and feathers and truckloads of dynamite. However, physical proximity to the spammer is required, and your market may vary. PM me for details.

Re:well

[BrynM]

There's a solution we invented down here in Texas involving guns, tars and feathers and truckloads of dynamite.

Don't forget rope. You can't hang someone or draw and quarter them without rope. Rope is the vigilante's duct tape. It's good for everything. Especially spammers...

Re:well

There's a solution we invented down here in Texas involving guns, tars and feathers and truckloads of dynamite.

So it's the same solution you use against colored people, then? How creative, you fucking hick racists.

Re:well

[drakaan]

Right...cause there aren't any black people (colored??? are you *that* much of a jackass?) living in Texas.

Well...

[drakaan]

I'm not sure I understand the problem...why can't you set up restrictions like those on your primary MX on the secondary, and if you can, why do they work on one, but not the other?

Re:Well...

[Asgard]

Presumably the ISP is servicing multiple customers and doesn't want to set up a configuration that would impact everyone else.

Re:Well...

[schon]

Presumably the ISP is servicing multiple customers and doesn't want to set up a configuration that would impact everyone else.

They should be able to implement it selectively, based on the recipient address/domain.

It's really not hard to do - all modern MTAs support this type of operation.

I, too, have seen this

[wowbagger]

I have seen a bunch of my spam at work come in from the secondary MX. Until this moment I'd assumed it was due to our primary MX being down, or due to the spammer's mail client picking the "closer" MX (our MXs are widely spaced geographically and in IP space).

However, the solution seems simple enough IF you control the secondary MX - install the same level of anti-spamming on the secondary MX as you have on the primary MX.

Of course, if you don't control the secondary MX.....

Same thing here

[beat.bolli]

I observe the same thing here. 90%+ of the mails that reach us through the backup MX are spam. Our problem is that we have to get this mail with a POP account, thus bypassing the normal spam check.

One solution would be to let the backup forward the mails normally to the primary MX, but our ISP can't do this; once the mail is in the POP account, it's gone from the mail queue...

Re:Same thing here

If you get it from a POP account what about fetchmail?

It downloads the mail and sends it through a local SMTP server. On the local SMTP server you could setup a milter (if using sendmail) to at least flag the spam. Then setup filters on your MUAs.

Re:Same thing here

[Neon+Spiral+Injector]

Wow, that's broken. So you have to check one account's mail on two different machines?

The whole purpose of a back-up MX is to collect mail while the primary is down. But just to hold it in queue. When the primary comes back on-line, it then delivers the mail there.

So the back-up(s) should be configured to accept mail for the domain name, but not for local delivery. This is a basic function of all SMTP servers.

Re:Same thing here

[beat.bolli]

No, the mail from the POP account (just one for the whole mail domain) is parsed and redispatched to the appropriate mailbox(es) on our internal server. It's just a leftover from the days when we had to get *all* mail from this one POP account (we're a small shop, 13 ppl). The Python script that does this is available if you have similar problems.

Re:Same thing here

[reluctantengineer]

Yea, in the last couple weeks I've been seeing this on our mail server as well. We use a commercial "store and forward" service, and a measureable amount (I'd say 10% or 15%) of our spam is coming through that. Fortunetly our email server has spam filtering built in, it doesn't matter what MX it comes through. Filter on sender address/domain, plus the standard rules based filtering.

How about a third MX?

[Neon+Spiral+Injector]

I noticed the same thing. While both of the main servers had the same level of spam filtering, I found it odd that the secondary was seeing a lot more spam. So as an experiment I added a thrid MX, the first two are of priority 0 and 10. The third I made 100 (not that it really matters). On this third server I set up even stricter anti-spam rules. The amount of spam fell of very quickly after that. The spammers would go for the trap. I would say that over 90% of the e-mail to that server is spam. I have almost considered just making it a black hole. But it does see a little valid traffic, and there is a chance that both of our main servers could be offline at the same time.

Re:How about a third MX?

[Polo]

So as an experiment I added a thrid MX, the first two are of priority 0 and 10. The third I made 100 (not that it really matters). On this third server I set up even stricter anti-spam rules. The amount of spam fell of very quickly after that.

Sounds like that could be the answer. Just make a local 3rd mail exchanger with spam controls and maybe the traffic will be diverted off the second one.

Re:How about a third MX?

...as long as you realize that this is a purely temporary solution. Won't be long before they catch on.

Re:How about a third MX?

[Zocalo]

Targetting lower priority MX's makes a lot of sense from the point of view of a spammer. A huge number of SMEs out there with their own mailserver are using an ISP's servers as their backup(s) and these are probably not going to have as high a level of anti-spam filtering. The additional MX approach sounds like a good backstop though.

I'll have to check my SpamAssassin rule set, but I think a small positive score if a backup MX was used as a relay might be in order. What would be really slick would be to weight the score based on uptime of the primary MX; if the primary was up when the mail hit the secondary then a bigger score should be given. I'm not sure how to implement that though (if it's even possible) because you need to know that the server was up *and* accessible from the Internet.

Re:well [OT]

[renehollan]

Sniff, snif :-(.

I do miss Texas. Heinlein was right: "An armed society is a polite society."

Never encountered a pushy type in a line, and people in the "N-items or less" lines always had N items or less.

If I murder someone in Texas, I fry. If I murder someone in Canada, I'd likely get 25 years, parole after 7, and the murdered person's family pays the taxes to support my room and board while I'm locked up. Almost beats working for a living. Of course, not liking the intimate company of people named "Bubba" kinda puts a damper on the "murder in exchange for free room and board idea" (While inmates in U.S. prisons are supposed to not suffer cruel and unusual punishment, such punishment is actually advertised as a deterrent in the province of Ontario, as a means of combatting drunk driving: "Drive drunk, go to jail, get sodomized.")

Uh, huh! We feed, clothe, and house our criminals here! And, if you're "Bubba's" type, you got it made! Just go and murder someone!!

Secondary MX filtering

[secolactico]

Unfortunately, unless your ISP is willing to implement the same DNS based filtering, you are out of luck.

I guess you could set a filter to process the IP prior to the secondary MX and filter that. I don't know of any ready made solution for this tho, and it requires that your server receives the message and examines the headers.

Another new spam trick...

[dmayle]

Anmother trick that I'm starting to see pop up is control characters in the headers, so spamd/spamc get a screwed up byte count and allow the message through. I'm not running the latest version of SpamAssassin yet, though, so this may have been fixed already...

The way I see it...

[wonkamaster]

The spammers seem to be exploiting a flaw in your methodology. I'm not sure there is a good way around the problem -- at least how you're doing things now.

The core of your problem is the fact that your ISP is accepting SMTP traffic for you and does not support the same policies as your own mail server supports. If you want to get rid of the SPAM coming from your ISP, you need to be able to implement policies on the secondary MX server.

I would suggest one of the following:

• Collocation: Put one of your own servers at your ISP to which you have full control over
• In-house: Don't use your ISP as a secondary MX, set up a second server at your site instead (this still protects against primary server failure, but not against ISP connectivity problems)
• Paranoid: Implement the filters on mail coming in from the ISP. Depending on your filtering software, this might be a little more tricky but it will work.

With regard to the Paranoid option above, it should just be a matter of checking ALL of the Received headers instead of just the last one. Usually spammers can (and do) forge all of the Received headers except for the last one -- which they can't because your server adds it. In the case of mail received by your ISP, the last two Received headers are guaranteed to be valid.

Checking all of the Received headers against the SPAM database would do the trick.

Simple fix

[geirt]

Add your main server to DNS as the MX with both the highest and lowest priority.

eg:
mail.myserver.net pri 10
mailbackup.myisp.com pri 20
mail.myserver.net pri 30

Works perfect for now. But some day the spammers will adopt to this too ....

Re:Simple fix

[alonsoac]

How does this prevent the spammer from sending mail to the mailbackup server ?

Re:Simple fix

It doesn't prevent them, and nothing will. The point is that the spammers seem to be choosing the highest MX record to send the spam to, and if you set your main mail server as the highest MX record, the spammers send to that server and his spam filtering works.

Re:Simple fix

[jamesh]

This worked for me for about a week. I then peppered the primary with all sorts of different names all over the MX record list. That also failed to work. In the end I just gave up and deleted all MX records except the primary. Other servers will retry if they can't find mine. The amount of mail actually lost in the case of downtime is pretty much irrelevent compared to the amount of spam i now don't get. (it runs linux so uptimes are normally measured by numbers with 3 digits.)

Check the headers coming from your MX

[bmomjian]

I had that problem and fixed it by adding sendmail rules to check the host that sent the mail to my MX.

Check here for the script and my general spam article is here.

create another MX

[oo_waratah]

They appear to use the last MX record, so create a third one and just delete anything coming into it.

Your secondary MX should pick up anything that overloads yours so you should not dump any real traffic.

This was discussed a few months ago on slug.org.au on the mailing list. Take a look at the archives google with site:slug.org.au

Re:Welcome to GNU GVideo GProfessor!

what

a few options

[cuiousyellow]

Direct to MX spamming should surprise you about as much as drunk drivers driving without their seatbelts on.

Without their seatbelts on!!

There are quite a few options in order of preference:

• Augment your dns filtering with spam assassin and bayesian filtering in house.
• root your secondary -- colo a spare machine and implement your current filtering there as well.
• Educate your users to safeguard their e-mail address and install client side filtering
• Give up the advantages of a secondary MX and do without.
• Educate your users to safeguard their e-mail address and become delete-button-ninjas
• Give up on SMTP.
• Swith to a $BIGCOMPANYTHATGIVESAWAYFREEHOURS style ISP that holds its users hands and filters mail for them.

I'm sure I missed some in the middle there...

As an aside -- you mention:
They already restrict relaying to hosts on their network.

This would defeat the point of their running a backup MX for you -- I'm sure that your secondary is relaying any envelopes addressed to your domain.

Use a local 3rd MX that feeds spamd

[petard]

They mostly seem to be going for the lowest MX on the list, so simply:

1. Obtain an additional IP address for your primary MX box.
2. Configure that as your tertiary MX, with, say, a priority of 100
3. Configure the MTA on that box to feed your Bayesian filter with all the spam you'll get, then delete it without transferring to your inbox :-)

The critical thing is that you need to be certain that this tertiary MX is only up when your primary MX is also up. No legitimate mail software will use an MX with a priority of 100 when it can connect to an MX with a priority of 1, so you can be certain that anything the 3rd MX gets is spam. If they're on different boxes, however, a simultaneous outage of the first 2 could cause you to accept then dump legitimate messages.

Me too

[heikkile]

I am providing a secondary MX for our company, from my home machine. Not much of real traffic comes in that way, but a lot of spam does.

I suspect that some spammers have figured out that most complaints go to the first "Received" header (if not to the forged "From" headers), and most secondary MX's will forward the mail to the primary MX's, adding a "Received" header. So some complaints will go to the secondary MX instead of the open relay or the fool that actually sends the spam... So those will take a bit longer to get shut down.

I could add a procmail rule to pipe all those mails into a suspicious folder, but that would not help the rest of the company.

Re:Welcome to GNU GVideo GProfessor!

hmm no google hits

Secondary MX are often unneccessary.

[DocSnyder]

In the past, a secondary MX should ensure email reception after a failure of the primary MX. Nowadays it's quite useless if the Internet connection between the secondary MX and the human recipient is interrupted - it's even contraproductive as a sender might have seen his email being delivered, with the recipient not knowing anything about it.

Apart from load balancing, a single MX is often enough - if it's unreachable, emails will stay queued on the sender's systems and get delivered later.

Re:Secondary MX are often unneccessary.

[menscher]

Yes, one is enough for a small site that doesn't care much about not losing any incoming email. But for a more serious site, it's necessary to have a backup. Here's why:

Let's say you have some scheduled downtime of your main server. Let's imagine that the downtime lasts more than four hours. Do you want all the senders to get delay notifications?

What if the downtime is worse, due to a total disk failure, for example. It could easily take more than a day to get back online. Many sender systems won't keep trying for more than 24 hours. Wouldn't it be nice if you could have all incoming mail saved locally? Then you could store it as long as you deem appropriate, rather than depending on the sending sites to do so.

Re:Secondary MX are often unneccessary.

[TheLink]

"Let's say you have some scheduled downtime of your main server. Let's imagine that the downtime lasts more than four hours. Do you want all the senders to get delay notifications?"

Actually yes, if the recipients can't get their mail whilst the main server is down.

Nowadays much email gets stale very fast. See the Ask Slashdot story about smtp timeouts.

The only time I can see backup MXs (or DNS servers for that matter) being useful are if you have multiple connections to the internet or you use crappy server hardware and software (e.g. sendmail, BIND). Even in the software case, if they are identical software and you need to security patch them, you may wish to take ALL of them down.

Most orgs I see don't have more than one connection.

two more servers

[acaird]

The suggestions thus far are all good, and here's another...

Put in two more servers (how important is this? otoh, two smtp servers can be, by today's standards "low-end" systems and perform just fine) and have the mail make one more stop on the way at these, and put the anti-spam machinery there. So the flow of mail would look like this:
MX1 --\/--A.S.1--\/--internal mail/pop/imap
MX2 --/\--A.S.2--/\--servers
so no matter what the spammer does, everything is still scanned, leaving you not to worry about CoLo'd servers, or what ISP(s) you use as MX'ers. You could, of course, do this with one A.S. server, but you've got all those backup MX'ers, so it'd be a shame to introduce a single point of failure now.

illigitimi non carborundum

they will adapt. unless.....

[slittle]

Obviously you need multi-phasic secondary MXs on a rotating modulation...

If that doesn't work, a penis shaped inverse tachyon pulse up their own MX will fix their little red wagon, quicksmart.

Even simpler... point 3rd MX at 1st

[leonbrooks]

...it would be worth experimenting to see if the attacking software is bright enough to notice the similar IPs, or if you need a second IP. If you need a second IP, you could pick a non-mail machine and port-forward 25 from it to your primary.

I'm guessing some spammers would focus on the second IP, some on the last, and some would choose at random, so it might be effective to set up four MXes, the second and fourth being echoes of the primary, and the third being the "real" MX.

If your primary's spam filters know what the connecting address was, they could block all traffic from it for an hour, and tell others (the ISP, for starters) about it so they could do the same. That way a spammer hitting the primary MX, getting rebuffed, then falling back to the secondary would be SOL.

How are you filtering?

[Mr.+Darl+McBride]

If you're merely blocking these IPs, then of course they're using your secondary -- that's what the secondary is for, it's for when the first can't be reached.

Instead of blocking mail from an IP address, you should accept and discard the mail. If you don't even open a socket, or if you reject with one of many generic messages, most any mail package will continue with the secondary.

They don't prefer secondaries...

[arrow]

Most of the popular spmware (SendSafe, SuperMailer, etc) packages just choose an MX randomly. Or to be exact, the FIRST MX returned by your DNS server.

Remember, DNS servers return multiple records for the same record in a random order, regardless of prefrence or anything else.

Hence you need to hack your DNS servers to return your spam-filtered primary at the top of the list.

secondary MX forwards to primary MX

[martin]

Secondary MX shouldn't deliver to a non-filtered internal email system., but should wait for the primary to come back up.

That way any filtering on the primary is also used if spammers use the secondary to deliver, mail continues to be delivered as normal, with no other changes.

Works for us..

Re:secondary MX forwards to primary MX

[fyonn]

Secondary MX shouldn't deliver to a non-filtered internal email system., but should wait for the primary to come back up

it does

That way any filtering on the primary is also used if spammers use the secondary to deliver, mail continues to be delivered as normal, with no other changes.

there is a change, the sending host is now one that you can't blacklist. if the mail gets sent to the primary directly then it can look up the IP of the sending server in a dns blacklist.

dave

Re:secondary MX forwards to primary MX

[martin]

yes blacklisting gets broke, given the current problem with RBL's....

Also RBL's should NOT be the only mechanism for spam blocking anyhow, you need a complete set of things: including whitelists, blacklists (homegrown or provided), baysian, simple text, virus filters.......an of course a policy to police the whole thing.

What I did

[Cheeze]

I was doing something like this for customers:

system:
virus/spam scanners --> mail system
dns:
MX 30 backupmx.domain.com
MX 20 virus/spam scanners
MX 10 mail system

and we were getting tons of undeliverable mail for our customer's domains at the 20 and 30 MX entries.

There was no reason to even bother with the backup solution since the virus/spam scanners would just queue it up anyways, so we now set it up like this:

system:
virus/spam scanners --> mail system
dns:
MX 10 virus/spam scanners

and then have the virus/spam scanners process every piece of e-mail and queue it if it cannot deliver to the mail system. We use qmail and smtproutes to move the mail to their server. If their server is down, it just stays queued up.

Dictionary Spam Volume Problems with Secondaries

This is my personal opinion, not that of the ISP I work for. The names have been changed to protect the innocent. And it wasn't my account, it was one of my co-workers', or, as Vlad Taltos would say, "I don't do 'work'.... but I have a friend who does."

We offer secondary MX mail relay service to our customers, intended as a low-cost backup service. Spam filtering is available, mainly intended for people who use us as their primary email service, and most of the secondary customers have their own spam filters that they like to tune for themselves, so they haven't been using ours. There are some things it can't do directly, like detect whether an email username really exists, especially if the customer has an old Exchange server protected behind a spam filter appliance or application-relay-type firewall.

Unfortunately, Dictionary Spam Attacks are really annoying in this model. If the spammer is contacting your mail server directly, and aardvark@example.com, aaron@example.com, etc. don't exist, your mail server will bounce the RCPT TO: and not accept the message, so there's minimal data transfer for the million or billion messages they try to send, maybe 50-100 characters of request and rejection message. However, if the secondary MX server doesn't _know_ that, it'll accept them _all_, complete with each 10KB of blather about how to Make Vi@gra F@$$T!!, and try forward it all to example.com's real mail server.

What's supposed to happen next is that example.com's primary server sees each RCPT TO: and rejects it, leaving us to queue up a bouncegram to YetAnotherForgedFromLine@yahoo.com, so example.com only gets flooded with requests but rejects them at the envelope stage, so their T1 line doesn't get stomped with the message bodies.

Unfortunately, Example.com's spam-filtering appliance also didn't have access to valid-vs-invalid user names, so it had to accept each message, and it couldn't handle the load, because the spammer's zombie farm and our big mail relay system were both a lot bigger than it was, so it collapsed and died. They were able to get it to stay up by rejecting all messages from our mail server, but far more unfortunately, some of Example.com's customers get outgoing mail relay service from us, so that wasn't a stable solution either. So we're turning on spam filtering for them, and if that doesn't keep the load manageable, they'll probably build their own secondary server or something.

Do Broken Third MXs work? or Teergrubes

[billstewart]

OK, ok, so spammers and spam blockers are in an arms race, and this will probably only work for 15 minutes if it gets deployed widely because spammers will change their spamware, but what happens if you give the spammer a broken third MX site? Some obvious ones are:

• A machine that doesn't do SMTP on Port 25, so the connections get rejected.
• Verisign's SiteFinder Email Handler which rejects messages for anybody? (Might as well get _some_ use out of them :-) Their first version would have worked better than the second one - it only rejected individual addresses at the RCPT TO: stage but didn't reject the whole session up front because some popular mailers reject brokenly to that (now it does both; not sure whether the spamware does or not.)
• Your own reject-mailer, which can reject the connection with something more appropriate, like 452 "insufficient system storage - try again later", which has the advantage that if somehow a real user connects to it, their stuff should stay queued until your main mailer is working again. That's also a good place to run a VRFY that will happily claim that any address the spammer wants to test is a correct adddress (or if you're not worried about real mailers using VRFY, only spammers, you can have VRFY respond positively only for user names that don't exist, and negatively for user names that do exist.)

Of course, you can always teergrube the tertiary mailer, letting the sender get bogged down in something that _looks_ like it's accepting their messages, but doing so v....e....r....y.....s....l...ooooo.....wwww....ll lll.....yyyyyyyyy...... and logging connections. (That's also useful if you're seeding the web with spider-bait for harvesters using domain names that have their primary pointing to your teergrube.)