Fight Spam With Nolisting
An anonymous reader writes with the technique of Nolisting, which fights spam by specifying a primary MX that is always unavailable. The page is an extensive FAQ and how-to guide that addressed the objections I immediately came up with. From the article: "It has been observed that when a domain has both a primary (high priority, low number) and a secondary (low priority, high number) MX record configured in DNS, overall SMTP connections will decrease when the primary MX is unavailable. This decrease is unexpected because RFC 2821 (Simple Mail Transfer Protocol) specifies that a client MUST try and retry each MX address in order, and SHOULD try at least two addresses. It turns out that nearly all violators of this specification exist for the purpose of sending spam or viruses. Nolisting takes advantage of this behavior by configuring a domain's primary MX record to use an IP address that does not have an active service listening on SMTP port 25. RFC-compliant clients will retry delivery to the secondary MX, which is configured to serve the role normally performed by the primary MX."
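The summary describes two kinds of sending client: one that walks the MX list in preference order as RFC 2821 requires, and one that gives up after the primary. The following is an added illustration, not code from the Nolisting article, that models both against a constructed MX record set for a hypothetical domain (`example.test`, with the decoy primary `mx1` and the real server `mx2`); the "network" is a lookup table standing in for a TCP connect to port 25.

```python
"""Model of RFC 2821 MX fallback versus a primary-only sender under nolisting.

Added example; the domain, hostnames and reachability table are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed MX record set. The lowest preference number is the primary.
# Under nolisting the primary points at an address with nothing on port 25.
MX_RECORDS: List[Tuple[int, str]] = [
    (20, "mx2.example.test"),  # real mail server, takes the primary's role
    (10, "mx1.example.test"),  # nolisting decoy: no SMTP listener
    (30, "mx3.example.test"),  # conventional backup MX
]

# Constructed reachability table: which hosts accept a connection on port 25.
SMTP_LISTENING: Dict[str, bool] = {
    "mx1.example.test": False,
    "mx2.example.test": True,
    "mx3.example.test": True,
}


def ordered_mx(records: List[Tuple[int, str]]) -> List[str]:
    """Return MX hosts sorted by preference, lowest number (most preferred) first."""
    return [host for _, host in sorted(records)]


def try_connect(host: str, listening: Dict[str, bool] = SMTP_LISTENING) -> bool:
    """Stand-in for a TCP connect to port 25; True means a listener answered."""
    return listening.get(host, False)


def compliant_deliver(
    records: List[Tuple[int, str]],
    connect: Callable[[str], bool] = try_connect,
) -> Tuple[Optional[str], List[str]]:
    """RFC 2821 behaviour: try each MX in preference order until one answers.

    Returns (host that accepted the connection or None, hosts tried in order).
    """
    tried: List[str] = []
    for host in ordered_mx(records):
        tried.append(host)
        if connect(host):
            return host, tried
    return None, tried


def primary_only_deliver(
    records: List[Tuple[int, str]],
    connect: Callable[[str], bool] = try_connect,
) -> Tuple[Optional[str], List[str]]:
    """Non-compliant behaviour the article relies on: one attempt at the primary."""
    host = ordered_mx(records)[0]
    return (host if connect(host) else None), [host]


if __name__ == "__main__":
    print("compliant:   ", compliant_deliver(MX_RECORDS))
    print("primary-only:", primary_only_deliver(MX_RECORDS))
```

The compliant sender reaches `mx2` on its second attempt, while the primary-only sender never connects at all; legitimate mail is delayed by one failed connect rather than lost.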
YASIGFINFE (Yet Another Spam Idea Good For Individuals, Not For Everyone) - Spammers will change their techniques to be more RFC compliant as soon as (if) Yahoo, AOL, Hotmail, Gmail adopt this method.
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
This strikes me as the ultimate in temporary solutions. If spam senders *tend* to use only the primary MX record, and people start fighting spam by listing bad primaries, won't the spam senders simply start using secondaries? It almost seems the only way that this approach might be valuable, is if it weren't publicized and posted on /., and one kept it to oneself :)
This is not a long term solution.
1) It's bad netiquette, and a lot of people don't like that, including myself and I'm sure many other administrators.
2) It's an artificial "defense" that is easily circumvented because the rule is obvious. It's security through obscurity with the added suck that there is no obscurity.
3) It's solving a symptom and not any of the actual problems (e.g. hosts being compromised to send spam).
Thanks, but I'll pass.
We get stuff directed at our secondary all the time, despite having a highly available primary. Why? Our secondary is listed at another domain - they do our backup in the case of disaster. I can only assume that spammers hit it thinking that it's a 'back door' into the network, perhaps we don't have the same rigorous anti-spam measures there.
Dumb idea. You're better sending all your domain mail to gmail, using their spam filtering, and then pulling it from there.
Most spam bots already send to the *lowest* priority MX (i.e. the highest number), and work their way backwards, because it's common for the backup MXes to have lower anti-spam rules.
However, this idea would have been *great* six years ago. Once the developer invents a time machine, he's got the spam problem licked for at least a week!
Based on watching a few corporate spam sites and even stuff which reaches my private, never-posted addresses, *much* of the spam could be eliminated by moving to non-Windows clients. I'm not just talking about zombies. Some of the spam I see hits lists of addresses which are valid and include very difficult to guess addresses inside the company. Once somebody inside your company, or a buddy of yours is rooted, your previously private address is out there; I've never had this happen via any route but a Windows user. Of course, people who CC: everybody they know with idiotic crap instead of BCC: make this problem much worse.
Oh, and please stop with the lame form letter responses to these articles. It was cute once, long ago. I know at least five people will have posted them by now. Damn spammers.
"Greylisting" is where an SMTP server refuses messages for a certain amount of time. You set the criteria on why the message would be refused and how long the server would refuse to accept it.
It's been pretty much defeated now because so many spammers have their machines try to hammer the message through until it does go through.
I'm using greylisting right now and the only advantage is that many times a spammer will end up on an RBL during the 15 minutes that I'm refusing his messages.
Remember, the spammers have, effectively, unlimited bandwidth and unlimited processing power at their disposal.
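The post above describes greylisting in terms of criteria and a refusal period but not the mechanics. The following added example (not code from any poster or from a real greylisting implementation) shows the usual form: the server keys on the (client IP, envelope sender, recipient) triplet, answers a temporary failure the first time it sees a triplet, accepts once the sender retries after the delay, and remembers passed triplets. The 15 minute delay is taken from the post; the retry window and memory lifetime are assumed values. A small simulation shows the point the post makes about senders that simply keep retrying.

```python
"""Greylisting decision logic on the (client IP, sender, recipient) triplet.

Added example with assumed timing parameters; all inputs below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Triplet = Tuple[str, str, str]


@dataclass
class Greylister:
    delay: float = 15 * 60            # seconds a new triplet is refused (post says 15 minutes)
    retry_window: float = 4 * 3600    # assumed: pending triplet forgotten if no retry by then
    known_ttl: float = 36 * 24 * 3600 # assumed: how long an accepted triplet stays whitelisted
    pending: Dict[Triplet, float] = field(default_factory=dict)  # triplet -> first-seen time
    known: Dict[Triplet, float] = field(default_factory=dict)    # triplet -> last-accepted time

    def decide(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return "accept" or "tempfail" (an SMTP 4xx reply) for one delivery attempt."""
        key: Triplet = (ip, sender, rcpt)

        # Triplets that already passed are accepted immediately while remembered.
        last = self.known.get(key)
        if last is not None and now - last <= self.known_ttl:
            self.known[key] = now
            return "accept"

        first = self.pending.get(key)
        # Never seen, or seen so long ago that the pending entry has expired: start over.
        if first is None or now - first > self.retry_window:
            self.pending[key] = now
            return "tempfail"
        # Retried too soon: keep refusing until the delay has elapsed.
        if now - first < self.delay:
            return "tempfail"
        # Retried after the delay, as a real MTA's queue would: accept and remember.
        del self.pending[key]
        self.known[key] = now
        return "accept"


def first_accept_time(
    greylister: Greylister, key: Triplet, interval: float, horizon: float
) -> Optional[float]:
    """Time at which a client retrying every `interval` seconds first gets through."""
    t = 0.0
    while t <= horizon:
        if greylister.decide(*key, now=t) == "accept":
            return t
        t += interval
    return None


if __name__ == "__main__":
    g = Greylister()
    spammer = ("203.0.113.7", "bulk@spam.example", "user@example.test")  # constructed
    # A sender that hammers every 60 seconds is through as soon as the delay expires.
    print("hammering sender accepted at t =", first_accept_time(g, spammer, 60, 3600))
```

The simulation confirms the post's complaint: a client that retries every minute is delivered after the 15 minute delay just like a well-behaved MTA, so the only residual value is the chance that the sending host lands on a blocklist during that delay.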
Spammers will often try secondary (and lower) MX's because there's a good chance that the anti-spam AND ANTI-VIRUS systems on those machines are weaker (read "outdated") than on the primary MX.
The more machines you have to maintain, the more likely you are to focus your efforts on the most critical ones and just let the other slide. Spammers are happy to exploit this.
Standard Smartass Form for Comments on SPAM
.... you! Kind of joke
1. Please select format:
( ) In Soviet Russia
(x) The same old form on the spam subject we're tired of seeing here
( ) Some comment on female parts
( ) Suggesting you/slashdot_readers are virgins
( ) Will it run Linux?
( ) Cowboy Neal
2. Are you:
(x) Meant to be funny
( ) On a bad day, trolling
(x) Being authoritative on this subject
(x) Expecting to be modded up
( ) Agreeing with the news
(x) Trying to piss over something people might think is interesting or relevant
3. Include "I'll be modded down for this but...."? (Y/N)
No
Thank you for submitting your message to the Slashdot forum.
Slashdot Quick'n'simple Form: The easy way to show people how smart you are!
I run a mail system that pushes ~3million messages per day. Not huge, not small.
We have thousands of domains pointed to our mail servers and secondary MX servers. Looking at the long run stats, I'd be tempted to completely disregard this technique.
When we take a primary down for maintenance, the secondaries and alternate primaries (same weight MX) see the load almost immediately.
I second the opinion that if this has any effect, it's only for low volume applications, with few/one domain.
We generally see more hits straight to the secondaries by spammers hoping for less rigorous checking. It would be interesting to profile IPs connecting to secondaries without being seen at the primary assuming a primary is always available - I bet that a very high percentage of these connections to secondaries could be viewed as spam.
The problem remains that most tricks of this sort - including greylisting - are eventually circumvented by spammers once the trick gains critical mass. Let's not forget that there are a lot of broken, yet not open relay, mail servers out there. Good engineers and administrators quickly find that Jon Postel's words ring true with their customers: "Be liberal in what you accept, and conservative in what you send." Don't let your RFC enforcing configuration be responsible for delaying/blocking the delivery of that big contract your PHB was waiting for!
Sorry, this isn't going to work. It won't even help a little bit. As a long-time email administrator and the author of an email server I can tell you, with absolute certainty, that spammers ignore the priority of your MX records. In fact, they exploit multiple MX's much of the time, by sending spam to your secondary server(s) even if the primary one is up. In addition to extra target capacity, they often manage to take advantage of badly configured secondaries that might not have spam filtering that's as good as the primary, and in many cases the primary has its secondaries whitelisted to make sure no mail gets accidentally dropped.
You need not open your mail, esp. when the subject line is something that you aren't interested in.
You need not open your mail to have your resources (bandwidth, disk space, processing power) consumed by spam. I work at a major telecom company running the edge mail servers, along with another full time engineer. Of the 12 million emails we get a day, about 100,000 are legitimate mail. The rest is just spam, and it uses up the bandwidth that could've been resold to customers, it uses up the disk space on the expensive mail servers we bought a few months ago, hell it forced us to buy those expensive new servers in the first place. I figure, just in the extra salary (if not for the spam one guy would be enough to handle the load), having to upgrade perfectly adequate five year old servers, and buying licenses for anti-spam products at four different levels of mail delivery throughout the enterprise just to keep our users from being deluged with useless garbage, the company spent about $200,000 last year, and will spend about the same amount this year. All because a bunch of asshats want to force our employees to read their idiot advertising, using our network resources to push their message.
That's not free speech, that's theft. And that's never been legal.
The first time I ever saw one of those "forms", I thought it was interesting.
The second time, I thought it was "ho-hum".
After hundreds, maybe even thousands, they are just plain lame.
The only good thing about them is that you instantly know that you can skip over them and not miss anything at all.