Monday, December 7, 2009

Stop Spam with fake MX records

SkyHi @ Monday, December 07, 2009
My client was suffering from a high volume of spam emails, about 150 a day. Our mail server does a pretty good job of moving most of the spam to the spam folder, but 30% would still end up in the inbox. Recently I read about a little hack to your DNS records that seems to stop spam in its tracks: it involves creating multiple MX records that are fake.

Before I get into how to set this up, here is an overview of how spam normally makes it into your mailbox.

1. The spam message is put together on the spam server and is waiting to be sent.
2. The spam server requests the MX record of your domain.
3. Most domains will have a single MX record, and DNS will return your mail server's info to the spam server.
4. The spam server connects to your mail server.
5. Your mail server does any spam checks (reverse DNS, SPF lookup, RBL checks).
6. The message is accepted or rejected.

The big thing we are going to focus on is step 2.
Most spam servers will only try to request your MX records once. For domains that have multiple MX records, they will sometimes check whether the next one works, but usually they will give up after the first one or two fail. They give up because spam servers depend on getting as many emails out the door as possible. If any email or server is giving them trouble, they will just give up and move on to the next email in their list.

Legitimate mail servers will try again, and keep trying all MX records until one works. This is because their messages are kept in a queue. If the first attempt fails because the receiving server is down temporarily, they will try again in 15, 30, 60 minutes and so forth. Spam servers can't afford to keep emails in a queue, as this would back up their system and crash their servers.

So we have just figured out a litmus test for spam servers: if they give up easily they are spam; if not, they are legitimate.

My client that I tested this on was receiving about 150 spam emails / day.
After setting this up, he only received 4 spam emails / day. That is a 98% reduction in spam.

How to set up your DNS with fake MX records.
First you need access to your DNS records.

Before I set up my DNS in this way, my MX records looked like this.

Record Type    Priority    Data
MX             10          mail.mydomain.com

The previous example is for the case where my domain was "mydomain.com" and my mail server was "mail.mydomain.com".

After creating my fake MX records, my DNS MX records look like this:

Record Type    Priority    Data
MX             10          mail10.mydomain.com
MX             20          mail.mydomain.com
MX             30          mail30.mydomain.com
MX             40          mail40.mydomain.com
MX             50          mail50.mydomain.com
MX             60          mail60.mydomain.com
MX             70          mail70.mydomain.com
MX             80          mail80.mydomain.com
MX             90          mail90.mydomain.com

In the previous example the only real MX record is the priority 20 one. The rest point to subdomains that don't exist. You can either point these to names that don't exist, or point them to IPs where port 25 is closed. If you point them to another IP, make sure port 25 is closed on it, or legitimate mail servers will get stuck on that server and try again and again.
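A practical check for the requirement above, added here as an example (this is not code from the original post): each decoy target is classified the way a sending MTA would experience it on port 25, distinguishing a fast failure (name does not resolve, connection refused) from a silently filtered port that makes every compliant sender wait out its connect timeout. The hostnames are the post's table, the 5-second timeout and the probe categories are assumptions, and the network calls are confined to probe_host() so audit_mx() can be exercised offline with a stand-in prober.

```python
"""Check that every decoy MX fails fast, as the post requires.

Added example, not code from the original post.  Real network calls
live only in probe_host(); audit_mx() takes the prober as a parameter
so the logic can be run offline against known outcomes.
"""
import socket

SMTP_PORT = 25
CONNECT_TIMEOUT = 5.0  # seconds; assumed value, tune for your network

# Constructed sample: the post's MX set, with the real host at priority 20.
MX_RECORDS = [
    (10, "mail10.mydomain.com"),
    (20, "mail.mydomain.com"),
    (30, "mail30.mydomain.com"),
    (40, "mail40.mydomain.com"),
    (50, "mail50.mydomain.com"),
    (60, "mail60.mydomain.com"),
    (70, "mail70.mydomain.com"),
    (80, "mail80.mydomain.com"),
    (90, "mail90.mydomain.com"),
]
REAL_HOST = "mail.mydomain.com"

# Outcomes after which a sender moves to the next MX without waiting.
FAST_FAIL = {"nxdomain", "refused", "unreachable"}


def probe_host(host, timeout=CONNECT_TIMEOUT):
    """Return how a sender would experience one MX target on port 25.

    "nxdomain"     name has no address record   (sender moves on at once)
    "refused"      TCP connect got a RST        (sender moves on at once)
    "unreachable"  route/ICMP error             (sender moves on at once)
    "timeout"      packets silently dropped     (sender waits out timeout)
    "open"         something accepted the connection
    """
    try:
        socket.getaddrinfo(host, SMTP_PORT, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "nxdomain"
    try:
        with socket.create_connection((host, SMTP_PORT), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def audit_mx(records, real_host, probe=probe_host, timeout=CONNECT_TIMEOUT):
    """Audit an MX set; returns a dict with ok, findings and a stall estimate.

    ok is True when the real host is open, no decoy accepts connections
    (mail delivered to a decoy would silently vanish), and every decoy
    fails fast.  stall_before_real estimates the seconds a compliant
    sender waits on stalling decoys before it reaches the real host in
    preference order; stalling decoys behind the real host only cost
    anything while the real host is down.
    """
    findings = []
    stall_before_real = 0.0
    reached_real = False
    for pref, host in sorted(records):
        state = probe(host)
        if host == real_host:
            reached_real = True
            if state != "open":
                findings.append(f"{pref} {host}: real host is {state}")
        elif state == "open":
            findings.append(f"{pref} {host}: decoy accepts on port 25")
        elif state not in FAST_FAIL:
            findings.append(f"{pref} {host}: decoy stalls senders ({state})")
            if not reached_real:
                stall_before_real += timeout
    return {
        "ok": not findings,
        "findings": findings,
        "stall_before_real": stall_before_real,
    }


if __name__ == "__main__":
    # Live run against the constructed names; each stalling decoy costs
    # up to CONNECT_TIMEOUT seconds, which is exactly what the audit flags.
    for line in audit_mx(MX_RECORDS, REAL_HOST)["findings"] or ["MX set looks good"]:
        print(line)
```

Run it from a host outside your own network so the probe sees the decoys the way a remote sender does; a decoy behind a firewall that drops rather than rejects shows up as "timeout" and adds to stall_before_real when it sits ahead of the real host.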

Mail servers will start with the lowest priority number and work their way up. Some spam servers will try the highest-numbered one first, thinking that the backup servers will be more available. By padding both above and below our real mail server we effectively waste spammers' time, and they move on. The best part is that the requests to the DNS server take very few resources and are very fast. Your mail server never has to handle the spam requests.
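To make the litmus test and the ordering argument concrete, here is an added example (not code from the original post) that models how a sender walks the record set: hosts are tried in ascending preference value as RFC 5321 section 5.1 describes, a queueing MTA keeps going until one accepts, and a spam engine stops after a fixed number of failures, from either end of the list. The record set is the post's table; the set of real hosts and the two sender policies are constructed assumptions.

```python
"""Model of how a sending MTA walks a domain's MX set.

Added example, not code from the original post.  The record set is the
post's "after" table; the sender policies are simplified models of the
behaviour the post describes (a compliant MTA tries every MX, a spam
engine gives up after one or two failures).
"""
import random

# Constructed sample: the post's MX set.  Only priority 20 is real.
MX_RECORDS = [
    (10, "mail10.mydomain.com"),
    (20, "mail.mydomain.com"),
    (30, "mail30.mydomain.com"),
    (40, "mail40.mydomain.com"),
    (50, "mail50.mydomain.com"),
    (60, "mail60.mydomain.com"),
    (70, "mail70.mydomain.com"),
    (80, "mail80.mydomain.com"),
    (90, "mail90.mydomain.com"),
]
REAL_HOSTS = {"mail.mydomain.com"}  # constructed: hosts that actually accept mail


def mx_order(records, reverse=False, rng=random):
    """Return target hosts in the order a sender should try them.

    RFC 5321 section 5.1: lowest preference value first; hosts that share
    a preference are tried in random order.  reverse=True models the bots
    the post mentions that start at the highest number.
    """
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref, reverse=reverse):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def attempt_delivery(order, real_hosts, max_hosts=None):
    """Walk the MX list until a host accepts or the policy gives up.

    max_hosts=None models a queueing MTA that tries every MX; a small
    number models a spam engine that abandons the message after that
    many failures.  Returns (accepting_host_or_None, hosts_tried).
    """
    tried = []
    for host in order:
        if max_hosts is not None and len(tried) >= max_hosts:
            break
        tried.append(host)
        if host in real_hosts:
            return host, tried
    return None, tried


def layout_report(records, real_hosts, bot_attempts=1):
    """Summarise how a candidate MX layout treats each kind of sender.

    A good layout keeps legit_cost small (few dead hosts ahead of the
    real one in forward order) while stopping a bot that tries
    bot_attempts hosts from either end of the list.
    """
    forward = mx_order(records)
    backward = mx_order(records, reverse=True)
    legit_to, legit_tried = attempt_delivery(forward, real_hosts)
    bot_fwd, _ = attempt_delivery(forward, real_hosts, max_hosts=bot_attempts)
    bot_rev, _ = attempt_delivery(backward, real_hosts, max_hosts=bot_attempts)
    return {
        "legit_delivered": legit_to is not None,
        "legit_cost": len(legit_tried) - 1,  # dead hosts before success
        "bot_stopped_forward": bot_fwd is None,
        "bot_stopped_reverse": bot_rev is None,
    }


if __name__ == "__main__":
    for attempts in (1, 2):
        print(attempts, layout_report(MX_RECORDS, REAL_HOSTS, bot_attempts=attempts))
```

With the post's layout the real host sits second in forward order, so a one-try bot never reaches it and a compliant sender pays a single dead hop; layout_report(MX_RECORDS, REAL_HOSTS, bot_attempts=2) shows that a two-try bot working forward does reach it, while one working backward is still stopped. Pushing the real host further down the list buys protection against such bots at the price of one more dead hop for every legitimate message.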

I can't promise the same kind of results, but in my case it took an email address that normally gets 150 spams / day down to 4 spams / day. I highly recommend every mail server admin use this DNS mod to cut down on spam.