Thousands of ssh probes

Chuck Swiger cswiger at mac.com
Sat Mar 6 14:19:36 UTC 2010 

On Mar 6, 2010, at 4:36 AM, Matthew Seaman wrote:
>>> Having an IPv6-only high-mx seems to terminally confuse most  
>>> spambots...
>>
>> I understand why IPv6 would confuse them, but don't follow why higher
>> numbered MXs would be more attractive to them in the first place?
>>
>> Are they assuming a 'secondary' MX will be more likely to accept  
>> spam?
>
> Yes.  Generally a high-numbered MX is more trusted than the run-of-
> the-mill internet by the actual mail server (lowest numbered MX)[*],  
> so
> forwarding between MXes tends to bypass chunks of anti-spam
> protection.  The high-numbered MX itself is usually a pretty low
> importance system at a location remote from all the rest of the mail
> servers, so it tends to have less effective anti-spam protection.   
> Thus
> spammers ignore the normal MX priority rules and just attempt to  
> inject
> spam through the highest numbered MX, because it is more likely to get
> through.

While this is undoubtedly true in some cases, you're offering too much  
credit to the spammers for other cases.  :-)

There are spambots which simply scan through IPv4 address space trying  
to talk to port 25, and they attempt to deliver the same spam (or some  
template put through an obfuscator which adds random text) to a list  
of usernames, regardless of MX records.  Some try to deliver to  
unqualified addresses (ie, rcpt to: <cswiger>); others do a reverse  
lookup of each address and append the domain name to the addresses.   
It's pretty easy to notice this when you've got a bunch of IPs setup  
on different domains.

Anyway, for personal domains, you can setup teergrubes on both high  
and low numbered MX records, which delay but never accept mail, and  
have your real mailserver in the middle.  Unfortunately, there are so  
many broken SMTP servers out there, which don't retry delivery to all  
MX hosts, that a fair amount of "legitimate" email will be lost-- you  
can't realistically do this for normal users.

> On the whole, I don't see the value in having a high-numbered MX to
> dumbly accept, queue and forward messages like this. It doesn't really
> add any resilience: the SMTP protocol is intrinsically all about store
> and forward, and if a message cannot be delivered immediately, the
> sending side will keep it in a queue for up to 5 days anyhow.

The two main uses are:

1) If your primary MX is where delivery happens, and it goes down or  
is otherwise unavailable for a while, you can do an ETRN against the  
secondary(-ies) and get all of the queued mail relatively immediately  
once you fix the issue.  If you have drastic problems (ie, a box goes  
down permanently and you can't get a replacement up in less than a  
week due to shipping time), you can even have your secondary queue  
email for longer than the default 5 days if that becomes necessary.

2) Domains without permanent network connectivity:

   http://www.postfix.org/ETRN_README.html

Regards,
-- 
-Chuck

More information about the freebsd-questions mailing list