Deterring Spammers with Fake MX Records

For the past 48 hours, I've been dealing with a Sendmail server that was shutting down frequently with a load average above 13. The server's getting flooded constantly with spam attempts to non-existent users on more than 100 domains.

I've set up Sendmail to use a virtusertable that rejects every invalid email address with a "user unknown" error. This is helpful, but Sendmail still has to spend time rejecting each spam attempt. Since all but six domains on the server don't receive any mail at all, I wanted to find a way to stop Sendmail from receiving any requests for those domains.

After doing some research, I decided to try setting a fake MX record for the domains that do not send or receive mail. Here's how MX records are set for these domains:

IN MX 10 mail.example.com.

There's no mail server associated with that hostname.

On servers that do exchange email, fake MX records can be used to deter spammers. Most email servers are equipped to deal with mail servers that are unavailable. They queue the outgoing mail and try an alternate mail server, if one has been defined for the domain. Spam software can't take the time to queue an outgoing mail for delivery later because it is sending millions of messages. If it finds a mail server that's unavailable, it gives up and goes on to the next server.

Putting fake servers at the lowest and highest preference in a domain's MX records supposedly discourages spammers without affecting the receipt of legitimate email. Spammers hit the fakes and give up. Legitimate mail servers hit a fake, then try the next option and deliver the mail.

Here's how MX records can be set to achieve this:

IN MX 10 mail1.example.com.
IN MX 20 mail2.example.com.
IN MX 30 mail3.example.com.

The mail1.example.com and mail3.example.com servers are fakes whose hostnames do not resolve to an address. The functioning mail server is at mail2.example.com.

So far, the approach appears to work. Legitimate email is getting through and most domains aren't getting any spam attempts at all.

Comments

Don't you want different, increasing, "pref" fields in your MX records for this purpose? My understanding of MX record format is that since you've set the "pref" field to the same value there (10) for all three records, in fact those three servers will be used in a random order.

Thanks ... that was a typo in my blog entry. The prefs are set to 10, 20 and 30.

A couple of points: one, make sure the domains and hostnames you're using aren't actually registered to someone else (I dunno if you're actually using 'example.com' or not, but I should think the IANA would have something to say about your choice, especially if they're seeing either increased DNS or SMTP traffic as a result). Secondly, it's the rare bot that doesn't cache or deliver separate files containing the MXen for the domains in whatever current list it's hitting, in an attempt to avoid being detected (most end user systems don't do lots of MX lookups, so it's a red flag for proactive ISPs when they see that sort of traffic).

Finally, why are you even providing SMTP service for domains that don't receive mail? Consider using a MX of '.' instead.

I'm using mail.example.com as the fake MX record on domains with no mail service. It does not resolve to a valid IP address. I'm not aware of the traffic implications, but example.com is used everywhere for a multitude of purposes, so my guess is that IANA would not care.

On the domains that do get mail, I'm referring to two fake hosts on my server and one real mail server.

My impression from the Sendmail docs is that if you omit the MX record it will default to the domain name. Since the domains share an IP address with a Sendmail server, that will send mail traffic to my valid mail server.

What does an MX record of "." accomplish?

Good post and discussion. In fact your post got me thinking more about this whole topic so I decided to blog about this myself. Check it out and let me know what you think (sorry it's a tad long, but I think about this stuff pretty much every day!)

www.sendmail.com

It's slightly dated now, but I've found this 2004 presentation by Bill Moran to be an excellent overview of what works in keeping unwanted mail out of your mailserver without rejecting legitimate messages. I would presume that Sendmail has analogs to the various sanity checks described for Postfix. Personally, I've found greylisting to be so effective that I don't need to bother with real-time block lists or content filtering.

The RFCs say that when no MX record is there, the A record shall be used for sending email (or trying to). Historically this was not a problem.

Some people also use an MX record to a host pointing to 127.0.0.1 when they don't expect to receive mail. I would guess that having "." as an MX record would just end up as any invalid host, as "." has no A/AAAA record.
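As an added illustration (not code from the post or from Sendmail) of the fake-MX layout in the post and of the "MX of '.'" question raised in the comments, here is a small Python model of how a standards-following MTA walks the MX list compared with the give-up-on-first-failure sender the post describes. The zone fragments, hostnames and address table are constructed; "IN MX 0 ." is the null MX convention of RFC 7505.

```python
import re

# Constructed zone fragment in the layout the post describes: two fake hosts
# bracket the real server (assumed names, not a live zone).
ZONE_WITH_FAKES = """
IN MX 10 mail1.example.com.
IN MX 20 mail2.example.com.
IN MX 30 mail3.example.com.
"""
# Constructed null-MX fragment (RFC 7505): "MX 0 ." says the domain takes no mail.
ZONE_NULL_MX = "IN MX 0 .\n"
# Constructed stand-in for DNS A lookups: only the real server has an address.
FAKE_DNS = {"mail2.example.com": "192.0.2.25"}
# Matches "IN MX <pref> <host>", with an optional owner name in front.
MX_LINE = re.compile(r"^\s*(?:\S+\s+)?IN\s+MX\s+(\d+)\s+(\S+)\s*$")

def parse_mx(zone_text):
    """Return (preference, host) pairs sorted ascending, the order an MTA uses."""
    records = []
    for line in zone_text.splitlines():
        m = MX_LINE.match(line)
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".")))
    return sorted(records)

def resolve(host):
    """A-record lookup against the constructed table; None means no address."""
    return FAKE_DNS.get(host)

def compliant_mta_target(zone_text):
    """RFC 5321 behaviour: try MX hosts in preference order and deliver to the
    first that resolves; a null MX means do not attempt delivery at all."""
    records = parse_mx(zone_text)
    if records == [(0, "")]:  # the "." host, with its trailing dot stripped
        return None
    for _pref, host in records:
        addr = resolve(host)
        if addr:
            return addr
    return None

def impatient_sender_target(zone_text):
    """The bulk sender the post describes: hit only the lowest-preference MX
    and give up instead of queueing when it does not resolve."""
    records = parse_mx(zone_text)
    return resolve(records[0][1]) if records else None
```

A real MTA also retries over time and falls back to the A record when a domain has no MX at all, which is the behaviour the comment about omitted MX records refers to.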
