 Isn't mxmailer.com easy to filter?
Author: S.Wehner   (14 Jan 05 7:39pm)
I just donated about three subdomains. I was given record values for the MX fields that all ended in mxmailer.com.

Wouldn't it be easy to check for these entries before sending spam to an email address?

Or even just the IP addresses of honeypot's email servers?

Stephan
 
 Re: Isn't mxmailer.com easy to filter?
Author: D.Collin2   (16 Jan 05 5:01pm)
Furthermore, a bot could be trained to avoid going to see some withdrawal.php...

But actually, spammers will not filter out those things, just because it'd slow down their process a lot... Because if they filter mxmailer.com, they probably will need to filter other servers...
 
 Re: Isn't mxmailer.com easy to filter?
Author: M.Prince   (16 Jan 05 5:47pm)
I'm not too worried about filtering on the name of the script since it's randomized for every installation. S.Wehner's question is a bit trickier and something I do worry about. I think a limited number of IPs for our mail servers and a limited number of places where we have our users point their MX records is potentially our Achilles heel. On the other hand, we're thinking about how to solve this problem and may actually be able to turn it into a feature.

What do I mean by that? Part of the power spammers have is their ability to send indiscriminately. Filter developers have a much trickier challenge. They must differentiate between legitimate and illegitimate mail messages. Spammers get to play offense all the time, we're stuck playing defense.

Project Honey Pot turns the tables somewhat. While there may be ways for spammers to recognize and filter out our addresses and honey pot pages, it means that they will have to question and eliminate some addresses from their database. The minute we've got spammers doing that is the minute we begin to take the strong position in the arms race.

For example, imagine that every Project Honey Pot spamtrap address contained the following string of characters:

HPOT

While it would be easy for spammers to filter out the spamtrap email addresses, it would also introduce a potential way for regular addresses to avoid spam: simply include "HPOT" somewhere in them. Translated to your specific question, imagine spammers begin filtering on the domains we tell people to point their donated MXs to. Maybe then we'll allow our members to pass their legitimate mail through the same MX records.

The limited number of IP addresses we have access to for our mail servers also presents a problem, and again, potentially, an opportunity. For example, we could approach a company like Akamai, which maintains a HUGE private network and wide variety of what are, essentially, relay servers. Most of Akamai's traffic comes downstream. Maybe they'd be willing to obscure the location of our mail servers by hiding them within their private network, and suddenly create what would appear like a virtually unlimited number of mail server IPs.

What could we provide them in exchange? Maybe our list of known harvester IPs so they can prevent them from ever accessing their customers' websites. I don't know if they'd go for it, but if anyone knows anyone at Akamai or any of the other large proxy network operators, please don't hesitate to put them in contact with us.

There are a number of other potential solutions to this problem we're exploring. You might want to check out another thread discussing this same issue on our boards:

http://www.projecthoneypot.org/board/read.php?f=4&i=4&t=4

I think we have at least a few months where we're safe because spammers will simply ignore us. But the day that the FBI breaks down a spammer's door based on information gathered from our system is the day we'll need to have our plan to foil the defensive techniques spammers try to thwart our system. We welcome ANY suggestions.
 
 Re: Isn't mxmailer.com easy to filter?
Author: D.Tetreault   (19 Jan 05 4:32am)
Why not solicit email forwarding donations (using aliases)? Wouldn't aliases forwarded to your mail server provide an unlimited supply of undetectable targets?
 
 Re: Isn't mxmailer.com easy to filter?
Author: A.Hedges   (19 Jan 05 10:37am)
How about adding an A record donation scheme too? That way spammers would have to perform 2 lookups to find out if the IP address belonged to this project. Anything to slow these idiots down.
 
 Re: Isn't mxmailer.com easy to filter?
Author: R.Allard   (21 Jan 05 5:20am)
What about giving a mail server along with a domain name? You could just forward mails sent to the given domain name to mxmailer.com. So if I give a mail server for this purpose and spammers figure out that they should filter all mails going to my mailserver, that would be really cool, as I won't receive any spam on all other domains I host on this mailserver.
 
 Re: Isn't mxmailer.com easy to filter?
Author: N.Jackson   (23 Jan 05 2:46pm)
Why not allow people with their own dedicated servers (there must be a few of them around) to run mail relays specially designed by Project Honey Pot. So you can donate a mailserver IP or domain, and that is added to the pool of addresses that MX records can point to. The relay either bounces the mails to a HoneyPot mailserver, or does its own collating and stats then 'checks in' with a master server every so often.
 
 Re: Isn't mxmailer.com easy to filter?
Author: R.Vetterberg   (27 Jan 05 8:50am)
I like the idea of being able to donate not only a domain, but also a relay server.
I could easily set up 3 or 4 MX pointers to servers that could collect all mail sent to certain domains and forward them to mxmailer or wherever the project wants me to forward them.
As said above, not only would this help the project, it would also make me a target spammers would avoid once they figure things out. :)
 
 Re: Isn't mxmailer.com easy to filter?
Author: C.Kruslicky   (30 Jan 05 4:41pm)
I'm in the 'donate a relay' camp as well, but it does bring up a whole new issue of trust (in the people running the relays). I had thought that maybe a proxy of some sort would be better, but then various antispoofing filters would probably break connections. Likewise I can think of ways to do a sort of port forwarding through a tunnel back to the mxmailer servers, but that doesn't mean the team there would trust the data they got =)

I imagine that's why the thought of using mxmailers as relays was mentioned, but that brings up a whole slew of concerns on the other end.

(edited for spelling)

Post Edited (6 Feb 05 10:07am)
 
 Re: Isn't mxmailer.com easy to filter?
Author: J.Coghill   (3 Feb 05 12:49pm)
I may be totally clueless in how email server addresses are resolved, as I do not really know how the waters flow in that end of the stream.

But...

If a spammer were to filter "mxmailer.com", would mail being sent to email.chaoszen.com be filtered also when the MX record redirects (points to) "mxmailer.com"?

My assumption (though I am only guessing here) is that it would work much the same as HTTP DNS redirection as an alias to the mailserver. If a spammer were to send mail to email.chaoszen.com, when, where and how, would it know to filter that address?
 
 Re: Isn't mxmailer.com easy to filter?
Author: R.Vetterberg   (9 Feb 05 7:37am)
If someone sends a mail to email.chaoszen.com, the MTA will do a DNS query to find the MX pointer for this domain. If the MX resolves to mxmailer.com it would be a trivial thing to configure the MTA to just drop the mail.

You can try it yourself, every OS with some self-respect has an nslookup utility.
i.e. 'nslookup -q=mx domain.com' will show you where email will be delivered for domain.com.
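
Added example (not part of the original posts and not Project Honey Pot code): an operator-side audit of the weakness discussed in this thread, measuring how much of a trap-domain pool resolves to a single MX parent zone. The MX answers are constructed sample data in zone-file form, every name except mxmailer.com is a placeholder, and `parent_zone` is a naive last-two-labels helper assumed here for illustration.

```python
from collections import Counter

# Constructed sample: MX answers for donated trap domains, in zone-file form.
# All names are placeholders except mxmailer.com, which the thread names.
SAMPLE_MX = """\
trap1.example.org.   3600 IN MX 10 mx1.mxmailer.com.
trap2.example.net.   3600 IN MX 10 mx2.mxmailer.com.
trap3.example.com.   3600 IN MX 10 mx1.mxmailer.com.
trap3.example.com.   3600 IN MX 20 mx3.mxmailer.com.
trap4.example.org.   3600 IN MX 10 relay.donor-a.example.
; comment line, ignored
"""

def parse_mx(text):
    """Return {domain: [(preference, exchange), ...]} sorted by preference."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) != 6 or fields[2].upper() != "IN" or fields[3].upper() != "MX":
            continue  # skip comments, blanks and non-MX records
        owner = fields[0].rstrip(".").lower()
        exchange = fields[5].rstrip(".").lower()
        records.setdefault(owner, []).append((int(fields[4]), exchange))
    return {d: sorted(mx) for d, mx in records.items()}

def parent_zone(host, labels=2):
    """Naive parent zone: the last `labels` labels (no public-suffix handling)."""
    return ".".join(host.split(".")[-labels:])

def pool_concentration(records):
    """Share of trap domains whose most-preferred MX (lowest value) is in each zone."""
    primary = Counter(parent_zone(mx[0][1]) for mx in records.values())
    total = sum(primary.values())
    return {zone: count / total for zone, count in primary.most_common()}

def fully_covered_by(records, zone):
    """Domains whose every MX target sits in `zone`: one suffix rule matches them all."""
    return sorted(d for d, mx in records.items()
                  if all(x == zone or x.endswith("." + zone) for _, x in mx))

if __name__ == "__main__":
    recs = parse_mx(SAMPLE_MX)
    print(pool_concentration(recs))
    print(fully_covered_by(recs, "mxmailer.com"))
```

A share close to 1.0 for one zone means the whole pool can be recognised with a single suffix comparison on the MX answer; donated relays with their own names, as proposed earlier in the thread, lower that share.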
 
 Re: Isn't mxmailer.com easy to filter?
Author: W.Van Der Beke   (28 Apr 05 3:23pm)
If you reach the number mx29.mxmailer would be mine :)
 
 Re: Isn't mxmailer.com easy to filter?
Author: H.Martin   (1 Oct 05 12:33pm)
No one has said it explicitly and one or two have asked (presumably more have wondered) so here are the obvious methods a spammer would use to "filter" mxmailer.com:

1) Filter SENDING mail to any address that requires making a connection to an mxmailer.com SMTP server.

a) Advantage: Trivial to do since the spamware already has to act as an MTA or MUA at least.

b) Disadvantage: makes it hard to use open relays/open proxies (see below)

2) Build their bulk mail software with its own DNS resolver that never queries for the mxmailer zone or any machine in that zone.

a) Advantage is that the DNS query is never submitted so even that cannot be recorded (perhaps to identify spambots) AND that the spamware can continue on to the next presumably valid email address.

b) Disadvantage: It is (a little) more trouble to build in a DNS resolver than just to use the one on every Internet machine, but the source code is well-known and available on the Internet in packages (freely available) like Dig and the Perl Net::DNS.

Both methods suffer from the following disadvantage: must control (build/install) the spamming software which partially eliminates the use of open relays and such OR requires the pre-filtering of the list before the list is given to spambots or sent to an open relay/open proxy.

Any such pre-filtering might give away the spammer's real IP or require further botware and/or "cutouts" to protect his identity.

BTW, I like the idea of donating an MX -- what sort of volume are we talking?

We have our spam down to roughly ZERO percent, even in the "spam catch accounts" so I would actually have to LET IT IN though. I now consider it a false negative if a spam even makes it INTO our server, much less to a real user.

Does the projecthoneypot run a Real-Time Blacklist (or feed one)? I don't see how we are going to USE THE POT to stop more spam?

--
Herb
HerbM@LearnQuick.Com
(My email is known and we now filter successfully so posting my address is not a risk.)
