couttsj Posted November 20, 2011

Most forum users are probably more concerned about reducing spam to their real customer accounts than they are about reducing spam attempts to a non-existent MTA, but I will pass this information on anyway.

My problems all started with a very high volume of DNS requests for MX records for a particular domain that no longer supported a mail server. When that record was non-existent, those requests were followed by requests for A records and many subsequent attempts to connect to the A address on port 25. So I introduced an MX record with a non-routable IP address. That was all fine and dandy until Microsoft started bombarding our DNS with thousands upon thousands of requests for MX/A records. I complained and they actually did resolve the issue, but only for 3 months. After it started up again with a vengeance, I loaded a valid MX record and a pseudo SMTP server that rejected all email requests with a 550 error on the RCPT command. Much to my surprise, the excess DNS traffic suddenly stopped. I can only assume that Microsoft kept searching until it found a real live MTA. Why, I haven't a clue.

Then Yahoo started bombarding our DNS server with type 99 requests, to which I could get no resolution. It just suddenly quit on Nov. 2. The Yahoo DNS traffic was no doubt due to spammers using our domain name for spam attempts to Yahoo customers. So I set about trying to figure out how to discourage spammers from using our domain name. Using the 550 error response following the RCPT command did not do that. From a typical day:

2011/10/21 - 3,586 Connections / 3,487 MAIL FROM:s / 3,476 RCPT TO:s

Basically we see a 1/1/1 relationship. So I modified the pseudo server to return a 554 error instead of the normal greeting. According to RFC 5321, a 554 greeting response is supposed to indicate the server does not receive email, but all it did was make the connection attempts skyrocket.

So then I modified the server to return a 553 error on the MAIL command, and this produced some positive results:

2011/10/31 - 976 Connections / 7,246 MAIL FROM:s

Connections were reduced by a factor of 3, but some spam engines just sent multiple RSETs followed by different MAIL FROM:s. Reducing the connection timeout from 90 seconds to 30 seconds cut down on the multiple MAIL FROM:s.

2011/11/18 - 623 Connections / 1,132 MAIL FROM:s

The number of connection attempts continues to decline on a daily basis, so the 553 error (probably any 500-level error) does appear to be achieving the objective. However, it is difficult to say what the impact is on DNS volumes at this point in time.

J.A. Coutts
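The three reject points the post compares (554 at the greeting, 553 on MAIL, 550 on RCPT) as a small SMTP state machine, with the same Connections / MAIL FROM:s / RCPT TO:s tally the post reports. This is an added example, not couttsj's pseudo server; the hostname, the reply texts and the optional per-connection cap on MAIL attempts (`max_mail`, a mitigation for the RSET/MAIL loop the post describes) are this example's own assumptions. The session transcripts are constructed inline so it runs offline.

```python
"""Pseudo SMTP responder that answers every client but never accepts mail.

Added example (not the forum poster's code). Reply texts, hostname and the
max_mail cap are assumptions of this example; status codes follow RFC 5321.
"""

# Where in the dialogue the server refuses; names are this example's own.
AT_GREETING = "greeting"  # 554 banner: RFC 5321 s3.1, server does not take mail
AT_MAIL = "mail"          # 553 on MAIL FROM (the variant the post found effective)
AT_RCPT = "rcpt"          # 550 on RCPT TO (the post's first attempt)


class PseudoSmtpSession:
    """State for one client connection. No DATA is ever accepted."""

    def __init__(self, reject_at, hostname="mx.example.invalid", max_mail=None):
        self.reject_at = reject_at
        self.hostname = hostname
        self.max_mail = max_mail      # assumption: cap on MAIL attempts per connection
        self.refused_at_banner = False
        self.mail_from = 0            # counted like the post's "MAIL FROM:s"
        self.rcpt_to = 0              # counted like the post's "RCPT TO:s"
        self.closed = False

    def greeting(self):
        if self.reject_at == AT_GREETING:
            # RFC 5321: after a 554 banner the client must QUIT; every other
            # command gets 503 until it does.
            self.refused_at_banner = True
            return f"554 {self.hostname} does not accept mail"
        return f"220 {self.hostname} ESMTP"

    def handle(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb == "QUIT":
            self.closed = True
            return f"221 {self.hostname} closing connection"
        if self.refused_at_banner:
            return "503 5.5.1 Bad sequence of commands"
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.mail_from += 1
            if self.max_mail is not None and self.mail_from > self.max_mail:
                self.closed = True    # drop clients that cycle RSET / MAIL FROM
                return f"421 {self.hostname} too many MAIL attempts, closing"
            if self.reject_at == AT_MAIL:
                return "553 5.1.8 This host does not accept mail"
            return "250 2.1.0 OK"
        if verb == "RCPT":
            self.rcpt_to += 1
            return "550 5.1.1 No such user here"   # AT_RCPT (and the fallback)
        if verb in ("RSET", "NOOP"):
            return "250 2.0.0 OK"
        if verb == "DATA":
            return "503 5.5.1 Need RCPT (recipient)"
        return "502 5.5.2 Command not implemented"


def run_session(reject_at, client_lines, max_mail=None):
    """Drive one session from a list of client lines; returns (session, transcript)."""
    session = PseudoSmtpSession(reject_at, max_mail=max_mail)
    transcript = [("S", session.greeting())]
    for line in client_lines:
        if session.closed:
            break
        transcript.append(("C", line))
        transcript.append(("S", session.handle(line)))
    return session, transcript


def tally(sessions):
    """Per-day counters in the shape the post reports."""
    return {
        "connections": len(sessions),
        "mail_from": sum(s.mail_from for s in sessions),
        "rcpt_to": sum(s.rcpt_to for s in sessions),
    }


if __name__ == "__main__":
    # Constructed client dialogue: a sender that retries with RSET + new MAIL FROM.
    retrying = ["EHLO spam.example", "MAIL FROM:<a@spam.example>", "RSET",
                "MAIL FROM:<b@spam.example>", "QUIT"]
    for mode in (AT_GREETING, AT_MAIL, AT_RCPT):
        s, t = run_session(mode, retrying)
        print(f"--- reject at {mode} ---")
        for who, text in t:
            print(f"{who}: {text}")
        print(tally([s]))
```

`tally` over a day's sessions reproduces the ratios the post quotes: with the 550-on-RCPT policy every connection yields one MAIL and one RCPT, while the 553-on-MAIL policy shows MAIL FROM attempts outrunning connections until the RSET loop is cut off by a timeout or the `max_mail` cap.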