darxus ([personal profile] darxus) wrote 2010-02-10 10:14 pm

I made up a new way of blocking spam: MTX records

http://www.chaosreigns.com/mtx/

MTX records are just DNS A records on your DNS server stating that an IP is a legitimate mail transmitter.

There is a SpamAssassin plugin for it on that page.

[identity profile] darxus.livejournal.com 2010-02-12 04:09 pm (UTC)(link)
Limited utility? I would say it applies to the vast majority of the spam I receive that has a PTR record (and I reject everything without a PTR record). In fact, all of the first 10 from yesterday's mail log are broadband or dialup:

# cat mail.log.0 | grep reject: | awk '{print $10}' | grep -v '^unknown\[' | cut -d'[' -f1 | head
cable200-116-4-57.epm.net.co
cable200-116-4-57.epm.net.co
stgt-5d841c43.pool.mediaWays.net
cable200-116-4-57.epm.net.co
201-68-227-171.dsl.telesp.net.br
ppp-124-120-118-226.revip2.asianet.co.th
201-68-211-174.dsl.telesp.net.br
33-21-135-95.pool.ukrtel.net
109-184-4-179.dynamic.mts-nn.ru
cable-94-189-198-185.dynamic.sbb.rs

(Just because you're the most annoying about this, I used cat because I've been switching between how many files I'm running through grep.)

Also, in cases where an MTX validating domain sends both legit mail and spam, I plan to provide the ability to blacklist so that it only negates the bonus for using MTX, so in that case the net effect is 0. Or whatever you want it to be for that domain.

So for:
Most spamming hosts: The owner creates no MTX record = SA penalty
Most legit mail servers: The owner creates an MTX record = SA bonus
Hosts which send both spam and non-spam: The owner creates an MTX record, and a blacklist is used to negate the bonus = SA score 0
Spammers using MTX: Major penalty for blacklisting.
Legit servers without MTX: With no MTX record = SA penalty, starting at 0 and raising gradually as adoption spreads.

So spammers are actually better off not using MTX, because the penalty for getting blacklisted is worse than the penalty for not having the record. Also, MTX records allow the spam to be associated with their domain, and therefore registrar, who can then be subpoenaed for the spammer's identity.
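The scoring scheme laid out in the comment above, as an added example that is not code from the post or from the MTX SpamAssassin plugin: an offline Python model of the PTR check, the MTX lookup and the per-domain blacklist, run against a constructed DNS table. The record naming scheme (`<reversed ip>._mtx.<domain>`), the way the domain is derived from the PTR name, and the score values are assumptions of this example; the real format is on the linked spec page, which this post does not reproduce.

```python
# Added example, not the MTX plugin's code. ASSUMPTION: an MTX record lives at
# "<reversed ip>._mtx.<ptr domain>"; the real naming scheme is on the spec page.
import ipaddress

# Constructed DNS data standing in for live PTR and A lookups.
PTR = {
    "203.0.113.10": "mx1.example.net",        # legit server that publishes MTX
    "203.0.113.11": "mx2.example.org",        # legit server, no MTX record yet
    "203.0.113.12": "mail.spam-example.com",  # spammer with an MTX record
    "203.0.113.13": "out.mixed-example.com",  # sends both spam and real mail
}
A = {
    "10.113.0.203._mtx.example.net": "127.0.0.1",
    "12.113.0.203._mtx.spam-example.com": "127.0.0.1",
    "13.113.0.203._mtx.mixed-example.com": "127.0.0.1",
}
# Per-domain blacklist: the value is the score applied after the MTX bonus is
# negated ("or whatever you want it to be for that domain"). Values are made up.
MTX_BLACKLIST = {"spam-example.com": 5.0, "mixed-example.com": 0.0}

MTX_FAIL, MTX_PASS = 2.0, -2.0  # hypothetical penalty / bonus

def domain_of(hostname: str) -> str:
    """Strip the leftmost label: mx1.example.net -> example.net (assumption)."""
    return hostname.split(".", 1)[1] if "." in hostname else hostname

def mtx_name(ip: str, ptr: str) -> str:
    """Build the assumed MTX record name for a connecting IPv4 address."""
    rev = ipaddress.IPv4Address(ip).reverse_pointer.removesuffix(".in-addr.arpa")
    return f"{rev}._mtx.{domain_of(ptr)}"

def mtx_score(ip: str) -> tuple[str, float]:
    """Return (rule fired, score delta) for a connecting IP."""
    ptr = PTR.get(ip)
    if ptr is None:
        return ("REJECT_NO_PTR", 0.0)   # rejected before SA ever sees it
    if mtx_name(ip, ptr) not in A:
        return ("MTX_FAIL", MTX_FAIL)   # no record: the owner gets a penalty
    domain = domain_of(ptr)
    if domain in MTX_BLACKLIST:
        # bonus and its negation cancel; only the configured penalty remains
        return ("MTX_BLACKLISTED", MTX_PASS - MTX_PASS + MTX_BLACKLIST[domain])
    return ("MTX_PASS", MTX_PASS)

if __name__ == "__main__":
    for ip in list(PTR) + ["198.51.100.7"]:
        print(ip, *mtx_score(ip))
```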

[identity profile] feng-huang.livejournal.com 2010-02-13 05:56 pm (UTC)(link)
I know that is not a random sample, but I'll point out that all of those are on the DUL. You could assign a SA penalty for that.

DNSWL's big weakness (centralization) is also its big advantage: They vet the entries on the list, at least somewhat, and assign a trustworthiness rating, and if one of the IPs on the list starts spamming, it gets removed (and probably placed on at least one of several DNSBLs). (I myself am using my own blacklist, DNSWL, bl.spamcop.net, psbl.surriel.com, and cbl.abuseat.org.)

[identity profile] darxus.livejournal.com 2010-02-13 06:14 pm (UTC)(link)
I'm not saying those IPs weren't easy to block without MTX. They were, in fact, easily rejected before they got to SpamAssassin. Or even the one RBL I use before SA, zen.spamhaus.org. All were user unknown or non-FQDN helo.

My point is that a blacklist of MTX abusers should be much easier to keep up to date than, for example, the DUL or zen.spamhaus.org. Less work, more up to date, more accurate.

That is certainly an important advantage of DNSWL, one that I mention in the new "Comparisons" section :)

But I assure you, that list is a pain in the ass to maintain. Speaking as a long time admin of it, and probably the person who introduced you to it. You might be interested in reading http://www.chaosreigns.com/mtx/background/ if you haven't.

[identity profile] feng-huang.livejournal.com 2010-02-13 06:36 pm (UTC)(link)
I didn't realize you're an admin of DNSWL. And yes, I think I recall reading something on your site some time ago where you mentioned DNSWL. When I started using various BLs, I decided to use DNSWL, too.

Besides spammers creating their own MTX records and every email admin in the world needing to maintain their own MTX blacklist, I don't hold out high hopes for people creating MTX records. If my own electric company and dice.com can't configure their mail servers with a proper hostname (thereby getting caught by Postfix's reject_unknown_helo_hostname, which I've had to temporarily remove from time to time, and that I've removed for the time being due to job hunting), I can't see that many people creating MTX records.

Hell, I think the only reason people create MX records to begin with is so that mail doesn't go to what is usually their main web server(s) and so that they can have a backup mail server to receive incoming messages in the event the main server goes down. SPF isn't faring very well, either; between people that haven't heard of it and people that refuse to use it, and people that don't bother using it, it's not getting very far.

[identity profile] darxus.livejournal.com 2010-02-13 07:17 pm (UTC)(link)
Yeah, I found DNSWL as a result of coming up with the idea myself and checking to see if it had already been done. And it was. Fully up and running, in a way that I was entirely happy with. Although Matthias didn't like the idea for penalizing anybody for not being on the list, as I wanted to do. I also host one of the DNSWL servers. Apparently since March 2007.

I think SPF is doing pretty well. Many large entities are using it, including gmail, AOL, and hotmail. And that's in spite of the forwarding breakage which a bunch of people are very emotionally opposed to creating SPF records because of. When I went looking for major sites using SPF, I had no difficulty:

http://www.chaosreigns.com/spam/#spf_users

And honestly, I think MTX is easier to understand and implement than a valid helo. How many people understand the terms "helo" vs. "whitelist"? When I very recently created an SPF record for my helo, since SA is checking those now, it took me a little while to figure out what HELO my server was actually sending. It was the obvious one, and defined in a pretty obvious place, but still not instant to confirm. And dice.com does have an SPF record.

And I think simplicity is a significant advantage for MTX over SPF. One mail server, one extra DNS A record. The entire protocol can be specified in one line. Have you seen the spec for SPF, or some of the crazy stuff they come up with in records?

I really don't think there will be many spammers who use MTX, because from the start it comes with blacklisting. Hell, I should state that as a rule for implementations (done). And if they do, a public centralized and very small MTX specific blacklist will be created for those who don't wish to maintain their own. I have considered the possibility that such a thing might be necessary for widespread adoption, even if there are no spammers using MTX. But still I think MTX has the advantage of not depending on centralized authority because I believe a blacklist will be easy enough for one person to maintain.

Also, most importantly, I benefit from MTX now. I catch more spams (score MTX_FAIL 2), and if I get a false positive, the sender gets informed, and has the possibility of doing something to fix it.

[identity profile] feng-huang.livejournal.com 2010-02-13 09:43 pm (UTC)(link)
I think SPF is doing pretty well. Many large entities are using it, including gmail, AOL, and hotmail. And that's in spite of the forwarding breakage which a bunch of people are very emotionally opposed to creating SPF records because of. When I went looking for major sites using SPF, I had no difficulty:
Okay, I concede that point, and I also think I didn't convey what I wished, which is that among people who have heard of it and aren't philosophically opposed to it, it's more than likely laziness that's preventing them from creating just one additional DNS record, as opposed to one additional record per server.

(BTW, the #spf_users tag on that link didn't work. You have it as an 'id' attribute to an h2 tag, whereas you need an <a name="spf_users"> tag. I'm using Firefox 3.5 on Linux.)

I've not looked at the spec for SPF, but the record itself is ugly, I agree. Fortunately, they have a CGI script that will generate the record for you. ;-)

Really, if you don't know what a 'helo' is, you shouldn't be running a mail server, IMNSHO. I think that "Hello, my name is _____" is a pretty simple concept for people to understand, anyway. "You have to give me a real name that I can look up" is pretty simple, too, and yet people still get it wrong.

And while dice.com does have an SPF record, it doesn't help if you're requiring mail servers to tell you a real name that you can look up, and they're not properly identifying themselves:

Feb 6 13:33:08 dr-evil postfix/smtpd[14286]: NOQUEUE: reject: RCPT from mailbox51.dice.com[65.198.147.51]: 450 4.7.1 <colomailbox.dice.com>: Helo command rejected: Host not found; from=<support@dice.com> to=<my@ddre.ss> proto=ESMTP helo=<colomailbox.dice.com>

That was my point. If people can't even get the hostnames they're using for their mail servers in DNS properly now, why would they create extra records? (I no longer have the log entries, but my electric company was using srp.gov, which doesn't exist, instead of srpnet.com. I don't think "Set your hostname to something that can be looked up" is too onerous of a rule, either. They (the electric company, not Dice) have since fixed it, probably in part because I was just bouncing their mail after I temporarily allowed their signup confirmation message in.)

As for catching more spam, I would be interested to know if it has improved your accuracy rate. I can create a regex that will reliably catch 100% of spam. Here it is: /./

I'm still working on the false positives, though. ;-)

Anyway, I realize that it hasn't even been a week, but since you've stated that you're catching more spam with it now, I'm interested in the particulars behind that claim. (In my opinion just "catching more spam" isn't enough; "improving accuracy" is the goal, and the false positives you mentioned concern me a little.) Has it actually improved your accuracy rate? Is the rate different than if you had merely penalized every email by the same amount, or if you had lowered the SA threshold by the same amount? Do you know if there are any other domains with MTX records besides yours and mine?

Sorry if I come across as overly negative; I just don't see a significant benefit (although there's obviously no harm by creating the record, which is why I went ahead and did it).

[identity profile] darxus.livejournal.com 2010-02-14 12:11 am (UTC)(link)
When did "id" become a valid attribute of all entities? Maybe that wasn't until HTML5? It works for me with firefox v3.5.3. The WDG validator isn't throwing an error on it, but there are enough other errors on that page that they could be hiding it.

I highly doubt the SPF CGI script will generate the ugly SPF records I've seen. And I suspect they're ugly out of necessity.

I pointed out that dice.com has an SPF record only because you gave it as an example of someone too incompetent to provide a valid helo, and therefore, I think, unlikely to create an MTX record.

Obviously, MTX has increased my accuracy rate for spam, while decreasing accuracy for non-spam. Overall accuracy isn't really worth comparing, I think. But the part that matters to me is that the cases where I'm decreasing accuracy with false positives, I'm notifying the sender and giving them a way to fix it.

I'm sure the current effect is statistically very similar to giving all emails an extra +2. The difference, as I said, is the notification, and ability to fix it.

I don't mind your negativity, I appreciate the additional analysis.

And I've gotten quite a lot more negativity than from you. It is apparently common for people to think that they came up with a new and useful method for dealing with spam. They're almost always wrong. It shows in the responses.

[identity profile] darxus.livejournal.com 2010-02-14 12:28 am (UTC)(link)
That page is now validated HTML5. I'm curious if the spf_users link works for you now.