Another milestone has been broken - for the first time ever not a single one of the c. 14,500 attempts to deliver email to our non-preferred MX was legitimate - yes, 100% spam and viruses at the high preference number MX (actually measured at a little over 100% but there is a margin of error of c. 0.2%).
That spawned a very brief discussion, the upshot of which was that I speculated on whether I should just turn off the secondary MX and see what happens. After a day or two of thinking about it, I just did it. So, the secondary MX has not been listening here at all since around 6 September.
The interesting thing is that the spam load on the primary MX has not increased significantly, even though the secondary MX is out of action. In other words, this simple action is sufficient to lower the total ratio of email blocked + email filtered + reported spam vs. known good email from where it was at about 67% bad / 33% good to 51% bad / 49% good.
The lesson appears clear - if you can (and I appreciate that there may be very good reasons why you cannot), turn off your secondary MX.
For this to work, of course, you should still announce a secondary MX in your DNS records - just don't listen on port 25 of that host. Sites that can't turn off the secondary MX could consider announcing another MX with a still higher preference number than that of their real secondary MX to act as a spam decoy.
Real emailers will not be inconvenienced because in the unlikely event that they try to contact the secondary MX, their attempts will simply time out and mail will requeue remotely to be delivered to the primary MX later. And Domino shops can minimise occurrences of this by ensuring there is minimal contention for mail.box - just run a sensible number of mail.boxes on your inbound Domino servers (we have 3).
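A way to check that a domain's MX layout matches the setup described above, as an added example that is not from the original post: it parses output shaped like `dig +short MX`, probes port 25 on each announced host, and reports which hosts act as primary, live secondary or decoy. The hostnames, the role labels and the `audit_mx` helper are assumptions made for illustration.

```python
import socket

def parse_mx(dig_output):
    """Parse `dig +short MX <domain>` lines ("<pref> <host>.") into sorted (pref, host)."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)

def tcp25_open(host, timeout=5.0):
    """True if something accepts a TCP connection on port 25 of host."""
    try:
        with socket.create_connection((host, 25), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unresolvable all count as "not listening"
        return False

def audit_mx(records, probe=tcp25_open):
    """Classify each announced MX (hypothetical role labels) and flag broken layouts."""
    if not records:
        return {"roles": {}, "problems": ["no MX records announced"]}
    best = records[0][0]
    roles, problems = {}, []
    for pref, host in records:
        listening = probe(host)
        if pref == best:
            roles[host] = "primary" if listening else "primary-DOWN"
        else:
            roles[host] = "live-secondary" if listening else "decoy"
    if not any(r == "primary" for r in roles.values()):
        problems.append("no preferred MX is listening: inbound mail will only queue remotely")
    if len({p for p, _ in records}) == 1:
        problems.append("only one preference level announced: nothing acts as a decoy")
    # The highest preference number is the one the post sees targeted; it should be closed.
    worst = records[-1][0]
    for pref, host in records:
        if pref == worst and pref != best and roles[host] == "live-secondary":
            problems.append(f"{host} (pref {pref}) is the highest-numbered MX and still accepts port 25")
    return {"roles": roles, "problems": problems}

# Constructed sample: output shaped like `dig +short MX example.org`.
SAMPLE = "20 mx2.example.org.\n10 mx1.example.org.\n30 decoy.example.org.\n"

if __name__ == "__main__":
    fake = lambda h: h in {"mx1.example.org", "mx2.example.org"}  # stand-in probe, offline
    print(audit_mx(parse_mx(SAMPLE), probe=fake))
```

Calling `audit_mx(parse_mx(text))` without the `probe` argument makes real TCP connections to port 25 of each listed host.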
Category: Domino: Administration
1. Nathan T. Freeman 15/09/2004 14:29:12
Do I occasionally forget to mention that you're my hero? :)
2. Richard Schwartz 15/09/2004 14:35:07
Homepage: http://smokey.rhs.com
Do you have an estimate of the bandwidth savings gained through elimination of all the spam attempts aimed at the secondary MX?
-rich
3. Chris Linfoot 15/09/2004 15:07:21
Nathan. I am the wind beneath your wings.
Richard, yes. Very small because what is saved over and above what would have been saved anyway is mainly a few thousand DNS lookups (<256 bytes each and typically half that) and a few thousand SMTP handshakes (220, EHLO, 250, MAIL FROM, 554). There is the matter of the few spams that actually make it in that way, but they are too few to have much effect on the overall bandwidth used.
That makes for an aggregate 100-150 bits per second on average, given our volumes. It isn't the bandwidth saving that really makes this worthwhile - but I have no doubt that it is very worthwhile.
4. David 15/09/2004 15:36:57
Chris.
Is there a reason why spammers tend to aim for those? Is it a misunderstanding of the values and they think the higher values are preferred?
5. Chris Linfoot 15/09/2004 15:48:25
Could be rule 3 (spammers are stupid), but actually I doubt it.
The reason that spammers deliberately target high preference number MXes is simply that very often these MXes enforce much weaker policies than lower preference number MXes for the same domain.
Often this is because they have been set up as "MX fallback" by a helpful ISP - if your mail server is down, we will accept your email and relay it to you when you are back up. Trouble is the ISP does not (mostly cannot) mirror the security policy of your low preference number MX, and the consequence is that everything gets through.
So not stupidity - base cunning would be my diagnosis.
6. Eric Parsons 15/09/2004 18:14:39
Homepage: http://www.startingblockcomputing.com
Okay, just a bit of clarification, (and you are a god in this arena, but don't let that go to your head...)
Are you turning off the SMTP service on that host, or are you removing the MX record from DNS? Not knowing if you host DNS for your domain, I'll mention here that (Large ISP, read $$$ for everything) carries our DNS, and I would see it better to leave the record, and turn off the SMTP service. Should the day come (HD crash, whatever) that we need to accept mail there, it's a simple "load smtp" at that server.
7. Chris Linfoot 15/09/2004 18:53:33
This only works if you don't delete the secondary MX record.
Then, should you need the secondary MX (primary is down for maintenance perhaps), just "load SMTP" at the secondary server.
8. hi 21/10/2004 04:48:56
I like Smiles
9. Chris Linfoot 21/10/2004 08:54:30
Smiles have their uses - yours may not be the most effective one
10. Durga Prasad 21/08/2005 11:18:08
This question may be slightly relevant here.
Suppose I have a Lotus Domino server in my head office and a secondary Lotus Domino server just to act as a secondary MX server in a remote regional office. Do I need to create all the users on the secondary MX server? Is there any documentation on setting up a secondary Lotus server? How is the security implemented?
regards
durga prasad
11. Chris Linfoot 22/08/2005 09:01:33
Register the second server in the same Domino domain as the first and replicate the address book between the two. No need to use the second server as secondary MX, but if you do then it could receive email for any user at either location. Notes/Domino mail routing would then handle final delivery.
12. Durga Prasad 15/10/2005 18:01:22
Hi,
Thanks for your comments, but my requirement is like this. I have a first site of Lotus Domino. Users are using the Notes client, webmail, POP3 etc. to check their mails.
Now I have planned a remote secondary site of Domino (to work as secondary MX).
If site 1 is down (somewhat common in our remote site), site 2 should be able to receive mails only for users in the address book.
Then users should be able to check and send mails through the 2nd site also. Once site 1 is up, the first site should pull mails from the second site to the 1st site.
Am I asking for too much? The requirement is for both sites to be able to send mails. I know that some mail servers may not accept mails from secondary MX servers. Some suggestions are very welcome.
regards
durga prasad
13. Chris Linfoot 19/10/2005 16:22:08
"I know that some mail servers may not accept mails from secondary MX servers."
Not in my experience. MX is not an indicator of where a message might originate, it is there purely to facilitate the delivery of inbound email and has nothing to do with outbound transmission.
No sensible site would refuse email that appeared to originate at a non-preferred MX for a domain. In fact no-one would check an MX record for an inbound email. Like I said - that's not what MX is for.
14. devender singh 22/02/2006 08:43:11
Hi,
I am devendr singh. I want to set up an additional Lotus Domino server.
The scenario is like this: at our HO we have a Lotus Domino server, and all the other locations, which are far away from that location, have to access that server, which is a very, very time-consuming process, and the consumption is very high in this, by which my other applications get slowed down.
Is there any way to set up an additional Domino server so that the local users work faster, the bandwidth consumption is low, and the replication happens at some specified time intervals?
Any suggestions or documentation on this?
Thanks
15. Chris Linfoot 22/02/2006 09:13:50
Yes it is very easy to set up an additional Domino server in the same domain and to schedule routing and replication between it and your other server. It is also well documented in Lotus' own administration help. I suggest you look there first.