PermaLink DNSRBL stats for May 2003 (risk of abuse of secondary MX)
Spotted this phenomenon quite some while ago and posted to LDD about it at the time.

Now that I have the analysis and reporting down to a well-tuned procedure that takes only a few minutes to generate the sort of charts you see to the right here, this affords an opportunity to delve a little deeper into such matters.

We operate two MXes for most of our domains. These have preference numbers 10 (call it host A) and 100 (call it host B) respectively.

MX preference values are an ordering, not traffic weights: a compliant sending MTA must try the lowest-preference host (A) first and fall back to host B only when A cannot be reached, so whatever arrives at B comes from transient failures at A, retries, and senders that go to the backup by choice. For the purposes of this post, roughly 1/10 of the inbound SMTP traffic at host B compared to host A is taken as the working baseline, and indeed, just counting the total number of SMTP sessions (successful or otherwise), the observed ratio is in that ball park (with some generous rounding). That overall session share is the yardstick for the per-category comparisons that follow.
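How a standards-compliant sender chooses between host A and host B, as an added example (not code from the original post): it applies the RFC 2821 rule of trying the lowest-preference MX first and moving on only when that attempt fails, and contrasts it with a sender that deliberately heads for the backup. The host names, the `connect` stand-in for the SMTP transaction and the availability simulation are assumptions made for the example.

```python
import random

# Constructed MX records for a domain set up as in the post: host A at
# preference 10, host B at preference 100. Host names are assumptions.
MX_RECORDS = [(100, "mx-b.example.com"), (10, "mx-a.example.com")]


def order_mx(records, rng=random):
    """Order MX hosts as RFC 2821 section 5 requires a sending MTA to try them:
    lowest preference value first; hosts sharing a preference are shuffled so
    load is spread among equals. Preference is an ordering, not a weight."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def deliver(records, connect, rng=random):
    """Deliver one message the compliant way: try each MX in preference order
    and move to the next only when the attempt fails. connect(host) stands in
    for opening the TCP connection and completing the SMTP transaction and
    returns True on success. Returns the accepting host, or None if all fail."""
    for host in order_mx(records, rng):
        if connect(host):
            return host
    return None


def backdoor_target(records):
    """What a sender that ignores the rules does: go straight to the highest
    preference value, i.e. the backup host, on the assumption that it is the
    less well defended door."""
    return max(records)[1]


def simulate(records, n, a_availability, seed=0):
    """Send n messages from a compliant sender while host A is reachable with
    probability a_availability; host B is always reachable. Returns the
    fraction of messages each host accepted, so B's share equals A's downtime,
    not the ratio of the preference numbers."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        a_up = rng.random() < a_availability

        def connect(host, a_up=a_up):
            return True if host == "mx-b.example.com" else a_up

        host = deliver(records, connect, rng)
        counts[host] = counts.get(host, 0) + 1
    return {h: c / n for h, c in counts.items()}


if __name__ == "__main__":
    print("try order:", order_mx(MX_RECORDS))
    print("A always up:", simulate(MX_RECORDS, 1000, 1.0))
    print("A up 90% of the time:", simulate(MX_RECORDS, 1000, 0.9))
    print("rule-ignoring sender goes to:", backdoor_target(MX_RECORDS))
```

Run with A up 90% of the time and host B ends up with about a tenth of the traffic, which is the only way a compliant sender population produces a 10:1 split; a sender that starts with `backdoor_target` is doing something no compliant MTA does, which is the point the statistics below turn on.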

Now look at the detail, comparing each category's share at host B against that overall share of sessions.

  • Based on probability alone, the number of emails successfully delivered to host B is 1/10 of what it should be.

  • Based on probability alone, the number of rejections due to 550 (no such user) and 554 (DNSBL: Spamhausen) is more or less exactly what it should be.

  • Based on probability alone, the number of rejections due to 554 (locally blocked), 554 (DNSBL: Spamcop) and 554 (sender domain is forged) is double what it should be.

  • Based on probability alone, the number of rejections due to 554 (DNSBL: Abuse) is fully three times what it should be.

  • And based on probability alone, the number of rejections due to 554 (attempted third party relay) is more than five times what it should be.

Draw your own conclusions, but it seems apparent that when people are seeking out resources to exploit, they more often try the metaphorical back door than the front door. The moral is clear - don't concentrate your security efforts on the front door alone; make the back door as secure as the front one.
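The comparison the bullets above make, as an added example that is not the author's own reporting procedure: it tallies SMTP session outcomes per MX host from log lines, takes host B's overall share of sessions as the baseline, and reports how far each outcome category departs from it. The log format, the host labels and the per-category counts (chosen so that host B sees 10% of sessions and the categories reproduce the pattern described above) are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from fractions import Fraction

# Assumed log format, one session outcome per line (constructed, not the
# author's MTA format):  <date> <mx-host> <smtp-code> <outcome text>
LOG_LINE = re.compile(r"^\S+\s+(?P<host>\S+)\s+(?P<code>\d{3})\s+(?P<reason>.+)$")

# Constructed session counts per outcome, (host A, host B), chosen so that
# host B sees exactly 10% of all sessions and the categories show the pattern
# the post describes.
SAMPLE_COUNTS = {
    "250 delivered": (990, 10),
    "550 no such user": (450, 50),
    "554 DNSBL: Spamhausen": (180, 20),
    "554 locally blocked": (80, 20),
    "554 DNSBL: Spamcop": (80, 20),
    "554 sender domain is forged": (40, 10),
    "554 DNSBL: Abuse": (70, 30),
    "554 attempted third party relay": (45, 55),
}


def constructed_log():
    """Expand the sample counts into log lines in the assumed format."""
    lines = []
    for outcome, (a, b) in SAMPLE_COUNTS.items():
        code, text = outcome.split(" ", 1)
        lines += [f"2003-05-01 hostA {code} {text}"] * a
        lines += [f"2003-05-01 hostB {code} {text}"] * b
    return lines


def tally(lines):
    """Count sessions per outcome category and per MX host. Lines that do not
    match the format (chatter, malformed entries) are skipped, not counted."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        counts[f"{m['code']} {m['reason']}"][m["host"]] += 1
    return counts


def backdoor_ratios(counts, backup="hostB"):
    """Baseline = the backup host's share of all sessions. For each category
    return (its share at the backup) / baseline: 1 means 'what probability
    alone predicts', 2 means double, and so on. Exact fractions avoid float
    noise in the comparison."""
    total = sum(sum(c.values()) for c in counts.values())
    if total == 0:
        return Fraction(0), {}
    at_backup = sum(c[backup] for c in counts.values())
    baseline = Fraction(at_backup, total)
    ratios = {cat: Fraction(c[backup], sum(c.values())) / baseline
              for cat, c in counts.items()}
    return baseline, ratios


def flagged(ratios, threshold=2):
    """Categories hitting the backup at least `threshold` times the baseline:
    the outcomes where the back door is being tried disproportionately."""
    return sorted(cat for cat, r in ratios.items() if r >= threshold)


if __name__ == "__main__":
    baseline, ratios = backdoor_ratios(tally(constructed_log()))
    print(f"host B baseline share of sessions: {float(baseline):.1%}")
    for cat, r in sorted(ratios.items(), key=lambda kv: kv[1]):
        print(f"{float(r):5.2f} x  {cat}")
    print("flagged:", flagged(ratios))
```

Pointing `tally` at a real MTA log only needs `LOG_LINE` adjusted to that log's layout; the baseline and the per-category ratios are what to watch month on month, since a category whose ratio climbs is one where senders are increasingly choosing the backup host on purpose.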


Category: Spam Statistics
Comments:

1. Maria Helm, 25/06/2003 15:20:07


Chris,

Followed your link from LDD. I was intrigued by your posting "DNSRBL stats for May 2003 (risk of abuse of secondary MX)" as I have the same suspicion.

Question: You made the comment: "We operate two MXes for most of our domains. These have preference numbers 10 (call it host A) and 100 (call it host B) respectively...So, in the ordinary run of things, you would expect to see roughly 1/10 of the inbound SMTP traffic at host B compared to host A."

This seems to imply that mail delivery allocates a certain percentage (based on MX weight) of connections to the secondary MX record, (regardless of failure to deliver to primary).

Is this the case, and if so do you have any supporting documentation other than your own findings? I'd like to use this information to support a project for upgrading our backup mail server's anti-virus/filtering service.




2. Chris Linfoot, 25/06/2003 15:37:46
Homepage: http://chris-linfoot.net


These numbers indicate the "routing cost" to route mail via these hosts. This is not a real cost of course, but it is intended to ensure that users will generally try the lowest cost route first.

With a very small sample of inbound traffic, you will find that virtually all will come via the lower preference number MX.

However, as the sample size increases, the number of hosts connecting via the higher-cost MX will increase, and as the traffic level increases it is statistically likely that the proportion of mail routed via the MXes will approach a similar ratio to the ratio of the MX preference numbers, all other factors being equal.

Our hosts are nowhere near that busy yet, so a ratio of 10:1 is not really what I would have expected, nor what I got. The ratio was actually nearer 6% (which is what I meant by generous rounding).

HTH