Project tarbaby

From Computer Tyme Support Wiki

Jump to: navigation, search

Contents

What is Project Tarbaby?

Project Tarbaby helps you reduce spam and helps us at Junk Email Filter build our blacklist. This is done by adding a fake MX record to your existing MX lists. The fake MX record will be your highest numbered MX and it will point to one of our servers. We will not actually receive any of your email under any circumstances. We will return a 451 temporary error immediately after the DATA command. This tells the sender to come back later and try again. Good email is never lost using this method. Here's what a connection to tarbaby looks like:

helo example.com
250 tarbaby.junkemailfilter.com Hello mail.example.com [1.2.3.4]
mail from:<spammer@spamdomain.com>
250 OK
rcpt to:you@yourdomain.com
250 Accepted
data
451 DEFER - Try a lower numbered MX record - http://www.junkemailfilter.com
quit
221 tarbaby.junkemailfilter.com closing connection

How Project Tarbaby Works

Spammers however often try to go in the "back door" thinking that your backup servers hae less spam filtering than your main email server. So they send email to the highest numbered MX record first. And spammers don't retry so they make an attempt, it fails, and they go on to the next victim. In the process if we detect a spam bot signature then the IP address of the spam bot is added to our DNS blacklist. If you are also using our blacklist then there is an added bonus in that our blacklist will tune itself to your spam so that if the spam bots later try your main server then they will be caught.

Generally real messages would never hit this server, but if all your servers are down there is still no harm done. We can tell the difference between real email and virus infected spam bots. Although some spam bots are missed, there are no false positives.

How much spam will be eliminated using TarBaby?

That depends on how much of your spam come from virus infected spam bots. This has no effect on spam comping from Google, Yahoo, or Hotmail. But it might eliminate 40% of your virus infected spam bot spam just using the fake MX record and if you also use the blacklist you might get more than 80% spam reduction in spam bot spam.

Setting up your MX records to use Project Tarbaby

Lets assume you have two MX records now and that your domain is example.com. Your MX might look like this.

mail.example.com 10
backup.example.com 20

What you would do is add a third MX record as follows:

mail.example.com 10
backup.example.com 20
tarbaby.junkemailfilter.com 30

And that's all you have to do.

Using Tarbaby with Dead Domains

Do you have dead domains that still get a lot of spam? We are interested in harvesting them as well. If your domain is dead, especially if it's been dead for some time then you can help us build our blacklist by pointing your dead domain to our tarbaby server. Just set your MX record as follows:

tarbaby.junkemailfilter.com 10

If we detect that tarbaby.junkemailfilter.com is your lowest MX record we will reject the email with a 550 response. This lets innocent email such as old email lists be cleanly rejected. And we are careful not to list any false positives.

Additional Technical Details

Virus infected spam bots are optimized for delivering as much spam as possible. So after sending email they don't wait around and politely close the connection the way normal email servers do. They just leave it open and let it time out. To be polite would be a waste of time and bandwidth. And this is especially true with a few well timed response delays that would slow them down if they played by the rules. What we look for is the lack of using the QUIT command. So if they are on a high numbered MX that generally they should not be sending to AND they don't issue QUIT, and they commit a few other sins that we track we can usually identify them on the first attempt without false positives. This method has proven to be very effective in quickly identifying virus infected spam bots and getting them listed in 2 minutes from the spam attempt.

Punishing Spammers

We also put in significant delays at each stage of the SMTP transaction (a few seconds) that tends to trip up and slow down spam bots. This keeps their connections open longer and slows them down making them less effective. It increases accuracy and causes spammers pain.

Why are we doing this for free?

Because it helps us at Junk Email Filter build a larger list. It help us block spam in our front end spam filtering operation making for happier customers. We also sell rsync access to our lists and it makes our lists more valuable. And if you like the results from this free service you might want to buy our full service. And we just hate spam in general and we get a thrill out of stopping it. So this is win/win.

Feedback

We'd like to hear how well this is working for you and your comments and suggestions. Send your thoughts to support@junkemailfilter.com.

Personal tools