Project tarbaby

From Computer Tyme Support Wiki

Revision as of 15:04, 18 August 2008

What is Project Tarbaby?

Project Tarbaby helps you reduce spam and helps us build our blacklist. This is done by adding a fake MX record to your existing MX lists. The fake MX record will be your highest numbered MX and it will point to one of our servers. We will not actually receive any of your email under any circumstances. We will return a 451 temporary error immediately after the DATA command. This tells the sender to come back later and try again. Good email is never lost using this method.

How Project Tarbaby Works

Spammers, however, often try to go in the "back door", thinking that your backup servers have less spam filtering than your main email server. So they send email to the highest numbered MX record first. Spammers also don't retry: they make an attempt, it fails, and they go on to the next victim. In the process, if we detect a spam bot signature, the IP address of the spam bot is added to our DNS blacklist. If you are also using our blacklist, there is an added bonus: our blacklist will tune itself to your spam, so that if the spam bots later try your main server they will be caught.

Generally real messages would never hit this server, but if all your servers are down there is still no harm done. We can tell the difference between real email and virus infected spam bots. Although some spam bots are missed, there are no false positives.

How much spam will be eliminated using TarBaby?

That depends on how much of your spam comes from virus infected spam bots. This has no effect on spam coming from Google, Yahoo, or Hotmail. But it might eliminate 40% of your virus infected spam bot spam just using the fake MX record, and if you also use the blacklist you might get more than 80% reduction in spam bot spam.

Setting up your MX records to use Project Tarbaby

Let's assume you have two MX records now and that your domain is example.com. Your MX records might look like this:

mail.example.com 10
backup.example.com 20

What you would do is add a third MX record as follows:

mail.example.com 10
backup.example.com 20
tarbaby.junkemailfilter.com 30

And that's all you have to do.
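
The trap only works as described if it stays the highest numbered record and at least one real server sorts ahead of it. The check below is an added example, not part of the original page or of the Tarbaby service; it parses the "host preference" layout shown above, and the function names and the GOOD and BAD samples are constructed for illustration.

```python
TRAP = "tarbaby.junkemailfilter.com"  # trap host name as given on this page

def parse_mx(text):
    """Parse 'host preference' lines, the layout used on this page."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            records.append((parts[0].rstrip(".").lower(), int(parts[1])))
    return records

def check_trap_mx(text, trap=TRAP):
    """Return a list of problems; an empty list means the layout is as described."""
    records = parse_mx(text)
    real = [pref for host, pref in records if host != trap]
    trap_prefs = [pref for host, pref in records if host == trap]
    problems = []
    if not trap_prefs:
        problems.append("trap MX missing")
    if not real:
        # The trap answers 451 to every DATA, so mail would never be delivered.
        problems.append("no real MX: every delivery would get 451")
    if trap_prefs and real and min(trap_prefs) <= max(real):
        # Senders try lower numbers first; a trap that ties with or sorts before
        # a real server would see, and defer, legitimate mail.
        problems.append("trap MX is not the highest numbered record")
    return problems

# Constructed samples: the layout from this page, and a misordered one.
GOOD = "mail.example.com 10\nbackup.example.com 20\ntarbaby.junkemailfilter.com 30\n"
BAD = "tarbaby.junkemailfilter.com 5\nmail.example.com 10\n"

if __name__ == "__main__":
    print(check_trap_mx(GOOD))
    print(check_trap_mx(BAD))
```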

Additional Technical Details

Virus infected spam bots are optimized for delivering as much spam as possible. So after sending email they don't wait around and politely close the connection the way normal email servers do. They just leave it open and let it time out. To be polite would be a waste of time and bandwidth. And this is especially true with a few well-timed response delays, which would slow them down if they played by the rules. What we look for is the lack of the QUIT command. So if they are on a high numbered MX that they generally should not be sending to, AND they don't issue QUIT, and they commit a few other sins that we track, we can usually identify them on the first attempt without false positives. This method has proven to be very effective in quickly identifying virus infected spam bots and getting them listed in 2 minutes from the spam attempt.
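
The two signals named above (a delivery attempt on the trap MX, and a connection that ends without QUIT) can be sketched as a log classifier. This is an added example, not the service's own code: the log format, the verdict names and the sample sessions are constructed, and the "other sins" the service tracks are not described on this page, so they are not modelled.

```python
# Constructed trap-MX log: "<conn-id> <client-ip> <event>"; TIMEOUT = idle close.
SAMPLE_LOG = """\
c1 192.0.2.10 HELO
c1 192.0.2.10 MAIL
c1 192.0.2.10 RCPT
c1 192.0.2.10 DATA
c1 192.0.2.10 TIMEOUT
c2 198.51.100.7 EHLO
c2 198.51.100.7 MAIL
c2 198.51.100.7 RCPT
c2 198.51.100.7 DATA
c2 198.51.100.7 quit
c3 203.0.113.5 EHLO
c3 203.0.113.5 TIMEOUT
c4 192.0.2.44 HELO
c4 192.0.2.44 DATA
"""

def classify_sessions(log_text):
    """Map conn-id -> (ip, verdict) for sessions that have ended."""
    state = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        conn, ip, event = parts[0], parts[1], parts[2].upper()
        s = state.setdefault(conn, {"ip": ip, "data": False, "quit": False, "ended": False})
        if s["ended"]:
            continue  # ignore anything logged after the session closed
        if event == "DATA":
            s["data"] = True  # the trap answers 451 here; no mail is accepted
        elif event in ("QUIT", "TIMEOUT"):
            s["ended"], s["quit"] = True, event == "QUIT"
    verdicts = {}
    for conn, s in state.items():
        if not s["ended"]:
            continue  # still open: a QUIT may yet arrive
        if s["quit"]:
            verdicts[conn] = (s["ip"], "polite")
        elif s["data"]:
            verdicts[conn] = (s["ip"], "candidate")  # tried delivery, never said QUIT
        else:
            verdicts[conn] = (s["ip"], "inconclusive")
    return verdicts

def candidate_ips(log_text):
    return sorted({ip for ip, v in classify_sessions(log_text).values() if v == "candidate"})
```

A "candidate" here is only a session matching both published signals; on its own it is not the listing decision the page describes.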

Why are we doing this for free?

Because it helps us at Junk Email Filter (http://www.junkemailfilter.com) build a larger list. It helps us block spam in our front end spam filtering operation, making for happier customers. We also sell rsync access to our lists, and it makes our lists more valuable. And if you like the results from this free service you might want to buy our full service. So this is win/win.
