[Leaplist] Nullisting, comments wanted
Bill Anderson
bill at noreboots.com
Tue Jan 23 02:25:04 EST 2007
On Tuesday 23 January 2007 00:06, ray wrote:
> http://www.joreybump.com/code/howto/nolisting.html
>
>
> Nolisting
>
>
> Poor Man's Greylisting
>
> ------------------------------------------------------------------------
>
> What is it?
>
> Nolisting fights spam by specifying a primary MX that is always
> unavailable.
>
> Is it the same as greylisting?
>
> No, but it exploits the same noncompliant behaviour of spamware and
> viruses, including those that spread via internal SMTP engines.
> Greylisting is an approach promoted and rigorously tested by Evan
> Harris. It is sensible, RFC-compliant, time-proven, and valuable as
> one part of a multilayer defense against spam. For more information
> about greylisting, visit Greylisting: The Next Step in the Spam
> Control War <http://projects.puremagic.com/greylisting/>.
>
> How does Nolisting work?
>
> It has been observed that when a domain has both a primary (high
> priority, low number) and a secondary (low priority, high number) MX
> record configured in DNS, overall SMTP connections will decrease
> when the primary MX is unavailable. This decrease is unexpected
> because RFC 2821 (Simple Mail Transfer Protocol) specifies that a
> client MUST try and retry each MX address in order, and SHOULD try
> at least two addresses. It turns out that nearly all violators of
> this specification exist for the purpose of sending spam or viruses.
> Nolisting takes advantage of this behaviour by configuring a
> domain's primary MX record to use an IP address that does not have
> an active service listening on SMTP port 25. RFC-compliant clients
> will retry delivery to the secondary MX, which is configured to
> serve the role normally performed by the primary MX (final delivery,
> transport rerouting, etc.).
>
> and much more from the above link. Sounds interesting, but could it not
> lead to issues with some ISPs like Earthlink and AOL, who are known for
> being rather stupid in their mail servers?
It is worse than that. RFC-compliant MTAs will often tag a destination as
problematic when a certain percentage of errors is reached in delivery
attempts. By providing two servers, one of which is always "down", you
increase the chances your domain will be tagged as problematic. As a result,
legitimate mail will be delayed unreasonably. Further, it could possibly get
you listed on various blacklists as not conforming to specs, thus resulting in
a delay or loss of mail routing for your own sourced mail.
A second issue is that it is quite common for spammers to specifically target
secondary MX records, since in many cases spam filters and controls are *not*
placed on backup mail servers. As a result you could see increased traffic on
your main server. Yes, it should be configured with all the same protections,
but it is sadly quite common that it is not. So-called "nolisting" violates
at least the spirit of the RFCs if not the letter. Greylisting, however, from
what I recall does not, even though some legitimate servers will permafail a
421 soft-bounce.
That said, both in their raw form suffer from the shotgun effect.
So-called "nolisting" is in my opinion a form of dumb greylisting. An
intelligent system that combines factors such as SPF, DomainKeys, history,
RFC compliance, etc. in the determination of whom to greylist is a better
route. I am working on one such system. That said, I implemented greylisting
and literally (as in yes, I ran the numbers) saw a greater than 90% reduction
in spam.
Cheers,
Bill