Do I really need an MX record? (for e-mail to work)

Kurt Boyack kboyack at gmail.com
Fri Dec 23 20:17:35 UTC 2005


On 23 Dec 2005 09:58:26 -0800, sm5w2 at hotmail.com <sm5w2 at hotmail.com> wrote:
> Kurt Boyack wrote:
>
> > I've put up many mail servers, and the spammers usually find them long
> > before they have MX records
> > They scan IP addresses and look for hosts listening on port
> > 25, then they start sending spam and trying to relay.
>
> I don't believe that most spam is sent the way you describe.

I did not say that most spam was sent that way, but I know for a fact
that some of it is.

> I believe that spammers have lists of e-mail (millions of addresses)
> some verified, many probably aren't (but probably were once valid
> addresses).  These lists just keep getting bigger, addresses harvested
> from various web sources, etc.
>
> It would be insane to scan an IP block for a responding NNTP server,
> and then try to fire off spam to that server without even knowing what
> domain that server was handling, let alone getting the user names
> right.  The server would be rejecting the attempts left and right.

There are people out there scanning IP addresses all day long. They
are constantly looking for computers to hack and mail servers to relay
off of.

> > It sounds like the reason you are getting less spam is not due to your
> > MX going away, but due to your IP address changing. It is only a matter
> > of time before your mail server is found by spammers.
>
> I believe that most spam is sent by home computers (zombies) infected
> by back-door trojan services that allow spammers to up-load lists of
> e-mail addresses and e-mail payloads to those machines which then begin
> a spam campaign or spam run.

How do you think they found these computers? Through MX records?

> The way I see it, zombies either send e-mail through the out-going SMTP
> server belonging to the ISP to which the zombie has access, or the
> zombie sends it directly to the recipient's server (direct-to-mx).  If
> it is direct-to-mx, then either (a) the zombie must perform the mx
> lookups itself (which may be blocked by the ISP), or (b) the recipient
> list that is uploaded by the spammer includes the mx lookup information
> already (in which case it might be old information that is rarely
> updated - which is a good thing in my case).

So you are saying that they cannot send you spam because you do not
have an MX record? I thought you said that you were able to get email
without an MX record?

> The logical thing for the spammer to do is to make the communication
> with the zombie as innocuous and short as possible, and make the
> operation of the zombie as quick and efficient as possible during the
> spam run.  In that regard, a single payload transferred to the zombie
> (containing the entire e-mail list, IP of destination server, and
> payload) runs a low risk of being caught by network admins or equipment
> that monitor suspicious behavior.  And when the spam run begins, the
> lack of performing MX lookups also reduces vulnerability to detection
> of the zombie (and the run is performed faster).

This makes no sense.

> Port scanning is easily detected by ISPs and I doubt very much that a
> spam-zombie would do this.

There are no laws against port scanning and it is done constantly.

> Your comment about the reduction in spam because of IP changing is
> certainly possible (as described in case b above).  I would love to
> read more about the general details about how spammers and zombies
> interact with each other, and whether or not zombies really do have
> to perform MX lookups themselves (and what do they do if there is no MX
> record) or if the IP of the recipient's server is given to the zombie
> by the spammer.

They could also get your IP from the A record on your domain, or by
running a port scan.

> > I think having an MX record is a good idea.
>
> So do I, but until I see evidence that some (or any) legit e-mail is
> not making it to us, I will continue to leave our MX record
> un-configured.  The payoff in a 75-80% reduction in spam is just too
> useful to us at this point.  I can now forward e-mail from our sales
> and support accounts to others within our organization vs having to
> wade through the junk myself and pick out the good e-mails.

How would you know if a customer cannot send you an email message?
There could be people out there trying to send email to your company.
If they don't write a letter or call you, you would never know. If
they cannot send you an email, they may decide to do business
elsewhere.
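
The question in the subject line, whether mail can be delivered to a domain with no MX record, is settled by RFC 2821 section 5 (carried into RFC 5321): a sending MTA queries MX first and, when the domain has no MX records at all, treats the domain's own address record as an implicit MX of preference 0. The following example is added by the editor and is not code from either poster; it implements that target-selection logic against a constructed in-memory zone so it runs offline. The domain names and 192.0.2.x addresses are made up. It goes one step beyond the 2005 thread by also handling the "null MX" (a single MX of "." with preference 0) defined in RFC 7505, which is the standard way to say a domain accepts no mail, as opposed to simply having no MX record.

```python
"""Added example: how a conforming MTA picks delivery hosts for a recipient
domain (RFC 2821 s.5 / RFC 5321 s.5.1, plus the RFC 7505 null MX).

The DNS data is a constructed in-memory zone, not a live lookup.
"""
import random
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data: owner name -> {rrtype: [records]}.
# MX records are (preference, exchange) tuples.  All names/addresses are made up.
FAKE_DNS: Dict[str, Dict[str, list]] = {
    "with-mx.example":     {"MX": [(10, "mx1.with-mx.example"),
                                   (20, "mx2.with-mx.example"),
                                   (10, "mx3.with-mx.example")],
                            "A": ["192.0.2.1"]},
    "mx1.with-mx.example": {"A": ["192.0.2.10"]},
    "mx2.with-mx.example": {"A": ["192.0.2.20"]},
    "mx3.with-mx.example": {"A": ["192.0.2.30"]},
    # The case discussed in the thread: no MX record, only an A record.
    "no-mx.example":       {"A": ["192.0.2.50"]},
    # RFC 7505 null MX: the domain explicitly refuses mail.
    "null-mx.example":     {"MX": [(0, ".")], "A": ["192.0.2.60"]},
    # No records at all: delivery is a permanent failure.
    "nxdomain.example":    {},
}


def lookup(name: str, rrtype: str) -> list:
    """Stand-in for a DNS query; answers only from the constructed zone above."""
    return list(FAKE_DNS.get(name.rstrip(".").lower(), {}).get(rrtype, []))


def mail_hosts(domain: str, rng: Optional[random.Random] = None) -> List[str]:
    """Return the hostnames an MTA should try, in order, for mail to `domain`.

    Lowest MX preference first; equal preferences in random order (RFC 5321
    s.5.1); no MX at all -> implicit MX on the domain itself; null MX -> nothing.
    """
    rng = rng or random.Random(0)
    mx = lookup(domain, "MX")
    if not mx:
        # Implicit MX: fall back to the domain's own address record, if any.
        return [domain] if lookup(domain, "A") else []
    if len(mx) == 1 and mx[0] == (0, "."):
        # Null MX: the domain accepts no mail; do not attempt delivery.
        return []
    by_pref: Dict[int, List[str]] = {}
    for pref, exchange in mx:
        by_pref.setdefault(pref, []).append(exchange)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        rng.shuffle(hosts)  # load-spread among equal-preference exchanges
        ordered.extend(hosts)
    return ordered


def delivery_targets(domain: str) -> List[Tuple[str, str]]:
    """Resolve each candidate mail host to (host, ip) pairs, in delivery order."""
    targets: List[Tuple[str, str]] = []
    for host in mail_hosts(domain):
        for ip in lookup(host, "A"):
            targets.append((host, ip))
    return targets


if __name__ == "__main__":
    for d in ("with-mx.example", "no-mx.example", "null-mx.example", "nxdomain.example"):
        print(f"{d:20s} -> {delivery_targets(d) or 'no delivery'}")
```

Run as a script it prints the delivery order for each of the four constructed domains. The point for the thread: a conforming sender reaches "no-mx.example" on 192.0.2.50 without any MX record, so the absence of an MX does not by itself stop legitimate mail; only senders that skip the implicit-MX fallback would fail to deliver.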

More information about the bind-users mailing list