For several years, until the end of June, I self-hosted my e-mail. My ISP, atypically, offers static IP addresses, and I ran my own mail server and had several domains registered here.
Its no surprise I got a lot of spam delivered here, especially through e-mail addresses published for years in articles Ive written.
But I thought when I moved my domains, that would change. At the end of June I moved my domains to a hosting account and the DNS for those domains, including the MX records (which point to the mail servers).
I removed all the domain records from the mail server, but in order to check for errors, I left the server on and logging.
Its more than three weeks later now, and guess what? Mail is still pouring into my server here.
I didnt think it possible, but the whole episode has actually lowered my opinion of spammers. Theyre still at zero Kelvin on the morality scale, but my sense of their competence has taken a beating.
When you send e-mail, for instance to [email protected], at some point a mail transfer agent in the process of delivering your message will look at the “ziffdavis.com” part of it and query DNS to see what the MX record is, and attempt to deliver it to that server.
Exactly how this happens depends on a lot of variables, but I think Ive described the essential parts fairly.
In my case, on June 30 I changed the authoritative DNS for my e-mail domains and set the new DNS to point to a different server. DNS working the way it does, conventional wisdom says that it takes a few days for these changes to replicate out to the Internet as a whole.
Theres also the lesser issue of TTL or Time To Live, which defines the lifetime of a DNS cache entry.
In order to spare DNS servers from constant beatings in times of heavy traffic, clients are designed to cache entries for a period of time defined in the DNS as the TTL. My TTL is one hour, so it couldnt explain a long-term problem.
By the third day, it seemed to me that all the legitimate mail had moved on to the new servers and everything left was nakedly illegitimate.
Every single message sent to my server since then has been rejected with an SMTP 551 error: “User not local. Authentication required for relay.”
So, if none of the DNS out there point back to my home server, why are the spammers still sending to me?
Because the zombies or bots out there sending this mail have been instructed not to follow the SMTP protocol: They dont look up the MX server of the destination address, they have been given a specific IP address of a server to use.
I suppose theres an efficiency in this from one point of view, in that it removes some DNS lookups. And perhaps a bot installed on a broadband client system that performed a large number of MX DNS lookups would look suspicious and perhaps draw attention.
Of course the bursts of mail going out port 25 should also draw attention, but they dont actually seem to often enough.
Looking back at the last few messages, I see not only attempts to send mail to me but several messages from some user somewhere (and undoubtedly a fake from address) to some other user somewhere else, not on my servers. In other words, this message assumes Im an open relay. Im not. I dont think I ever have been.
Incidentally, I have some numbers on the ISPs of the systems sending the traffic to me.
By far the greatest number, 88 out of 337, were on Comcast. 66 were on Road Runner, and 24 on AT&T/SBC. The rest were generally on far-eastern networks.
Its tempting to think that spammers are rational actors and what they do is designed to increase the chances that their e-mail gets delivered, but the fact is that a lot of spammers are stupid about their programming and lazy about maintenance.
What percentage of e-mail traffic on the wire is so broken in this and other ways that it literally has no chance of being delivered? My next column will have more tales of wasted and abusive Internet traffic, and something to do about it.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at [email protected]