Reducing Spam: MX Records
A quick, easy way to help reduce the number of spam attempts against your domain is to use “bad” MX records. With the correct MX setup, properly configured mail servers will still send e-mail to you, while a large portion of spammers will bypass your domain.
First, a quick tutorial. A DNS MX record is a “mail exchanger” record for your domain; it tells mail servers how to send e-mail to your domain. The MX record is set to either your own mail server, or (in the case of smaller domains) your ISP’s mail server. There can be more than one MX record per domain, which is why each MX record contains a number indicating its priority; sending servers try the record with the lowest number first. For example, the MX records for cnn.com are:
cnn.com mail exchanger = 30 lonmail1.turner.com.
cnn.com mail exchanger = 40 hkgmail1.turner.com.
cnn.com mail exchanger = 10 atlmail3.turner.com.
cnn.com mail exchanger = 10 atlmail5.turner.com.
cnn.com mail exchanger = 10 nycmail1.turner.com.
As you can see by the records, any mail server trying to send e-mail to someone@cnn.com needs to connect to the machines “atlmail3.turner.com” or “atlmail5.turner.com” or “nycmail1.turner.com”. If those machines are offline, e-mail should go to “lonmail1.turner.com” and finally, if that machine is down, e-mail should go to “hkgmail1.turner.com”.
Now, many spammers choose to ignore this rule and will instead only attempt to go to one of the MX records and then give up. In our case, if a spammer tried to connect to “atlmail3.turner.com” and it was offline, the spammer would move on to the next spam target and CNN wouldn’t get that piece of spam.
Armed with the knowledge that well-behaved mail servers will always try the next MX record, and many spammers will abandon their attempt, a simple strategy appears: always have the first MX record fail. If the first MX record for your domain always rejects connections, the amount of spam attempts should drop, while legitimate e-mail will still go through.
So, let’s say your e-mail server is located at “mail.yourdomain.com”. Your MX records probably look like:
yourdomain.com mail exchanger = 10 mail.yourdomain.com.
We need to add an MX record that always rejects e-mail connections, like so:
yourdomain.com mail exchanger = 5 badmx.yourdomain.com.
yourdomain.com mail exchanger = 10 mail.yourdomain.com.
(Obviously in this scenario you would need to set up the IP address for “badmx.yourdomain.com” and have it point at a machine that did not have e-mail service on it.)
Now, this will reduce the number of spam attempts, but many spammers will actually target the MX record with the highest priority number (the backup server that would normally be tried last). In our case, such a spammer will go directly to mail.yourdomain.com without trying badmx.yourdomain.com. To solve this issue, we add a second rejecting MX record with a higher priority number than your mail server. To revisit our previous example, the MX records would then look like:
yourdomain.com mail exchanger = 5 badmx.yourdomain.com.
yourdomain.com mail exchanger = 10 mail.yourdomain.com.
yourdomain.com mail exchanger = 20 badmx2.yourdomain.com.
This would catch a large number of spammers, and should still allow valid e-mail servers to send you e-mail.
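The layout above can be checked offline before it goes into DNS. The following is an added example, not code from the original article: it parses MX lines in the format shown here and models the three sender behaviours the article describes. The strategy names, the LISTENING set and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the article's final MX layout, in the format shown above.
MX_OUTPUT = """\
yourdomain.com mail exchanger = 5 badmx.yourdomain.com.
yourdomain.com mail exchanger = 10 mail.yourdomain.com.
yourdomain.com mail exchanger = 20 badmx2.yourdomain.com.
"""
# Assumption: only the real mail server accepts connections on port 25.
LISTENING = {"mail.yourdomain.com"}

MX_LINE = re.compile(r"^\S+\s+mail exchanger = (\d+)\s+(\S+?)\.?$")

def parse_mx(text):
    """Return [(number, host)] sorted so the lowest number comes first."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2).lower()))
    return sorted(records)

def deliver(records, listening, strategy):
    """Return the host that accepted the message, or None if the sender gave up."""
    if strategy == "compliant":      # walks the whole list, lowest number first
        candidates = records
    elif strategy == "first_only":   # tries the lowest number, then gives up
        candidates = records[:1]
    elif strategy == "last_only":    # goes straight to the highest number
        candidates = records[-1:]
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    for _number, host in candidates:
        if host in listening:
            return host
    return None

def check_layout(records, listening):
    """True if dead hosts hold the lowest and highest numbers with a live host between."""
    hosts = [h for _number, h in records]
    if len(hosts) < 3 or hosts[0] in listening or hosts[-1] in listening:
        return False
    return any(h in listening for h in hosts[1:-1])

if __name__ == "__main__":
    mx = parse_mx(MX_OUTPUT)
    for s in ("compliant", "first_only", "last_only"):
        print(s, "->", deliver(mx, LISTENING, s))
    print("layout ok:", check_layout(mx, LISTENING))
```

Dropping the record numbered 20 from MX_OUTPUT shows the gap the second rejecting record closes: the "last_only" sender then lands on mail.yourdomain.com.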
For smaller domains that don’t have the ability to arbitrarily add or remove hosts but can still make changes to their DNS, Heluna offers two MX records that perform exactly this function. “reject1.heluna.com” and “reject2.heluna.com” both refuse any e-mail connections, so your list of MX records can look like so:
yourdomain.com mail exchanger = 5 reject1.heluna.com.
yourdomain.com mail exchanger = 10 mail.yourdomain.com.
yourdomain.com mail exchanger = 20 reject2.heluna.com.
Be sure to adjust the records to fit your domain; make sure that one of the Heluna servers has a lower priority number than your mail server, and that the other Heluna server has a higher priority number than your mail server.
Did this solution help you? Are you using the Heluna reject servers to reduce your incoming spam attempts? Let us know in the comments!

I am using the following on several domains:
domain.com MX (5) reject1.heluna.com.
domain.com MX (10) mail.heluna.com.
domain.com MX (10) mailb.heluna.com.
domain.com MX (40) reject2.heluna.com.
Comment by Jacob Barr — March 1, 2008 @ 7:13 pm