Do I really need an MX record? (for e-mail to work)

sm5w2 at hotmail.com
Fri Dec 23 17:58:26 UTC 2005


Kurt Boyack wrote:

> I've put up many mail servers, and the spammers usually find them long
> before they have MX records
> They scan IP addresses and look for hosts listening on port
> 25, then they start sending spam and trying to relay.

I don't believe that most spam is sent the way you describe.

I believe that spammers have lists of e-mail (millions of addresses)
some verified, many probably aren't (but probably were once valid
addresses).  These lists just keep getting bigger, addresses harvested
from various web sources, etc.

It would be insane to scan an IP block for a responding NNTP server,
and then try to fire off spam to that server without even knowing what
domain that server was handling, let alone getting the user names
right.  The server would be rejecting the attempts left and right.

> It sounds like the reason you are getting less spam is not due to your
> MX going away, but due to your IP address changing. It is only a matter
> of time before your mail server is found by spammers.

I believe that most spam is sent by home computers (zombies) infected
by back-door trojan services that allow spammers to up-load lists of
e-mail addresses and e-mail payloads to those machines which then begin
a spam campaign or spam run.

The way I see it, zombies either send e-mail through the out-going SMTP
server belonging to the ISP to which the zombie has access, or the
zombie sends it directly to the recipient's server (direct-to-mx).  If
it is direct-to-mx, then either (a) the zombie must perform the mx
lookups itself (which may be blocked by the ISP), or (b) the recipient
list that is uploaded by the spammer includes the mx lookup information
already (in which case it might be old information that is rarely
updated - which is a good thing in my case).

The logical thing for the spammer to do is to make the communication
with the zombie as innocuous and short as possible, and make the
operation of the zombie as quick and efficient as possible during the
spam run.  In that regard, a single payload transferred to the zombie
(containing the entire e-mail list, IP of destination server, and
payload) runs a low risk of being caught by network admins or equipment
that monitor suspicious behavior.  And when the spam run begins, the
lack of performing MX lookups also reduces vulnerability to detection
of the zombie (and the run is performed faster).

Port scanning is easily detected by ISPs and I doubt very much that a
spam-zombie would do this.

Your comment about the reduction in spam because of IP changing is
certainly possible (as described in case b above).  I would love to
read more about the general details about how spammers and zombies
interact with each other, and whether or not zombies really do have
to perform MX lookups themselves (and what do they do if there is no MX
record) or if the IP of the recipient's server is given to the zombie
by the spammer.

> I think having an MX record is a good idea.

So do I, but until I see evidence that some (or any) legit e-mail is
not making it to us, I will continue to leave our MX record
un-configured.  The payoff in a 75-80% reduction in spam is just too
useful to us at this point.  I can now forward e-mail from our sales
and support accounts to others within our organization vs having to
wade through the junk myself and pick out the good e-mails.

> I also think that yourdomain.foo should point to your web server. Why
> should people have to type www?

They don't have to.

Our ADSL modem/router is port-forwarding ports 25 and 80 to different
machines on our local network.  Our web site can be accessed with or
without the preceding www.
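An added example, not from the original post or the bind-users list, of the lookup order a standards-compliant sending MTA follows when it picks a delivery host: MX records by preference first, and, when the domain has no MX at all, the domain's own A record as an implicit MX (RFC 5321 section 5.1). This is why a host with only an A record still receives mail from compliant senders. The zone data is constructed for illustration, no real DNS is queried, and the null-MX case (RFC 7505) is included as a generalization beyond the post.

```python
# Added example (not the original post's code). Zone data is constructed;
# no DNS queries are made.
from typing import Dict, List, Tuple

# Constructed zone: name -> list of (rrtype, rdata). MX rdata is (pref, host).
ZONE: Dict[str, List[Tuple[str, object]]] = {
    "withmx.example":  [("MX", (10, "mail.withmx.example")),
                        ("MX", (20, "backup.withmx.example")),
                        ("A", "192.0.2.10")],
    "nomx.example":    [("A", "192.0.2.20")],          # A record only, as in the post
    "nullmx.example":  [("MX", (0, "."))],             # RFC 7505 "accepts no mail"
    "mail.withmx.example":   [("A", "192.0.2.11")],
    "backup.withmx.example": [("A", "192.0.2.12")],
}


def lookup(name: str, rrtype: str) -> list:
    """Return the rdata of every record of the given type at this name."""
    return [rdata for t, rdata in ZONE.get(name, []) if t == rrtype]


def delivery_hosts(domain: str) -> List[str]:
    """Return SMTP target hosts in the order a sending MTA would try them.

    RFC 5321 section 5.1: use MX records sorted by preference; if the domain
    has no MX record at all, treat the domain itself as an implicit MX and
    connect to its A/AAAA address.  RFC 7505: a single MX of preference 0
    with target "." is a null MX, meaning the domain accepts no mail, so
    return nothing instead of falling back to the A record.
    """
    mx = lookup(domain, "MX")
    if mx:
        if len(mx) == 1 and mx[0] == (0, "."):
            return []                         # null MX: no fallback
        return [host for _, host in sorted(mx)]
    if lookup(domain, "A") or lookup(domain, "AAAA"):
        return [domain]                       # implicit MX fallback
    return []                                 # nothing to deliver to


def resolve_targets(domain: str) -> List[str]:
    """Flatten the delivery hosts to the IP addresses a sender would dial."""
    return [ip for host in delivery_hosts(domain) for ip in lookup(host, "A")]
```

A sender that skips the implicit-MX step (or was handed a stale IP instead of doing the lookup) never reaches nomx.example, which is consistent with the reduction in spam described above while compliant MTAs still deliver.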



More information about the bind-users mailing list