I wrote on Jan. 3 that you can close off a "back door" that many companies leave wide open on their mail servers. There are some other tricks that antispammers would like you to know about, too.
These methods can be useful to you if your company manages its own mail server -- or if you know someone whose company runs its own mail server.
Protecting Your Resources, Wherever They Are
For example, a company might have one primary mail server and a second, older one. The older server is supposed to accept mail only if the primary server is out of service, for whatever reason. A company in this situation publishes a secondary MX record for the older server. This gives the slower machine a lower priority, causing any legitimate sending servers to ignore it unless the primary server is unavailable.
The problem is that spammers disregard your desire that all e-mail should ordinarily be delivered to the primary server. If spammers can find a secondary server's name or IP address, they'll send the spam there.
"That's one of the oldest spammer tricks," says John Reid, a volunteer with Spamhaus.org. "It's been called 'sneaking in the unlocked back door.' " Spamhaus is a respected antispam group, which maintains several lists of spammers and the IP addresses from which they're currently spewing forth their junk mail.
If you don't have a secondary mail server, you should take the steps I explained on Jan. 3 to close the back doors that spammers can use to access your primary server. If your company does have a secondary mail server, you may need a few additional tweaks.
Tricking Spam Senders Into Using Your Front Door
As Reid describes it, spammers have programmed their software to automatically deliver junk to whichever mail server has the lowest priority in a company's DNS records.
That's the opposite of what mail servers on the Internet are supposed to do. But it works because companies sometimes employ less antispam filtering on their secondary than on their primary mail servers.
Enterprise-level antispam appliances, for example, can easily cost thousands or tens of thousands of dollars. If a company wishes to pay for only one such appliance, odds are that it's going to be installed on the primary server, not on a secondary machine.
Another scenario in which a secondary mail server can get less antispam protection than the primary server is when a company outsources its backup mail server. The outsourcing company may not employ spam filtering that's as strict as the measures that protect the primary server.
In these cases, Reid says, you can trick spam servers into focusing on your primary mail server, where your antispam defenses will stop the spam cold.
A Little Line of DNS Code
Let's say that your primary mail server is named mail1.example.com and your secondary is named mail2.example.com. The primary mail server might get a priority of 10 in your MX records, while your secondary gets a priority of 20. Legitimate senders will always send to your primary mail server first, because 10 represents a higher priority than 20. But spammers like to hit what Reid calls "a weak secondary," so they'll target your backup mail server, where they're more likely to get their messages through.
To prevent this, Reid explains, you create a third MX record. This one duplicates your primary mail server but gives it an even lower priority, such as 99. This would look as follows in your company's DNS records:
mail.example.com MX 10 mail1.example.com
mail.example.com MX 20 mail2.example.com
mail.example.com MX 99 mail1.example.com
As you can see, your mail1 server is named twice, once with the highest priority among your mail servers and again with the lowest priority. Spammer software doesn't notice that the two servers have the same name -- and, therefore, are the same machine -- so the spam is merrily directed to priority 99, which is precisely the server that has your best antispam defenses.
Ideally, of course, your company would pony up for the strongest antispam measures on every machine you have. In the real word, Reid says, companies often want to have a backup server but aren't willing to pay to duplicate all the antispam hardware and software that should be devoted to it.
If that's the case in your company, adding the line shown above to your DNS records doesn't cost you a thing -- and it just might eliminate a lot of the spam that you've been suffering with for months or years.