
Journal: SMTP & DNS mods to control SPAM
- Add a new DNS record "RX" that lists valid SMTP relays for that domain.
- Mod SMTP to attach 2 flags to all mail (trusted/untrusted and normal/bulk)
- Mod SMTP configs with 6 flags (trusted threshold, trusted interval, untrusted threshold, untrusted interval, trusted degrade delay, untrusted degrade delay)
- Pay attention to new "Bulk Email" header record
- If source IP is in your 'degrade' cache, and 'delay interval' has not been reached, do not acknowledge this email (do not respond to HELO)
- If a mail entry is coming from 'inside' your domain, it is flagged as 'trusted'.
- If mail is coming from an outside domain, but from a valid "RX", then flag it as 'trusted'.
- For this determination, use the real source IP, not an IP in the header.
- All other email is flagged as untrusted.
- Add IP and timestamp to 'trusted-activity' or 'untrusted-activity' cache. Remove entries from cache that are older than appropriate interval.
- If 'Bulk email' record exists in this record, then follow local 'Bulk email' rules.
- If the number of entries for this IP exceeds the appropriate threshold, add the IP and timestamp to the 'degrade' cache, and add a 'Bulk email' record to the header (if not already there).
The intent here is for all email to be delivered, just that some email delivery will be slowed down to the point that bulk SPAM is not justifiable. I'm not sure if email flagged as 'Bulk' should sail through and let local readers filter that out (if they desire), or if they should be degraded as well (when thresholds exceeded).
By picking sane threshold/interval values for the number of users your server supports, normal mail should sail through, but only the first few SPAM records will go undetected.
Spammers will set up valid domains with valid RX records to try to get into the 'trusted' rules, but once detected, these IPs could easily be added to your preloaded degrade cache as permanent entries.
May need another threshold/interval of non-activity to take non-permanent degraded IPs off the degrade list, thus auto-compensating for 'oops I got breached, but I fixed it' servers.
By adding the RX DNS entries, and bulk records, each mail server can implement rules as they see fit. Sites that do not make use of any of this still go through, they just go through with untrusted rules, and thus make it easier to get into the 'degrade' list for slower delivery.
If IPs remained on the degrade list long enough (one or 2 weeks) and the degraded rate was slow enough (1 email every 15 minutes), it would slow down the spam rate enough to make it not cost justifiable, it would automate everything (administrators would have to keep on top of thresholds/intervals, and possibly manually add/subtract entries in the degrade list to compensate for unexpected conditions), and it would allow legitimate email to flow (sometimes at a slower rate if they break the rules).
By allowing email marked as 'Bulk' to NOT count towards thresholds, massive legitimate mail lists can still be sent, but end user reader rules would be much easier to maintain (block all Bulk email, unless it is from my subscribed lists).
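The decision logic from the list above, with the 'Bulk' exemption just described, as an added example in Python (not code from the journal entry). The RX lookup is a constructed dictionary standing in for the proposed DNS record, timestamps are plain seconds, and a degraded IP is assumed to get exactly one message through per degrade delay, which is one reading of the "1 email every 15 minutes" rate.

```python
from collections import defaultdict, deque


class SpamThrottle:
    """Rate-based mail throttling as sketched in the journal entry.

    trusted/untrusted settings are (threshold, interval, degrade_delay) tuples,
    all in seconds. rx_records maps a domain to the IPs its RX record lists
    (constructed stand-in for the proposed DNS lookup)."""

    def __init__(self, local_relays, rx_records, trusted, untrusted):
        self.local_relays = set(local_relays)
        self.rx_records = {d: set(ips) for d, ips in rx_records.items()}
        self.cfg = {"trusted": trusted, "untrusted": untrusted}
        self.activity = {"trusted": defaultdict(deque), "untrusted": defaultdict(deque)}
        self.degrade = {}  # ip -> (timestamp of last accepted message, delay)

    def classify(self, real_ip, sender_domain):
        # Decide on the connecting IP only; IPs in the header are sender-controlled.
        if real_ip in self.local_relays or real_ip in self.rx_records.get(sender_domain, ()):
            return "trusted"
        return "untrusted"

    def handle(self, real_ip, sender_domain, bulk_header, now):
        """Return (action, trust, add_bulk_header); action is 'defer' or 'deliver'."""
        trust = self.classify(real_ip, sender_domain)
        if real_ip in self.degrade:
            last, delay = self.degrade[real_ip]
            if now - last < delay:
                return ("defer", trust, False)  # do not respond to HELO this time
            # Assumption: once per delay window a degraded IP gets one message through.
            self.degrade[real_ip] = (now, delay)
            return ("deliver", trust, True)
        if bulk_header:
            # Self-declared bulk mail follows local bulk rules and never counts.
            return ("deliver", trust, True)
        threshold, interval, delay = self.cfg[trust]
        window = self.activity[trust][real_ip]
        window.append(now)
        while window and now - window[0] > interval:
            window.popleft()  # drop entries older than the interval
        if len(window) > threshold:
            self.degrade[real_ip] = (now, delay)
            return ("deliver", trust, True)  # tag as Bulk and slow down future mail
        return ("deliver", trust, False)
```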
Just some thoughts in case anyone is interested.