I've had a sense recently that more spam than usual has been making its way through my mail server's filters, and I took the time tonight to figure out why. The result was interesting, a bit surprising, and in hindsight not altogether unexpected.
Like any decent run-of-the-mill mail admin nowadays, I run SpamAssassin as a primary line of defence against incoming junk. Casual spot checks of the headers on recent messages had revealed nothing out of the ordinary — all had spam scores assigned, and all fell below the configured threshold. Yet with messages so obviously spammy, and especially arriving in groups with unusual regularity, something was obviously amiss.
Looking more closely at the tests reported in the X-Spam-Status headers, one caught my eye: RCVD_IN_DNSWL_HI. Guessing that "WL" meant "whitelist", and confirming that this match was responsible for adding −5.0 to the spam score (thereby reducing it), I visited the DNSWL lookup page and manually checked every IP address in the Received headers of one piece of spam in order to determine which rogue relay was incorrectly reported as good.
To my surprise, none was listed. I checked those from a different message, and found the same. I verified these results by doing manual DNS lookups with the "host" command on my Mac. None of the servers that handled these messages was registered in this whitelist, yet SpamAssassin was repeatedly hitting a positive on the test. What was going on?
Naturally I turned to Google for some insight, and found an anecdotal account of how one guy solved a similar problem by changing his DNS resolver to something else, away from Google's public DNS service which he had been using. His problem went away, and messages were no longer being erroneously whitelisted.
For a few minutes I was pondering what Google's DNS servers could have to do with anything when I came across this article from the DNSWL folks that seemed like it might be vaguely related to my problem. The upshot is that due to a huge volume of DNS queries fielded from several particular organizations in violation of their terms of service, DNSWL has retaliated by replying with a "good" response for any and all whitelist queries from such sources.
It dawned on me that this was, in fact, my exact issue. I checked the resolv.conf on my mail server, and lo and behold, the culprit was the DNS server 188.8.131.52, one of Google's public DNS servers — that's where my machine has been looking for all of its name resolution.
Many months ago I had commented out my ISP's DNS in favour of the Google ones. I can't remember the specifics, but the brief comment I left in the file suggests there had been some intermittent problems with the "house" DNS (which for an SMTP server can cause havoc). So I swapped in the eights as a workaround, and everything had been buzzing along since.
I've now reverted to the local servers, which seem to be working fine, and I expect spam to return to the usual levels.
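A quick way to test a mail server's resolver path for this failure mode, as an added example that is not part of the original post: look up an address that cannot be a whitelisted relay and treat any answer as a sign that the whitelist replies are not trustworthy. The function names and the canary address are assumptions made here; the `list.dnswl.org` zone and the `127.0.x.y` trust encoding come from DNSWL's published format rather than from the post.

```python
import ipaddress
import socket

DNSWL_ZONE = "list.dnswl.org"   # DNSWL's public query zone
CANARY_IP = "192.0.2.1"         # RFC 5737 documentation address; assumed unlisted
TRUST = {0: "NONE", 1: "LOW", 2: "MED", 3: "HI"}  # last octet of 127.0.x.y

def dnswl_query_name(ip, zone=DNSWL_ZONE):
    """Reverse the IPv4 octets and append the zone, as DNS list lookups do."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_lookup(name):
    """Resolve via the host's configured resolver; None if no answer comes back."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def active_nameservers(resolv_conf_text):
    """Return nameserver entries, ignoring lines commented out with # or ;."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.strip().split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def canary_check(lookup=system_lookup, canary=CANARY_IP):
    """Look up an address that cannot be a whitelisted relay.

    Returns ("ok", None) when nothing is returned, otherwise
    ("untrustworthy", trust_level) because every reply on this path is suspect.
    """
    answer = lookup(dnswl_query_name(canary))
    if answer is None:
        return ("ok", None)
    level = TRUST.get(int(answer.rsplit(".", 1)[1]), "UNKNOWN")
    return ("untrustworthy", level)

if __name__ == "__main__":
    # Constructed resolv.conf: house DNS commented out, another resolver active.
    sample = "# nameserver 198.51.100.53\nnameserver 192.0.2.53\n"
    print(active_nameservers(sample))
    # Constructed stand-in resolver that answers "HI" for every name.
    print(canary_check(lookup=lambda name: "127.0.10.3"))
```

Calling `canary_check()` with no arguments on the mail server itself sends the query through whatever resolv.conf points at, which is the path SpamAssassin uses.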
As a follow-up to my previous post, I've followed through and a Mac Pro is following along.
My decision to move now was spurred by a reminder last week about a temporary tax incentive (CCA class 52) that makes capital purchases of computer equipment eligible for a 100% write-off – but only if purchased before the end of January 2011 (that's today).
So I ordered one last night from the Apple online store – a refurbished model, actually. Though this will be my first experience with an Apple refurb, the option was a no-brainer: selection is good, prices are generally hundreds of dollars less than nominal, and products carry a full warranty and are eligible for AppleCare.
The machine is a 2.8 GHz quad-core "Nehalem" Xeon with ATI Radeon 5770 (1GB) graphics, plus the usual array of bells and whistles. I'm looking forward to kicking it in speedy style with the latest Xcode and iOS toolchain, and Aperture on the 27" display.
This afternoon I ordered a Dell UltraSharp U2711 27" display, an investment I've been contemplating for a while.
At my office, where I mostly do software development but also occasional photographic and video editing, I've been working for several years on a Power Mac G5 tower with a pair of 20" Apple Cinema Displays. This setup has been great, but is also getting long in the tooth.
The computer itself chugs painfully with Aperture, and the lack of an Intel processor is becoming an increasing barrier to productivity; developing for iPhone (and now the Mac App Store) on my 15" MacBook Pro is arduous at best.
As for the displays, their backlights are starting to slightly fade and I can no longer match the white balance on both displays even after profiling. And a bigger screen will make a new computer seem even faster, right?
By my research the U2711 seems to have earned a consistently good reputation, sporting a fantastic colour-accurate matte panel, decent mechanical adjustments, and more input types than one could ever need.
While replacing the computer is of greater urgency, today's one-day price on this monitor — $749, down from $1249 — was the most affordable I've yet seen, so I decided the opportunity should be taken. Surely a new Mac Pro will follow, eventually.
After about nine years, I finally gave in and purchased and installed a proper third-party-signed SSL cert for secure.zygoat.ca. What this means is that no longer will customers have to click through warning dialogs when they log in to SquirrelMail or phpMyAdmin. Rejoice!