Dear all, I posted yesterday my findings on connection attempts by
spammers to a higher priority (what a misnomer) MX in preference to a
lower priority one. I said that it looked like spammer engines were
late in the reception of the new DNS records although the TTL was
very low. I was wrong, I had a forgotten ipfw rule dropping packets
to the new fake secondary...
My finding are thus: an hour (the TTL) after I added the fake MX I
had the first spammer hit (fortunately the firewall rule was logged).
In 24 hours I had 1500 attempts, in the same period I got about 1300
rejections to the primary (this does not include spam that is dropped
thanks to the SMTP delays introduced for low scoring emails). So it
looks like some spammers do indeed target the secondary even if the
primary is up (same network, same physical interface).
Note that the ipfw hit count might be inflated because of the drop
rule [a drop rule in ipfw causes the tcp connection to timeout].
Now I have removed the firewall rule and apparently some spammers
even after a 5XX rejection at the primary go on to try at the fake
secondary (where they get a temporary failure), this is just annoying
as it causes more log lines...
Now I wonder if adding more fake MXs on that same interface and
dropping them all at the firewall would not make a nice mud field for
some spammers...
Giuliano
--
H U M P H
|| |||
software
Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/
