"Alan J. Flavell" <a.flavell@???> said, in message
Pine.LNX.4.64.0605102105270.24674@???:
>
> [1] Incidentally, we had some clear evidence that spammers keep old
> lists of MX lookups, instead of looking-up in real time - so it could
> be beneficial to regularly change one's MX IPs, and letting them try
> to offer the mail to last month's IP which has now gone away ;-)
I've been meaning to do something like this for a while. The corollory
would be, after moving the IP, to firewall the old IP and watch the
firewall logs. Anyone hitting the old IP (after some reasonable grace
period) on port 25 is pretty much bound to be a spammer/zombie and
can be added to a local blacklist.
Out of interest, I knocked together that part of the code yesterday
morning. It actually looks for ALL blocked port 25 probes against
our site. The blacklist now holds 308 IP addresses that have tried to
talk to our old MX IP's. The old IPs were removed from our MX record
in September 2003!
Another interesting finding is that 462 IP addresses have tried to
talk to machines which are listed in the A record for aber.ac.uk.
These have also been added to the blacklist, but I can't decide
whether that's a good thing to do (is there ANY legitimate reason
to hit the A record rather than the MX record?!).
The blocklist now contains 1911 records, gathered in 23 hours. It's
tempting to make it into some form of DNSBL actually...
Cheers,
Alun.
p.s. Make that 1915 entries - 4 more appeared while I was proofreading this!
--
Alun Jones auj@???
Systems Support, (01970) 62 2494
Information Services,
University of Wales, Aberystwyth
