Autor: Alan J. Flavell Fecha: A: Exim users list Asunto: Re: [exim] Am I an open relay or aren't I?
On Fri, 12 May 2006, Alun wrote:
> "Alan J. Flavell" <a.flavell@???> said, in message
> Pine.LNX.4.64.0605102105270.24674@???:
> >
> > [1] Incidentally, we had some clear evidence that spammers keep
> > old lists of MX lookups, instead of looking-up in real time - so
> > it could be beneficial to regularly change one's MX IPs, and
> > letting them try to offer the mail to last month's IP which has
> > now gone away ;-)
>
> I've been meaning to do something like this for a while. The
> corollory would be, after moving the IP, to firewall the old IP and
> watch the firewall logs.
OK, I wasn't sure if my throwaway remark above would raise any
interest, but, as it has (thanks for reporting the results of your
experiment!), maybe I could add just a bit of detail.
There are two particular scenarios which I have seen. I'll use
obfuscated names, since the details of the real ones aren't of any
significance here.
1. old host-based addresses
In ancient history, we recognised host-based address domains
like host5.dom.example
Then, in less-ancient history we moved their mail service to a
collective mail server by means of MX records, with host5.dom.example
pointing to mail.domain.example
(These were not only different domains, but even different IP
network numbers.)
Of course, in the fullness of time, we removed the MX records for
those old hosts, and reconfigured the mailer to reject the old
addresses.
Nevertheless, spammers were continuing to offer to our mailer,
mail intended for the old host-based domains.
The only possible hypothesis must be that they were using obsolete MX
records which had been harvested long ago.
2. New mail server
Fairly recently, a new mail server was worked-up, let's call it
newmail.domain.example, and the MX records for our currently-supported
mail domains were pointed to it. In due course, after a bit of
parallel working, the old MX records pointing to the old server
mail.domain.example were removed.
After a while, the old mailer mail.domain.example was firewalled.
Nevertheless, weeks afterwards, SMTP transactions were still being
attempted to it.
So, that's one example of long-term stale MX records, and another
example of relatively short-term - but still inappropriate - stale MX
records.
I can't say anything really about spammers attempting A records for
hosts, because our campus border router blocks incoming port 25 for
anything which isn't registered as a bona fide mail server. So we'd
never get to see the spammers attempting SMTP transactions to our
other hosts.
I *suppose* the campus network folks could organise some kind of
blacklisting based on firewall logs, but that's way outside of my own
orbit, so I'll leave that to Chris and f(r)iends ;-)