--On 12 May 2006 09:29:18 +0100 Alun <auj@???> wrote:
> "Alan J. Flavell" <a.flavell@???> said, in message
> Pine.LNX.4.64.0605102105270.24674@???:
>>
>> [1] Incidentally, we had some clear evidence that spammers keep old
>> lists of MX lookups, instead of looking-up in real time - so it could
>> be beneficial to regularly change one's MX IPs, and letting them try
>> to offer the mail to last month's IP which has now gone away ;-)
>
> I've been meaning to do something like this for a while. The corollory
> would be, after moving the IP, to firewall the old IP and watch the
> firewall logs. Anyone hitting the old IP (after some reasonable grace
> period)
Is that grace period different from the DNS TTL?
> on port 25 is pretty much bound to be a spammer/zombie and
> can be added to a local blacklist.
>
> Out of interest, I knocked together that part of the code yesterday
> morning. It actually looks for ALL blocked port 25 probes against
> our site. The blacklist now holds 308 IP addresses that have tried to
> talk to our old MX IP's. The old IPs were removed from our MX record
> in September 2003!
>
> Another interesting finding is that 462 IP addresses have tried to
> talk to machines which are listed in the A record for aber.ac.uk.
> These have also been added to the blacklist, but I can't decide
> whether that's a good thing to do (is there ANY legitimate reason
> to hit the A record rather than the MX record?!).
>
> The blocklist now contains 1911 records, gathered in 23 hours. It's
> tempting to make it into some form of DNSBL actually...
>
> Cheers,
> Alun.
>
> p.s. Make that 1915 entries - 4 more appeared while I was proofreading
> this! --
> Alun Jones auj@???
> Systems Support, (01970) 62 2494
> Information Services,
> University of Wales, Aberystwyth
--
Ian Eiloart
IT Services, University of Sussex
