[Apologies for missing References headers; I've just subscribed and I'm
replying to a message seen on the web archive]

Another interesting data point:

I've been seeing large numbers of HELOs from netzero.com, but with a twist.
We are seeing them to one particular domain which has long been the
subject of brute-force spamming (i.e. lots of attempts to mail
non-existent local parts) but we are seeing these not only on the two
listed MXes for the domain, but also on the machine that *used* to be
the MX for the domain (the MX record's target changed IP address months
ago). I can't believe that this is broken DNS caching but rather am
guessing that the zombied hosts sending these mails out have something
hardcoded for some bizarre reason.

There's absolutely nothing in the DNS for this domain that would suggest
trying this host, MX, A, or otherwise.

Or is there another explanation that anyone can think of?

Cheers,

Dominic.
--
Dominic Hargreaves |
http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)