Re: [exim] netzero forgeries?

Dominic Hargreaves wrote:

> [Apologies for missing References headers; I've just subscribed and I'm
> replying to a message seen on the web archive]
>
> Another interesting data point:
>
> I've been large numbers of HELOs from netzero.com, but with a twist.
>
> We are seeing them to one particular domain which has long been the
> subject of brute-force spamming (ie lots of attempts to mail
> non-existent local parts) but we are seeing these not only on the two
> listed MXes for the domain, but also on the machine that *used* to be
> the MX for the domain (the MX record's target changed IP address months
> ago). I can't believe that this is broken DNS caching but rather am
> guessing that the zombied hosts sending these mails out have something
> hardcoded for some bizzare reason.
>
> There's absolutely nothing in the DNS for this domain that would suggest
> trying this host, MX, A, or otherwise.
>
> Or is there another explanation that anyone can think of?
>
> Cheers,
>
> Dominic.
>

Not at all unusual.

Some of it may be the result of the convicted felons (in 3 US
states, anyway) at VeriSign/NetSol abusing / selling their
registration DB to, and/or it being independently harvested by,
spammers, as the listed ADMIN and DNS user ID's usually show up
along with munged or 'spoonerized' versions and generalized
dictionary attacks.

In the logs, anyway.. ;-)

Rationale:

We get the above sort of attacks on .com, .net, and .org
<domain>.<tld> that were:

- last active / in a valid DNS 2, 3, 4 and more years ago

- *never* in a valid DNS entry, merely registered with NetSol.

And:

We have not had that problem with .ch, .li, or - least of all /
never - with .to and .sc tlds.

YMMV, but your .li domain itself should be 'not on the radar' of
the zomBastards.

They are looking for the most gullible, i.e. WinUsers in the US.

The rest of the world is a bit more discerning less trusting -
about most things in life.

Bill Hacker