Re: [exim] An interesting observation about spam zombies

Author: Phil (Medway Hosting)
Date:  
To: Exim Users List
Subject: Re: [exim] An interesting observation about spam zombies

----- Original Message -----
From: "Marc Perkel" <marc@???>
To: <exim-users@???>
Sent: Wednesday, August 29, 2007 6:23 PM
Subject: [exim] An interesting observation about spam zombies


> As some of you know I get rid of a lot of spam using fake high numbered
> MX records. I'm now doing some interesting experiments. Even though my
> TTL is only 2 hours I notice that if I change my fake high MX to
> different fake high MX that the spam zombies still send email to the old
> fake MX records for many days, sometimes weeks.


Try Years !!!

This has been the case for a long time now. I still get hit by zombies
trying to deliver to domains that ceased to be hosted by me altogether about
3 years ago.

>
> My theory is that spam zombies do DNS caching so as to maximize spam
> output by eliminating dns lookups. Thus zombies retain old information
> far longer than they are supposed to.


I have a feeling that when a zombie is given a mailing list, they are given
the IP to deliver to at the same time (possibly to avoid setting alarm bells
ringing at the ISP's DNS servers). Seeing as spammers aren't worried about
list washing, I doubt they are worried about a few wrong IPs either. I
think the only way we will see any change in this behaviour is when LARGE
ISPs start moving their MXs regularly, which will in turn force spammers
to do lookups more regularly - and the chances of ISPs doing that have got
to be bordering on zero.

>
> So I'm experimenting with a blacklisting trick where I change my fake
> high MX records, wait several hours, and then anything that hits the old
> fake MX records are spam zombies.


You would need to wait at LEAST 2 days (preferably nearer to a week and
maybe even longer) to avoid FPs.

All the best

Phil


_____________________________________________

Website Hosting from only £5.00 per month.
www.medwayhosting.com - +44 (0)1634 856965
_____________________________________________

Digital & Traditional Printing, and much more
www.medwayprint.com - +44 (0)1634 281199
_____________________________________________
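
The following is an added example, not part of either poster's message: a sketch of the retired-decoy-MX check discussed in the thread, using the 2 hour TTL and the 2 day minimum wait mentioned above as defaults. The log format, the addresses (documentation ranges) and the verdict names are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed data: decoy (fake high-numbered) MX addresses and the time each
# one was removed from DNS.
RETIRED_DECOYS = {
    "192.0.2.10": datetime(2007, 8, 20, 12, 0),
    "192.0.2.11": datetime(2007, 8, 27, 12, 0),
}

# Constructed connection log, one hit per line: "timestamp local_ip remote_ip"
SAMPLE_LOG = """\
2007-08-20T13:30:00 192.0.2.10 198.51.100.7
2007-08-21T09:00:00 192.0.2.10 198.51.100.8
2007-08-23T08:15:00 192.0.2.10 203.0.113.5
2007-08-29T18:00:00 192.0.2.10 203.0.113.5
2007-08-29T18:05:00 192.0.2.11 203.0.113.9
2007-08-29T18:10:00 192.0.2.20 203.0.113.77
not a log line
"""

def classify(log_text, retired, dns_ttl=timedelta(hours=2), grace=timedelta(days=2)):
    """Map each remote IP that hit a retired decoy MX to its strongest verdict."""
    rank = {"in-ttl": 0, "stale-cache": 1, "listable": 2}
    verdicts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        local_ip, remote_ip = parts[1], parts[2]
        retired_at = retired.get(local_ip)
        if retired_at is None or when < retired_at:
            continue  # not a retired decoy, or the record was still published
        age = when - retired_at
        if age <= dns_ttl:
            verdict = "in-ttl"        # resolvers may legitimately still cache it
        elif age < grace:
            verdict = "stale-cache"   # too early to list without risking FPs
        else:
            verdict = "listable"      # still using the old record after the wait
        if rank[verdict] > rank.get(verdicts.get(remote_ip), -1):
            verdicts[remote_ip] = verdict
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify(SAMPLE_LOG, RETIRED_DECOYS).items()):
        print(ip, verdict)
```

Passing `grace=timedelta(days=7)` applies the longer wait and moves the borderline hits back to `stale-cache`.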