Author: Marc Perkel
Date:
To: Phil (Medway Hosting)
CC: Exim Users List
Subject: Re: [exim] An interesting observation about spam zombies

Phil (Medway Hosting) wrote:
> ----- Original Message -----
> From: "Marc Perkel" <marc@???>
> To: <exim-users@???>
> Sent: Wednesday, August 29, 2007 6:23 PM
> Subject: [exim] An interesting observation about spam zombies
>
>
>
>> As some of you know I get rid of a lot of spam using fake high numbered
>> MX records. I'm now doing some interesting experiments. Even though my
>> TTL is only 2 hours I notice that if I change my fake high MX to
>> different fake high MX that the spam zombies still send email to the old
>> fake MX records for many days, sometimes weeks.
>>
>
> Try Years !!!
>
> This has been the case for a long time now. I still get hit by zombies
> trying to deliver to domains that ceased to be hosted by me altogether about
> 3 years ago.
>
>
>> My theory is that spam zombies do DNS caching so as to maximize spam
>> output by eliminating DNS lookups. Thus zombies retain old information
>> far longer than they are supposed to.
>>
>
> I have a feeling that when a zombie is given a mailing list, they are given
> the IP to deliver to at the same time (possibly to avoid setting alarm bells
> ringing at the ISP's DNS servers). Seeing as spammers aren't worried about
> list washing, I doubt they are worried about a few wrong IPs either. I
> think the only way we will see any change in this behaviour is when LARGE
> ISPs start moving their MXs regularly, which will in turn force spammers
> to do lookups more regularly - and the chances of ISPs doing that has got
> to be bordering on zero.
>
>
>> So I'm experimenting with a blacklisting trick where I change my fake
>> high MX records, wait several hours, and then anything that hits the old
>> fake MX records is a spam zombie.
>>
>
> You would need to wait at LEAST 2 days (preferably nearer to a week and
> maybe even longer) to avoid FPs.
>
> All the best
>
> Phil
>
>
>
Keep in mind, Phil, that these are fake high-numbered MX records that
normal servers never access even if they are correct. So if you add in
the expired fake MX factor then it starts getting pretty safe.
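The classification the thread arrives at (hits on a fake MX that was already removed from DNS, aged past the TTL and past Phil's two-day waiting period, are treated as zombies; hits inside the TTL are not) can be written down as a small piece of detection logic. The code below is an added example for this discussion, not something Marc or Phil posted and not part of Exim. The fake MX addresses, the retirement timestamp, the client IPs and the connection log lines are all constructed for the example, and the log format is an assumption about what a listener on the fake MX hosts might record.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: fake high-numbered MX hosts and when each was retired from DNS.
# None means the record is still published. Addresses are hypothetical.
FAKE_MX_RETIRED_AT = {
    "10.0.0.11": None,                          # current fake high MX, still in DNS
    "10.0.0.12": datetime(2007, 8, 20, 12, 0),  # old fake high MX, removed from DNS
}

DNS_TTL = timedelta(hours=2)   # the 2-hour TTL mentioned in the thread
GRACE = timedelta(days=2)      # Phil's minimum wait before trusting a hit as a zombie

# Constructed connection log, one line per SMTP connection seen on a fake MX:
# "<ISO timestamp> <client ip> -> <fake mx ip>"   (format is an assumption)
SAMPLE_LOG = """\
2007-08-20T13:00:00 192.0.2.10 -> 10.0.0.12
2007-08-21T06:00:00 192.0.2.50 -> 10.0.0.12
2007-08-23T09:15:00 192.0.2.20 -> 10.0.0.12
2007-08-29T18:23:00 192.0.2.30 -> 10.0.0.12
2007-08-29T18:30:00 192.0.2.40 -> 10.0.0.11
"""


@dataclass(frozen=True)
class Hit:
    when: datetime
    client: str
    target: str


def parse_log(text):
    """Parse the constructed listener log into Hit records, skipping blank lines."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, arrow, target = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected log line: {line!r}")
        hits.append(Hit(datetime.fromisoformat(ts), client, target))
    return hits


def classify(hit, retired_at, ttl=DNS_TTL, grace=GRACE):
    """Label one hit on a fake MX.

    'stale-zombie'   - target was removed from DNS at least `grace` ago: nothing
                       honouring the TTL could still know about it.
    'suspect'        - target removed more than one TTL ago but inside the grace
                       period; Phil's point is that this is not yet safe to act on.
    'fake-mx-hit'    - target still published, or removed less than one TTL ago,
                       so a correctly cached record could still point here.
    'unknown-target' - not one of our fake MX hosts at all.
    """
    if hit.target not in retired_at:
        return "unknown-target"
    retired = retired_at[hit.target]
    if retired is None:
        return "fake-mx-hit"
    age = hit.when - retired
    if age >= grace:
        return "stale-zombie"
    if age >= ttl:
        return "suspect"
    return "fake-mx-hit"


def stale_zombies(hits, retired_at, ttl=DNS_TTL, grace=GRACE):
    """Client IPs that the expired-fake-MX rule says are safe to blacklist."""
    return sorted({h.client for h in hits
                   if classify(h, retired_at, ttl, grace) == "stale-zombie"})


if __name__ == "__main__":
    for h in parse_log(SAMPLE_LOG):
        print(h.when.isoformat(), h.client, "->", h.target, classify(h, FAKE_MX_RETIRED_AT))
    print("blacklist candidates:", stale_zombies(parse_log(SAMPLE_LOG), FAKE_MX_RETIRED_AT))
```

Only the 'stale-zombie' label feeds the blacklist; the 'suspect' label exists so the waiting period Phil asked for is visible in the output rather than silently folded into one bucket, and the TTL check keeps a sender that merely had a still-valid cached record out of the list.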