Re: [exim] spammers MXes

Author: Ted Cooper
Date:  
To: exim-users
Subject: Re: [exim] spammers MXes
Renaud Allard wrote:
> Hello,
>
> I just noticed a tidal wave of mails coming from sales@$randomdomain.tld on a
> couple of mailrelays I manage.
>
> All these mails are obviously spam messages. But they seem to have something in
> common besides the sales@. They either have no MX record, which is great because
> callouts just detect these spams. Or they all have MX pointing to
> mail.$randomdomain.tld which point to the same IP.
>
> Here are a few samples.
> # nslookup
> Name: mail.ruedesabbeysses.com
> Address: 72.232.95.68
> Name: mail.randyschuckman.com
> Address: 72.232.95.68
> Name: mail.promosinternational.com
> Address: 72.232.95.68
> Name: mail.primerentalstore.com
> Address: 72.232.95.68
> Name: mail.prcfoods.com
> Address: 72.232.95.68
>
> So it would be almost trivial to block these spams with a dnsdb ACL call to the
> MX. But there should be a "blacklist" to match the addresses. Does anybody know
> of such a blacklist or is it a great opportunity to create one?
>
> Also what are your opinions about this kind of filtering?


I have been looking at these too. They've been around for about 4 months
and can just as easily be spotted for their crap whois records:
whois promosinternational.com
Name Server: DNS1.NAME-SERVICES.COM
Creation Date: 14-oct-2007
william bromage (wbromage@???) (always @gmail)

These emails never get past the greylisting/host sanity; however, I've
been thinking about taking all their information and adding to a
database which dumps into karmasphere. I just have a few other things on
my todo pile before I get to that.

The domains are already listed in the Day Old Bread DNS list .. most of
the time.

--
The Exim Manual
http://www.exim.org/docs.html
http://www.exim.org/exim-html-current/doc/html/spec_html/index.html
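
The pattern described in this thread (sender domains whose only MX is mail.<domain>, with many such domains resolving to one IP, plus domains with no MX at all) can be found by clustering envelope senders, shown here as an added example that is not part of the original messages. The resolver tables are constructed stand-ins for live DNS that reuse the names and address quoted above; the example.* entries, the function names and the min_domains threshold are assumptions.

```python
from collections import defaultdict

# Constructed stand-in for DNS answers. THREAD_DOMAINS and 72.232.95.68 are the
# samples quoted in the thread; the example.* entries are made up for contrast.
THREAD_DOMAINS = [
    "ruedesabbeysses.com", "randyschuckman.com", "promosinternational.com",
    "primerentalstore.com", "prcfoods.com",
]
MX_OF = {d: ["mail." + d] for d in THREAD_DOMAINS}
MX_OF.update({"example.org": ["mail.example.org"], "example.net": ["mx1.example.net"]})
A_OF = {"mail." + d: ["72.232.95.68"] for d in THREAD_DOMAINS}
A_OF.update({"mail.example.org": ["192.0.2.10"], "mx1.example.net": ["192.0.2.20"]})

SAMPLE_SENDERS = [f"sales@{d}" for d in THREAD_DOMAINS] + [
    "alice@example.org", "bob@example.net", "sales@nomx.example",
]

def resolve_mx_ips(domain):
    """Return {mx_host: [ips]} for a domain (hypothetical helper; swap in real DNS)."""
    return {mx: A_OF.get(mx, []) for mx in MX_OF.get(domain, [])}

def shared_mx_clusters(senders, resolve=resolve_mx_ips, min_domains=3):
    """Cluster sender domains whose only MX is mail.<domain> by that MX's IP.

    Returns (clusters, no_mx): clusters maps an IP to the sorted sender domains
    behind it when at least min_domains share it; no_mx lists domains with no MX.
    """
    by_ip, no_mx = defaultdict(set), set()
    for sender in senders:
        _, sep, domain = sender.rpartition("@")
        domain = domain.lower().rstrip(".")
        if not sep or not domain:
            continue  # not an addr-spec with a domain part
        mx = resolve(domain)
        if not mx:
            no_mx.add(domain)  # a sender callout already fails for these
            continue
        if set(mx) != {"mail." + domain}:
            continue  # MX layout differs from the pattern in the thread
        for ips in mx.values():
            for ip in ips:
                by_ip[ip].add(domain)
    clusters = {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}
    return clusters, sorted(no_mx)
```

Shared hosting providers also put many mail.<domain> hosts on one address, so a cluster is a candidate for review or for a local list, not proof of spam on its own.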