Re: [exim] spammers MXes

Author: Renaud Allard
Date:  
To: Marc Perkel
CC: exim-users
Subject: Re: [exim] spammers MXes


Marc Perkel wrote:
>
>
> Renaud Allard wrote:
>> Marc Perkel wrote:
>>
>>
>>> I have a blacklist and whitelist where you can match the host address.
>>>
>>> hoztname.hostkarma.junkemailfilter.com
>>>
>>> 127.0.0.1 = whitelist
>>> 127.0.0.2 = blacklist
>>>
>>>
>>>
>>
>> The sending IPs used by spammers have nothing in common with their
>> domain MXes. They just send from whatever IP they see fit. All they have
>> in common is an MX record for their domain listening at the same IP. So
>> having a blacklist that would be able to tell something like "all domains
>> that have their MXes pointing to this particular IP are spammer domains"
>> would be great.
>>
>
> I see what you mean about not having what you want. But what do you
> want? What is the logic you would use to detect spam? If the sender's MX
> is vacant or matches a blacklist of host names?
>


I am trying to determine if a blacklist of IPs of MXes (not containing
the IP sending the spam, but the IP of the MX) exists, and if it would
be useful to have such a blacklist.

It seems that some spammers are using newly bought domains with real MX
records. Those MXes seem to be only used by these spammers, maybe to
bypass callouts or maybe to bypass C/R systems.
In my example, there were many domain names used, all new, all having
different MXes, but all those MXes resolving to the same IP.

So the idea is: if someone sends me a mail from: user@???. I can
verify example.com's MX, which is mail.example.com, which resolves to
1.2.3.4. And if 1.2.3.4 is in the blacklist, I could just deny the mail
because it is a known spammer MX IP.
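
Added example, not part of the original message: a Python sketch of the check described above (sender domain, then its MX hosts, then their IPs, then a blacklist lookup on each IP). The zone name `mxbl.example`, the `.example` domains and all DNS records are constructed for illustration (the thread only asks whether such a list exists); the reversed-octet query name and the `127.0.0.2` "listed" answer follow the usual DNSBL convention quoted earlier in the thread.

```python
import ipaddress

# Constructed DNS data standing in for a real resolver, so the example runs offline.
# "mxbl.example" is a hypothetical MX-IP blacklist zone, not an existing service.
ZONE = {
    ("MX", "example.com"): ["mail.example.com"],
    ("MX", "new-domain.example"): ["mx.new-domain.example"],
    ("MX", "good.example"): ["mx1.good.example", "mx2.good.example"],
    ("A", "mail.example.com"): ["1.2.3.4"],
    ("A", "mx.new-domain.example"): ["1.2.3.4"],   # different MX name, same IP
    ("A", "mx1.good.example"): ["198.51.100.10"],
    ("A", "mx2.good.example"): ["198.51.100.11"],
    ("A", "nomx.example"): ["1.2.3.4"],            # domain with no MX record
    ("A", "4.3.2.1.mxbl.example"): ["127.0.0.2"],  # blacklist entry for 1.2.3.4
}

def lookup(rtype, name):
    """Return the records of type rtype for name from the constructed zone."""
    return ZONE.get((rtype, name.lower().rstrip(".")), [])

def mx_ips(domain, resolve=lookup):
    """IPs that accept mail for domain: every A record of every MX host."""
    # Without an MX record, mail is delivered to the domain's own address
    # (implicit MX), so that address is checked instead.
    hosts = resolve("MX", domain) or [domain]
    ips = []
    for host in hosts:
        for ip in resolve("A", host):
            if ip not in ips:
                ips.append(ip)
    return ips

def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def listed_mx_ips(sender, zone="mxbl.example", resolve=lookup):
    """MX IPs of the sender's domain for which the zone answers 127.0.0.2."""
    domain = sender.rpartition("@")[2]
    return [ip for ip in mx_ips(domain, resolve)
            if "127.0.0.2" in resolve("A", dnsbl_name(ip, zone))]

def verdict(sender):
    """'deny' if any MX IP of the sender's domain is listed, else 'accept'."""
    return "deny" if listed_mx_ips(sender) else "accept"
```

Passing a `resolve` function backed by real DNS queries in place of `lookup` turns the same logic into a live check.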