Re: [exim] open relay aftermath

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] open relay aftermath
Jim Cheetham wrote:
> On 14/02/11 13:53, W B Hacker wrote:
>> Changing YOUR servers to new IP won't really make much difference. They'll find
>> anything with port 25 listening.
>
> Sure; all servers will eventually get probed, on an ongoing basis. If
> they are closed, no problem.
>
> However, if the IP in question has been associated with an open relay in
> the past you will find people pumping email into it regardless.
> Initially just the same servers that originally exploited the original
> open relay, but eventually some others. They do not seem to care that
> all their messages are being rejected.


See below...

>
> If you deny these known bad IP addresses a connection as early as
> possible, you will have a lot of network traffic, CPU time and logfile
> entries.
>
> -jim
>


You'll have a great deal MORE '...network traffic, CPU time and logfile
entries.' if you do NOT deny them as early as possible.

;-)

The traffic load for early denial is minuscule compared to, for example, taking
a message body on board, running it through an AV *and* content scanner, THEN
rejecting...

We have been on the same IPs for about 7 of the last 11 years now, and
early rejection has markedly cut bogus arrival attempts.

It isn't so much that botnets 'learn' or adapt.
It is that - being made up of stolen resources - they are somewhat ephemeral.

Even a WinBox can get a proper housecleaning, upgrade, or outright junk and
replace now and then.

Even a sloppy or careless ISP can wake up and start intercepting port 25 outbound.

So today's botnet 'players' are neither the same boxen, nor necessarily even the
same networks as last year's.


Bill
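The "deny as early as possible" approach discussed in this thread, sketched as an Exim configuration fragment. This is an added illustration, not configuration posted by either participant; the hostlist file path and ACL names are assumptions, and the data-time checks assume Exim was built with content scanning (exiscan) support.

```exim
# --- main section ---
# Known abusive hosts, one IP or CIDR block per line (assumed path).
hostlist known_bad_relays = /etc/exim/known_bad_relays

# Run the cheap check on connect, before any SMTP dialogue happens,
# and keep the expensive AV/content scanning for the DATA phase.
acl_smtp_connect = acl_check_connect   # assumed ACL name
acl_smtp_data    = acl_check_data      # assumed ACL name

begin acl

acl_check_connect:
  # Early rejection: costs one list lookup and one log line, no
  # message body is ever received from a listed host.
  deny    hosts       = +known_bad_relays
          log_message = connect denied: listed in known_bad_relays
          message     = Connection refused

  accept

acl_check_data:
  # Late rejection: by now the full body has been accepted and must
  # be scanned, which is the costly path the thread argues against
  # for hosts that are already known to be bad.
  deny    malware     = *
          message     = Rejected: $malware_name detected

  deny    spam        = nobody
          message     = Rejected as spam (score $spam_score)

  accept
```

Rejections from acl_check_connect show up in the main log via log_message, so the volume of early denials per source can be tracked without taking any message data on board.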