
Re: [Asrg] host named "mail" that is not an MX

2005-06-02 17:16:58
On Thu, Jun 02, 2005 at 12:42:35PM -0700, william(at)elan.net wrote:
> First I heard of it, but it would sure explain some things as to why I
> still receive on my mail server messages for old domains no longer there
> that we're not even relaying for. I never kept any statistics though and
> don't think it's significant (but maybe it's just because those domains have
> always had less mail than active ones).

I've seen this on some of our central mailservers, too. IMHO this is
because of stale DNS entries in broken DNS caching software. But I have
always wondered why e.g. mail.space.net is spammed with mails for
@space.net even if it is not in the MX list. This is not because of stale
DNS entries (the MX has never been there).
IMHO spammers think that if a mail.example.com exists and accepts mails
(aka port 25 is connected) but is not the MX it may be a "shielded" weak
server and the official best MX runs antispam and antivirus software but the
hidden mailserver is an easy victim.

I have put a RRD image on the web that graphically shows what I am
talking about:
    http://www.space.net/~maex/nomx.png
The MX was changed around 9am on Tuesday and the domain configuration on
the mailserver was removed around the same time on Wednesday.
The reasons for rejections up to that date were:
- HELO ip_of_destination
- HELO hostname_of_destination
- HELO domain RCPT TO @domain
- MAIL FROM @has_no_A_nor_MX
- virus infected message
The mailserver acted as part of a multi-hop gateway, so there only
existed a catchall account.

> But since you started this experiment, can you change mail server
> behavior for a period of time to not drop the messages but to store all
> of them in some archive file and then take a look at what is coming?
> If possible consider giving some of us access to that as well?

I'll have to talk to the customer. Changing the behaviour involves more
traffic costs and a possible breach of trust and delivery for "legitimate"
mails still sent to the old address due to stale DNS records :/

But the "experiment" should be easy to reproduce. If there is a domain
that gets some spam and has mail.domain as MX and you have another
domain to work with, simply add a mail.otherdomain with the same A
record as mail.domain, then change MX to mail.otherdomain and then
change the A record of mail.domain to some honeypot and see what
happens. I'll check some logfiles and see if I can set up such a
honeypot with any of our/my other domains that receives enough spam to
make it at least slightly significant.

    \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
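As an added illustration of the thread's observation (mail hitting a host named "mail" that is not in the MX list) and the HELO-based rejection reasons listed above, here is a small Python check that tags inbound SMTP sessions accordingly. This is not code from the poster or from the ASRG list; the MX table, the receiving host's identity and the sample sessions are constructed so it runs offline, where a real deployment would take the MX set from a resolver and the sessions from the MTA log.

```python
"""Tag inbound SMTP sessions that reach a non-MX host, plus the HELO oddities
mentioned in the thread. Constructed data throughout (no DNS, no real logs)."""
from dataclasses import dataclass

# Constructed MX table: recipient domain -> MX hostnames (lowercase, no trailing dot).
# mail.example.org is NOT an MX for example.org, but is the gateway MX for example.net.
MX_TABLE = {
    "example.org": {"mx1.example.org", "mx2.example.org"},
    "example.net": {"mail.example.org"},
}
# Constructed identity of the receiving host (the "mail.*" box from the thread).
LOCAL_HOST = "mail.example.org"
LOCAL_IP = "192.0.2.25"


@dataclass
class Session:
    client_ip: str
    helo: str
    mail_from: str
    rcpt_to: str


def rcpt_domain(addr):
    """Domain part of an address, normalised for MX lookup."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def classify(sess):
    """Return indicator tags for one session: 'non-mx-host' when the recipient
    domain's MX set does not contain this host, plus the HELO patterns listed above."""
    tags = []
    dom = rcpt_domain(sess.rcpt_to)
    if LOCAL_HOST not in MX_TABLE.get(dom, set()):
        tags.append("non-mx-host")
    helo = sess.helo.lower().strip("[]")  # address literals arrive as [a.b.c.d]
    if helo == LOCAL_IP:
        tags.append("helo-is-dest-ip")
    if helo == LOCAL_HOST:
        tags.append("helo-is-dest-host")
    if helo == dom:
        tags.append("helo-is-rcpt-domain")
    return tags


def summarize(sessions):
    """Count tags over a batch of sessions, e.g. one day of connections."""
    counts = {}
    for s in sessions:
        for t in classify(s):
            counts[t] = counts.get(t, 0) + 1
    return counts


# Constructed sample sessions (not real traffic).
SAMPLE = [
    Session("203.0.113.7", "[192.0.2.25]", "x@sender.invalid", "user@example.org"),
    Session("203.0.113.8", "example.org", "y@sender.invalid", "user@example.org"),
    Session("198.51.100.3", "smtp.partner.invalid", "a@partner.invalid", "user@example.org"),
    Session("198.51.100.4", "smtp.partner.invalid", "b@partner.invalid", "user@example.net"),
]
```

Running `summarize(SAMPLE)` over a real day of logs, split by whether the connection arrived before or after the MX change, reproduces the comparison the RRD graph in the thread draws.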