
Re: [Asrg] Spammer proxies using legitimate mail relays

2005-02-16 05:09:07
James Lick <jlick(_at_)drivel(_dot_)com> wrote:

> It looks at the hostname of the proxy, e.g. adsl-63-29.someisp.com,
> looks up the MX for someisp.com and sends through that.  This has a few
> problems in that the domain of the ISP's clients and the domain of their
> e-mail infrastructure could be different.  Also MX is for incoming
> email, not necessarily outgoing email.  An ISP which blocked their
> client systems from sending out through the incoming MX could defeat
> this until the software gets smarter.

We observed this attack in September. I'm not sure if the machine being
used by the spammers was a zombie or an open SOCKS proxy - I think the
latter, based on information from an external blacklist and based on
our fairly effective anti-virus protection. Fortunately earlier last
year I had split our MX and our smarthost so I could lock down the MX
properly. I very much recommend that others do so too.

The next pro-active defence is to add some kind of rate limiting...

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
SHETLAND ISLES: SOUTHWEST 6 OR 7, OCCASIONALLY GALE 8 AT FIRST, VEERING WEST 4
OR 5, OCCASIONALLY 6 IN NORTH WEATHER: RAIN CLEARING TO OCCASIONAL SHOWERS
VISIBILITY: MODERATE BECOMING MAINLY GOOD. ROUGH BECOMING VERY ROUGH IN WEST
AND NORTH
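The MX/smarthost split Tony describes, and the rate limiting he proposes next, modelled as policy decisions in Python. This is an added illustration, not code posted to the list: the local domain, the ISP client range, the limits and the proxy address are constructed.

```python
# Added illustration of the MX / smarthost split and a per-client rate limit;
# not code from the list. Domain, address range and limits are constructed.
from collections import deque
from dataclasses import dataclass, field
import ipaddress

LOCAL_DOMAINS = {"example.org"}                      # assumed: domains the MX receives for
CLIENT_POOL = ipaddress.ip_network("192.0.2.0/24")  # assumed: the ISP's customer range

@dataclass(frozen=True)
class Session:
    client_ip: str
    rcpt_domain: str
    authenticated: bool = False

def mx_policy(s: Session) -> str:
    """Inbound MX: takes mail for local domains from anyone, relays for nobody.
    A proxy that found this host via the MX record is refused even though it
    sits inside the ISP's own address space."""
    return "accept" if s.rcpt_domain in LOCAL_DOMAINS else "reject: relay access denied"

@dataclass
class Smarthost:
    """Outbound relay for the client pool or authenticated users, with a
    sliding-window limit so one abused client cannot pump out unlimited mail."""
    limit: int = 5              # messages per client per window (assumed value)
    window: float = 60.0        # seconds
    history: dict = field(default_factory=dict)

    def policy(self, s: Session, now: float) -> str:
        if not (s.authenticated or ipaddress.ip_address(s.client_ip) in CLIENT_POOL):
            return "reject: relay access denied"
        q = self.history.setdefault(s.client_ip, deque())
        while q and now - q[0] >= self.window:      # forget attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return "reject: rate limit exceeded"
        q.append(now)
        return "accept"

def simulate_proxy_abuse(n: int, smarthost: Smarthost) -> dict:
    """A proxy at 192.0.2.77 (constructed) makes n relay attempts, one per second,
    against both hosts; returns how each defence fared."""
    bad = Session("192.0.2.77", "victim.example")
    counts = {"mx_accepted": 0, "smarthost_accepted": 0, "rate_limited": 0}
    for second in range(n):
        counts["mx_accepted"] += mx_policy(bad) == "accept"
        verdict = smarthost.policy(bad, now=float(second))
        counts["smarthost_accepted"] += verdict == "accept"
        counts["rate_limited"] += verdict == "reject: rate limit exceeded"
    return counts
```

With the MX no longer relaying, the proxy's attempts against it all fail, while the smarthost still accepts a burst up to the limit, which is why the rate limit matters as the second layer.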

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg