
[Asrg] host named "mail" that is not an MX

2005-06-02 12:19:33
A customer of ours has a managed mailserver mail.example.com
that has also been the MX for example.com. The customer restructured
and changed the MX for example.com to mail.someother.example.com.
mail.example.com still exists but doesn't accept any more mail and is
only used as an outgoing relay (customer uses submission, port 587).

Our watchdogs and stats show a very interesting phenomenon:
As soon as the MX was around in DNS and after the TTL of the old MX
records had expired from the caches, mail.example.com started to get
attacked *heavily*. The domain had its attacks before and the usual
level of spam. The number of incoming messages per 5 minutes was around
50-100, but after the MX to mail.example.com expired from the caches
the number of incoming messages per 5 minutes rose to around 200.
They are all rejected with perm errors. I have also checked the logfiles
and I can find any evidence that it is some DNS cache problem. Most if
not all connections come from dialin space and hammer on the server.
There are even peaks of 800 incoming messages (more exactly RCPT TOs)
per second.

IMHO the spammers find it attractive to have found a potentially weak
point so it is their primary attack spot.

Anyone else seen this?

    \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
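The post measures the effect by counting rejected RCPT TOs per 5-minute window and noticing that the clients are dialin hosts hammering the box. The script below is an added example, not code from the original message or from SpaceNet; it reconstructs that kind of watchdog check over constructed sample log lines in an assumed format (ISO timestamp, client IP, RCPT TO address, reject/accept result). It buckets rejected RCPT TOs into 5-minute windows, flags windows that exceed a baseline, and lists the client addresses responsible so the burst can be attributed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log line shape for this example (constructed, not any real MTA's format):
#   2005-06-02T12:00:05 client=[192.0.2.10] RCPT TO:<user@example.com> reject: 550 ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=\[(?P<ip>[^\]]+)\] RCPT TO:<(?P<rcpt>[^>]+)> (?P<result>reject|accept)"
)


def build_sample_log():
    """Constructed sample data (not real traffic): a quiet 5-minute window
    followed by a burst, mimicking the shape the post describes."""
    lines = []
    base = datetime(2005, 6, 2, 12, 0, 0)
    # Quiet window: 20 rejected RCPT TOs spread over 4 client addresses.
    for i in range(20):
        ts = base + timedelta(seconds=i * 12)
        lines.append(f"{ts.isoformat()} client=[192.0.2.{10 + i % 4}] "
                     f"RCPT TO:<user{i}@example.com> reject: 550 5.1.1 user unknown")
    # Burst window: 90 rejected RCPT TOs from just 2 clients hammering the host.
    for i in range(90):
        ts = base + timedelta(minutes=5, seconds=i * 3)
        lines.append(f"{ts.isoformat()} client=[198.51.100.{1 + i % 2}] "
                     f"RCPT TO:<user{i}@example.com> reject: 550 5.1.1 user unknown")
    return lines


def parse_line(line):
    """Return a dict for a recognised RCPT TO line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "rcpt": m["rcpt"],
        "result": m["result"],
    }


def window_start(ts, window_minutes=5):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts.replace(second=0, microsecond=0,
                      minute=ts.minute - ts.minute % window_minutes)


def rejected_rcpt_counts(lines, window_minutes=5):
    """Count rejected RCPT TOs per window, keyed by the window's start time."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "reject":
            counts[window_start(rec["ts"], window_minutes)] += 1
    return counts


def flag_bursts(counts, baseline):
    """Windows whose rejected RCPT TO count exceeds the normal baseline."""
    return sorted((w, c) for w, c in counts.items() if c > baseline)


def top_clients(lines, n=5):
    """Client addresses ranked by number of rejected RCPT TOs they produced."""
    ips = Counter(rec["ip"] for rec in map(parse_line, lines)
                  if rec and rec["result"] == "reject")
    return ips.most_common(n)


if __name__ == "__main__":
    log = build_sample_log()
    counts = rejected_rcpt_counts(log)
    for window, count in sorted(counts.items()):
        print(f"{window.isoformat()}  rejected RCPT TOs: {count}")
    for window, count in flag_bursts(counts, baseline=50):
        print(f"burst in window starting {window.isoformat()}: {count}")
    for ip, count in top_clients(log, 3):
        print(f"  {ip}: {count}")
```

The baseline is deliberately a parameter: the post's own figures (50-100 per 5 minutes before, around 200 after) show that the useful threshold is whatever the host normally sees, not a fixed number. Ranking clients separately answers the second question raised in the post, whether the extra load is a DNS caching artefact spread across many legitimate senders or a handful of hosts hammering a retired MX name.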