On Thu, 2 Jun 2005, Markus Stumpf wrote:
A customer of ours has a managed mailserver mail.example.com
that has also been the MX for example.com. The customer restructured
and changed the MX for example.com to mail.someother.example.com.
mail.example.com still exists but doesn't accept any more mail and is
only used as an outgoing relay (customer uses submission, port 587).
Our watchdogs and stats show a very interesting phenomenon:
As soon as the MX was around in DNS and after the TTL of the old MX
records had expired from the caches, mail.example.com started to get
attacked *heavily*. The domain had its attacks before and the usual
level of spam. The number of incoming messages per 5 minutes was around
50-100, but after the MX to mail.example.com expired from the caches
the number of incoming messages per 5 minutes rose to around 200.
They are all rejected with perm errors. I have also checked the logfiles
and I can find any evidence that it is some DNS cache problem. Most if
not all connections come from dialin space and hammer on the server.
There are even peaks of 800 incoming messages (more exactly RCPT TOs)
per second.
IMHO the spammers find it attractive to have found a potentially weak
point, so it is their primary attack spot.
Anyone else seen this?
First I heard of it, but it would sure explain some things as to why I
still receive on my mail server messages for old domains no longer there
that we're not even relaying for. I never kept any statistics though and
don't think it's significant (but maybe it's just because those domains have
always had less mail than active ones).
But since you started this experiment, can you change the mail server
behavior for a period of time to not drop the messages but to store all
of them in some archive file and then take a look at what is coming?
If possible consider giving some of us access to that as well?
(strictly for research purposes; possibly it can be identified what
spammer software or particular spammer is doing this, and it can be
useful in stopping them in the future)
P.S. This also gives an interesting anti-spam option to check, i.e. purposely
change the MX to another name/IP and set the old server to run a daemon that
accepts mail but really sends it all to /dev/null. A spammer who is using the
trick with the old mail system name thinks his emails are all still being
accepted and does not bother the new MX, and the result is less spam :)
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
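The two ideas in William's reply, archiving what hits the retired MX instead of rejecting it and running a daemon on the old name that accepts everything and delivers nothing, are the same piece of software with a switch. The following is an added example written for this page; it is not Markus's setup or William's code, and everything in it (the class name BlackholeSMTP, the mail.example.com banner, the constructed sender and recipients) is an assumption. It speaks just enough SMTP for a real client to complete a session: every HELO/MAIL/RCPT gets 250, DATA is consumed up to the lone "." terminator (undoing dot-stuffing) and answered with 250 as if queued, and the envelope, optionally with the body, is kept in memory for analysis.

```python
"""Added example: SMTP "blackhole" sink for a decommissioned MX name.

Constructed for this discussion, not the poster's or William's code.
Hypothetical design: accept every sender and recipient, swallow DATA,
deliver nothing, and archive the envelope (plus body) for research.
"""
import collections
import socket
import threading


class BlackholeSMTP:
    """Minimal threaded SMTP sink that accepts everything and delivers nothing."""

    def __init__(self, host="127.0.0.1", port=0, banner="mail.example.com", keep_body=False):
        self.banner = banner            # assumed: still answers under the old MX name
        self.keep_body = keep_body
        self.envelopes = []             # archive of what the senders actually sent us
        self._lock = threading.Lock()
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((host, port))   # port 0 lets the OS pick a free port
        self._listener.listen(64)
        self.port = self._listener.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def close(self):
        try:
            self._listener.shutdown(socket.SHUT_RDWR)   # wakes a blocked accept()
        except OSError:
            pass
        self._listener.close()

    def _serve(self):
        while True:
            try:
                conn, peer = self._listener.accept()
            except OSError:              # listener closed by close()
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        def reply(text):
            conn.sendall(text.encode("ascii") + b"\r\n")

        env = {"peer": peer[0], "helo": None, "mail_from": None, "rcpt_tos": []}
        with conn, conn.makefile("rb") as rfile:
            try:
                reply("220 %s ESMTP" % self.banner)
                while True:
                    line = rfile.readline()
                    if not line:
                        return               # client closed the connection
                    cmd, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
                    cmd = cmd.upper()
                    if cmd in ("HELO", "EHLO"):
                        env["helo"] = arg
                        reply("250 %s" % self.banner)
                    elif cmd == "MAIL":
                        env["mail_from"] = arg.partition(":")[2].strip()
                        reply("250 OK")
                    elif cmd == "RCPT":
                        env["rcpt_tos"].append(arg.partition(":")[2].strip())
                        reply("250 OK")      # every recipient "exists"
                    elif cmd == "DATA":
                        reply("354 End data with <CR><LF>.<CR><LF>")
                        body = self._read_body(rfile)
                        self._archive(env, body)
                        env["mail_from"], env["rcpt_tos"] = None, []
                        reply("250 OK queued")   # the lie: nothing is queued
                    elif cmd == "RSET":
                        env["mail_from"], env["rcpt_tos"] = None, []
                        reply("250 OK")
                    elif cmd == "NOOP":
                        reply("250 OK")
                    elif cmd == "QUIT":
                        reply("221 Bye")
                        return
                    else:
                        reply("502 Command not implemented")
            except OSError:
                return                       # client went away mid-session

    @staticmethod
    def _read_body(rfile):
        """Consume the message up to the lone '.' terminator, undoing dot-stuffing."""
        chunks = []
        while True:
            line = rfile.readline()
            if not line or line == b".\r\n":
                return b"".join(chunks)
            chunks.append(line[1:] if line.startswith(b"..") else line)

    def _archive(self, env, body):
        record = {"peer": env["peer"], "helo": env["helo"], "mail_from": env["mail_from"],
                  "rcpt_tos": list(env["rcpt_tos"]), "size": len(body)}
        if self.keep_body:
            record["body"] = body
        with self._lock:
            self.envelopes.append(record)

    def stats(self):
        """What hit the sink: message count, RCPT TO count, noisiest peer IPs."""
        with self._lock:
            envs = list(self.envelopes)
        return {"messages": len(envs),
                "rcpt_tos": sum(len(e["rcpt_tos"]) for e in envs),
                "top_peers": collections.Counter(e["peer"] for e in envs).most_common(5)}


def demo():
    """Drive one constructed message into a local sink and return what it recorded."""
    import smtplib
    sink = BlackholeSMTP(keep_body=True).start()
    try:
        with smtplib.SMTP("127.0.0.1", sink.port, timeout=5) as client:
            client.sendmail("bulk@spammer.example",          # constructed sender
                            ["old-user@example.com", "nobody@example.com"],
                            "Subject: constructed sample\r\n\r\nhello\r\n.leading dot\r\n")
    finally:
        sink.close()
    return sink.envelopes, sink.stats()
```

Two practical caveats follow from the thread itself. The retired host is still the customer's submission relay on port 587, so the sink belongs only on the MX role (port 25) of the old name; putting it on the submission port would silently eat legitimate outbound mail. And because it answers 250 to everything, anything legitimate that still points at the old name through stale configuration is lost without a bounce, which is why the archive in keep_body mode is worth inspecting for a while before switching the server to the pure /dev/null behavior.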