>What I've started seeing recently is spammers using the A record to send
>mail to instead of the MX record thereby bypassing the scanning process.

This is not new abuse, but ime it has increased seriously in the last 
couple months.  and forget about DNS, the spammers scan port 25 on all IPs 
without bothering with DNS queries.  if port 25 is listening, they send to it.

>  The
>A record will be mail.domain.com and the MX will be imgate.ias.net. I can't
>block the A record on the firewall since we use virtual IP addresses on the
>imail server and all our domains on that server use the same IP address.
>
>I'm trying to come up with a way to use the inbound rules on imail to block
>but I haven't been able to come up with a rule that works.

forget about the rule for a hostname.  Spammers SMTP connect to the IP of 
the mailbox server.

the only "rule" is to block access from internet to port 25 of the mailbox 
server

1. another approach is to have the mailbox server listen on port 587, so 
legit users submit their mail there ONLY with SMTP AUTH, and IMGate relays 
to port 587, but the mailbox whitelists IMGate IPs for non-AUTH submission.

2. pop-before-smtp into IMGate is another approach.

1. and 2. both require legit users to alter their mail user programs (maybe 
2. can sneak by invisibly for the users, but it requires your DNS to be 
set up correctly)

Len
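
An added example, not part of Len's message: a small audit of mailbox-server connection records that flags deliveries which skipped the IMGate relay, following the policy described above (port 25 only from the gateway, port 587 only with SMTP AUTH or from the gateway). The log format, the sample lines and the gateway range 192.0.2.0/28 are constructed assumptions.

```python
import ipaddress
import re

# Assumption: address range of the IMGate relays (documentation-range placeholder).
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed log format: "<timestamp> src=<ip> dport=<25|587> auth=<yes|no>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dport=(25|587) auth=(yes|no)$")

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = """\
2024-01-01T10:00:00 src=192.0.2.5 dport=25 auth=no
2024-01-01T10:00:07 src=203.0.113.40 dport=25 auth=no
2024-01-01T10:01:12 src=198.51.100.9 dport=587 auth=yes
2024-01-01T10:02:30 src=198.51.100.77 dport=587 auth=no
2024-01-01T10:03:00 src=192.0.2.6 dport=587 auth=no
garbage line
"""

def from_gateway(ip):
    """True if the source address belongs to one of the gateway ranges."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return any(addr in net for net in GATEWAY_NETS)

def classify(src, dport, authed):
    if from_gateway(src):
        return "ok-gateway-relay"      # whitelisted for non-AUTH submission
    if dport == 587 and authed:
        return "ok-auth-submission"    # legit user with SMTP AUTH
    if dport == 25:
        return "mx-bypass"             # direct delivery, skipped the MX
    return "unauth-submission"         # port 587 without AUTH, not the gateway

def audit(log_text):
    """Return (timestamp, source, verdict) for every policy violation."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                   # skip lines that are not connection records
        ts, src, dport, auth = m.groups()
        try:
            verdict = classify(src, int(dport), auth == "yes")
        except ValueError:
            continue                   # unparseable source address
        if not verdict.startswith("ok-"):
            findings.append((ts, src, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any "mx-bypass" finding means port 25 on the mailbox server is still reachable from outside the gateway.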


