Whenever a client has no need for SMTP AUTH for their own clients, we do advise them to set up port blocking, but of the two places where this is happening, one didn't have a firewall in front of their SMTP gateway (now does and problem solved), and the other one can't close off access to SMTP AUTH'ed clients.

Another client that didn't have a firewall didn't have this problem, and their server was named mailgw.domain.tld. That suggests that caching wasn't the issue, though they mostly got spam from static sources and not zombies so it's not conclusive. Unless I'm mistaken, zombies seem to be the offenders here.

I prefer to tell my clients that the switch is as easy as an MX change, but now it might be necessary to tell them to change their server name and possibly reconfigure their mail clients for the new SMTP server name in some cases.

Caching something for 3 months just seems like it's way beyond useful, and when they are spamming from a zombie, one would think they would be using the ISP's DNS servers for lookups, though I don't know how exactly spamware operates. It may get distributed with a database containing both E-mail and mail server addresses, though that doesn't seem to make a lot of sense either.

Matt



Kornitz, David wrote:

Matt,

I've seen the same problem and the suggestion we have made to our customers is to reconfigure their firewall (or proxy server/smtp server), such that they only accept SMTP traffic from our mail servers. This does not stop spam initially, but over a period of time, the traffic does slow down.
It is my belief that some services are caching the MX (or A) records beyond the specified period. I know at one of the sites I visit on a regular basis, that we made a change 3 months ago and we are still seeing attempts made to send mail directly to the mail server.


David

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Matt
Sent: Tuesday, March 23, 2004 8:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spammers bypassing gateways?


I've been wondering about the possibility and I think that I'm seeing proof of this now. With gateway spam blocking services becoming more common, are spammers (zombie-types) now starting to attempt direct connections to mail.domain.tld instead of relying on MX records?


I've been advising new clients to avoid standard names such as mail and smtp for their mail servers due to the possibility of this happening. Twice now I have done switches, though, with servers named mail.domain.tld that continued to be spammed directly for weeks after the MX change took place. The only other possibility that I can think of is that some spamware is caching the IPs or MX records.

Has anyone else seen this?

Thanks,

Matt




-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
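As an added example, not written by anyone in this thread, here is the check that David's firewall advice implies, done as a log review instead of a firewall rule: it flags port 25 connections that arrive from outside the gateway service's address ranges while leaving authenticated submissions alone, which is the case Matt says cannot simply be blocked. The gateway ranges, the log format and the log lines are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed address ranges of the gateway filtering service (constructed,
# documentation-only networks; substitute the real gateway ranges).
GATEWAY_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed MTA connection log in a simple one-line-per-session form.
# 203.0.113.45 connects straight to port 25 twice (gateway bypass),
# 203.0.113.77 submits on 587 with AUTH, 203.0.113.90 uses AUTH on 25.
SAMPLE_LOG = """\
2004-03-23T20:01:02 client=192.0.2.10 port=25 auth=no
2004-03-23T20:02:15 client=203.0.113.45 port=25 auth=no
2004-03-23T20:03:40 client=203.0.113.45 port=25 auth=no
2004-03-23T20:04:11 client=203.0.113.77 port=587 auth=yes
2004-03-23T20:05:09 client=198.51.100.3 port=25 auth=no
2004-03-23T20:06:30 client=203.0.113.90 port=25 auth=yes
"""

LINE_RE = re.compile(r"client=(\S+) port=(\d+) auth=(yes|no)")


def from_gateway(ip):
    """True when the client address lies inside one of the gateway ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GATEWAY_NETS)


def find_bypass(log_text):
    """Count, per client IP, the unauthenticated port 25 sessions that did
    not come through the gateway. Authenticated sessions are skipped so
    roaming SMTP AUTH users are not reported alongside direct-to-host spam."""
    bypass = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, port, auth = m.group(1), int(m.group(2)), m.group(3) == "yes"
        if port == 25 and not auth and not from_gateway(ip):
            bypass[ip] += 1
    return bypass


if __name__ == "__main__":
    for ip, n in find_bypass(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} direct port 25 session(s) bypassing the gateway")
```

Once the offending addresses are known, the same allowlist is what goes into the firewall rule for port 25, with the AUTH clients moved to a separate allowed path.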



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
