This is definitely stuff going to harvested (real) addresses with full spam content. I've seen the full headers as well.
I've seen the relay testing from spammers before, in fact the same turd brought down two different clients of mine in the space of one week, both running GroupWise 5.5, one secure, the other not, but the spammer didn't care and proceeded to hammer them at 3 messages a second non-stop. The guy didn't even bother to verify if the first server would relay or not, he just took the fact that it accepted the E-mail and then stuck some zombie on it. I see the same turd hit my server a few times a week. This is the same guy that is responsible for the majority of the Joe-Jobs using my customers' domains. He performs dictionary attacks on asian sites.
Right now I am not certain enough about the guessing being reality for me to tell anyone to jump through hoops on a whim. With the current open situation I know a way around it, but sooner or later I will find a customer that makes use of SMTP AUTH and can't be firewalled or resolved with a filter following the connection. I am though strongly suggesting that everyone not name their servers mail.domain.tld or smtp.domain.tld, and that they use something unique in the name so that it can't be guessed.
Although this might not be possible, I'm looking for conclusive proof of this, and if none is available, as much anecdotal stuff as possible :)
Thanks,
Matt
Colbeck, Andrew wrote:
For what it's worth, I haven't seen anything in the security literature about spammers operating that way.
Any chance that the affected organizations had, at some time, addresses of the form:
[EMAIL PROTECTED]
which isn't uncommon? I've seen at least one private company that advertised their addresses as [EMAIL PROTECTED] but their reply-to: was [EMAIL PROTECTED] so they received spam at both.
Anecdotally, I can also relate that I've seen torrents of smtp traffic aimed at a dynamic IP; I presumed that the previous owner had an open mail relay there.
Andrew 8)
-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 23, 2004 6:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spammers bypassing gateways?
I've been wondering about the possibility and I think that I'm seeing proof of this now. With gateway spam blocking services becoming more common, are spammers (zombie-types) now starting to attempt direct connections to mail.domain.tld instead of relying on MX records?
I've been advising new clients to avoid standard names such as mail and smtp for their mail servers due to the possibility of this happening. Twice now I have done switches though with servers named mail.domain.tld that continued to be spammed directly for weeks after the MX changed took place. The only other possibility that I can think of is that some spamware is caching the IP's or MX records.
Has anyone else seen this?
Thanks,
Matt
-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
