Hi, Dan-
Is the IP of the POP server nowhere to be found in DNS? It seems to me that would be unlikely unless the end users are entering IP addresses into their mail client software - a very bad idea from a system management perspective.
It is a simple matter to port scan all addresses in a DNS record looking for a response on port 25.
Goran's suggestion should be the cure. Block port 25 at the client's firewall for all IPs except the store-and-forward server(s), then the only way for someone outside the system to deliver mail is through your store/forward server(s).
Matt's suggestion to change the IP of the POP server should also work unless you publish the IP somewhere in DNS, which you probably do as a convenience to the end users.
-d
----- Original Message ----- From: "Dan Geiser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 18, 2004 10:31 AM
Subject: [Declude.JunkMail] Interesting Spamming Technique
Hello, All,
In addition to doing spam filtering for some of our IMail hosting customers
we also do Store and Forward filtering for a few domains. In the past day
or so I've had complaints from Store and Forward customers about an increase
in spam. When I check the headers of the e-mail they are sending to me I
don't see any indication that the e-mail was routed through us and NOT
picked up as spam. Instead it looks like the mail was delivered directly to
their e-mail servers and did the end around our Store and Forward. The
thing is I have no idea how the spammer even knew the direct IP addresses of
our customers because those don't show up anywhere in their DNS records.
Although I guess they could just be running port scans and checking for
responses on port 25 and attempting delivery of spam that way without using
DNS lookups. But part of the IMail Store and Forward documentation involves
locking down the SMTP server to only accept e-mail from the relaying IP
address. I'm 99% sure that we had the customers lock down their incoming
e-mail to only accept connections from us but I need to confirm that. In
the meantime has anyone noticed an increase in this direct delivery method
which basically ignores the current DNS system?
Thanks In Advance, Dan Geiser [EMAIL PROTECTED]
----------------------------------------------------------------------- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan
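As an added illustration (not part of the thread or of IMail/Declude), here is the kind of header check Dan describes: walk the Received: chain of a message that landed on the customer's server and flag it if the final hop did not come from the store-and-forward relay. The relay address 192.0.2.25 and both sample messages are constructed.

```python
from __future__ import annotations
import re
from email import message_from_string

# Hypothetical store-and-forward relay address (constructed; not from the thread).
RELAY_IPS = {"192.0.2.25"}

# Bracketed source address in a Received: header, e.g. "from host (host [203.0.113.9])".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message: str) -> list[str]:
    """Return the Received: headers top to bottom (most recent hop first), unfolded."""
    msg = message_from_string(raw_message)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def source_ip(received_header: str) -> str | None:
    """IP of the host that handed the message to this hop, or None if not bracketed."""
    m = _IP_RE.search(received_header)
    return m.group(1) if m else None


def bypassed_relay(raw_message: str, relay_ips=RELAY_IPS) -> bool:
    """True when the last hop into the customer's server was not the filtering relay.

    A message with no Received: trace at all is also treated as suspect."""
    chain = received_chain(raw_message)
    if not chain:
        return True
    return source_ip(chain[0]) not in relay_ips


# Constructed sample messages using RFC 5737 documentation addresses.
VIA_RELAY = (
    "Received: from relay.filter.example (relay.filter.example [192.0.2.25])\n"
    "\tby mail.customer.example (IMail) with SMTP; Thu, 18 Nov 2004 10:20:00 -0500\n"
    "Received: from sender.example ([198.51.100.7]) by relay.filter.example\n"
    "From: alice@sender.example\nSubject: report\n\nbody\n"
)
DIRECT = (
    "Received: from unknown ([203.0.113.9]) by mail.customer.example (IMail)\n"
    "From: deals@bulk.example\nSubject: offer\n\nbody\n"
)

if __name__ == "__main__":
    print("via relay bypassed:", bypassed_relay(VIA_RELAY))   # False
    print("direct delivery bypassed:", bypassed_relay(DIRECT))  # True
```

Any message this flags is evidence that the customer's SMTP server is still accepting connections from addresses other than the relay, which is exactly what the firewall rule and the IMail relay-only lockdown are meant to prevent.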
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
