Hey, Goran,
That is what we ended up doing for this customer. They can't receive any port 25 traffic from any IP addresses except ours now. I just had never seen evidence of spammers caching IP addresses before.


I was thinking though that scanning ranges of IP addresses for responses on port 25 and then sending e-mail either from or to <user>@domain.tld, where domain.tld is the second-level domain found when you do a lookup on the Reverse DNS for any IP addresses found to be responding on port 25, might be a good way for spammers to get their messages through.

Thanks, Much!
Dan Geiser
[EMAIL PROTECTED]

----- Original Message -----
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 18, 2004 1:49 PM
Subject: RE: [Declude.JunkMail] Interesting Spamming Technique



Hi Dan,

What we do for our store and forward customers is to lock down their
firewall to only accept port 25 traffic from our IPs. Instant end to the
end-around problem.

I moved a MX record about a week ago for a domain and I am still seeing
about 1000 messages per day still hitting the old IP address and 98% of
them are WEIGHT10 +




Goran Jovanovic The LAN Shoppe



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Thursday, November 18, 2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Interesting Spamming Technique

Hello, All,
In addition to doing spam filtering for some of our IMail hosting customers we also do Store and Forward filtering for a few domains.  In the past day or so I've had complaints from Store and Forward customers about an increase in spam.  When I check the headers of the e-mail they are sending to me I don't see any indication that the e-mail was routed through us and NOT picked up as spam. Instead it looks like the mail was delivered directly to their e-mail servers and did the end around our Store and Forward.  The thing is I have no idea how the spammer even knew the direct IP addresses of our customers because those don't show up anywhere in their DNS records.  Although I guess they could just be running port scans and checking for responses on port 25 and attempting delivery of spam that way without using DNS lookups.  But part of the IMail Store and Forward documentation involves locking down the SMTP server to only accept e-mail of the relaying IP address.  I'm 99% sure that we had the customers lock down their incoming e-mail to only accept connections from us but I need to confirm that.  In the meantime has anyone noticed an increase in this direct delivery method which basically ignores the current DNS system?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]



-----------------------------------------------------------------------
Sign up for virus-free and spam-free e-mail with Nexus Technology
Group
http://www.nexustechgroup.com/mailscan

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
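Added example, not part of the original thread: a Python sketch of the header check described above, flagging mail whose final hop was not one of the filtering gateway's relay IPs. The gateway range, hostnames and both sample messages are constructed placeholders, and the check assumes the receiving server writes the peer address in square brackets in its Received header.

```python
import email
import ipaddress
import re

# Assumption: relay addresses of the store-and-forward filter (TEST-NET-1 placeholder).
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.0/28")]
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def last_hop_ip(raw_message):
    """Peer IP from the topmost Received header, the one our own server wrote."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    match = _BRACKETED_IP.search(received[0]) if received else None
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:  # bracketed text that is not a valid IPv4 address
        return None

def bypassed_gateway(raw_message):
    """True when the final hop cannot be shown to be one of the gateway relays."""
    ip = last_hop_ip(raw_message)
    return ip is None or not any(ip in net for net in GATEWAY_NETS)

# Constructed sample messages (hostnames and addresses are placeholders).
VIA_GATEWAY = (
    "Received: from gw1.filter.example (gw1.filter.example [192.0.2.5])\n"
    "\tby mail.customer.example with ESMTP; Thu, 18 Nov 2004 10:32:00 -0500\n"
    "Received: from sender.example ([198.51.100.7])\n"
    "\tby gw1.filter.example with ESMTP; Thu, 18 Nov 2004 10:31:58 -0500\n"
    "Subject: filtered and forwarded\n\nbody\n"
)
DIRECT = (
    "Received: from unknown ([203.0.113.44])\n"
    "\tby mail.customer.example with SMTP; Thu, 18 Nov 2004 10:33:10 -0500\n"
    "Subject: delivered straight to the customer IP\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("VIA_GATEWAY", VIA_GATEWAY), ("DIRECT", DIRECT)):
        print(name, "bypassed gateway:", bypassed_gateway(raw))
```

Only the topmost Received header is inspected because lower ones are supplied by the sender and can be forged; a message flagged here means the firewall or SMTP lock-down to the relay IPs is not in effect.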