On Fri, 12 May 2006, Alun wrote:

> "Alan J. Flavell" <[EMAIL PROTECTED]> said, in message
> [EMAIL PROTECTED]:
>
> > [1] Incidentally, we had some clear evidence that spammers keep
> > old lists of MX lookups, instead of looking up in real time - so
> > it could be beneficial to regularly change one's MX IPs, and
> > let them try to offer the mail to last month's IP which has
> > now gone away ;-)
>
> I've been meaning to do something like this for a while. The
> corollary would be, after moving the IP, to firewall the old IP and
> watch the firewall logs.
OK, I wasn't sure if my throwaway remark above would raise any interest, but, as it has (thanks for reporting the results of your experiment!), maybe I could add just a bit of detail.

There are two particular scenarios which I have seen. I'll use obfuscated names, since the details of the real ones aren't of any significance here.

1. Old host-based addresses

In ancient history, we recognised host-based address domains like host5.dom.example. Then, in less-ancient history, we moved their mail service to a collective mail server by means of MX records, with host5.dom.example pointing to mail.domain.example (these were not only different domains, but even different IP network numbers).

Of course, in the fullness of time, we removed the MX records for those old hosts, and reconfigured the mailer to reject the old addresses. Nevertheless, spammers were continuing to offer to our mailer mail intended for the old host-based domains. The only possible hypothesis must be that they were using obsolete MX records which had been harvested long ago.

2. New mail server

Fairly recently, a new mail server was worked up, let's call it newmail.domain.example, and the MX records for our currently-supported mail domains were pointed to it. In due course, after a bit of parallel working, the old MX records pointing to the old server mail.domain.example were removed. After a while, the old mailer mail.domain.example was firewalled. Nevertheless, weeks afterwards, SMTP transactions were still being attempted to it.

So, that's one example of long-term stale MX records, and another example of relatively short-term - but still inappropriate - stale MX records.

I can't say anything really about spammers attempting A records for hosts, because our campus border router blocks incoming port 25 for anything which isn't registered as a bona fide mail server. So we'd never get to see the spammers attempting SMTP transactions to our other hosts.
I *suppose* the campus network folks could organise some kind of blacklisting based on firewall logs, but that's way outside of my own orbit, so I'll leave that to Chris and f(r)iends ;-)

Hope that's vaguely useful.

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
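The step Alun and Alan discuss above (firewall the retired MX address, then mine the firewall logs for whoever still tries to deliver to it) can be turned into a small log-mining script. What follows is an added example, not code from this thread or from Exim; it assumes Linux Netfilter-style `LOG` lines (`SRC=`, `DST=`, `PROTO=`, `DPT=` fields), a hypothetical retired MX address `192.0.2.25`, and a hypothetical allowlist for your own monitoring hosts. The sample log lines are constructed, not real traffic.

```python
"""Mine firewall logs for SMTP attempts against a retired MX address.

Added example, not part of the exim-users thread. Assumes Netfilter-style
LOG lines; the retired MX address, the allowlist and the log lines below
are all hypothetical / constructed for illustration.
"""
import re
from collections import Counter

# Fields we need from a Netfilter LOG line: SRC=, DST=, PROTO=, DPT=.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?"
    r"PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Hypothetical address of the MX that was withdrawn from DNS and firewalled.
RETIRED_MX = {"192.0.2.25"}

# Hypothetical sources allowed to probe port 25 on it (your own monitoring).
ALLOWLIST = {"198.51.100.9"}

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
May 12 10:01:02 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
May 12 10:01:05 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=51240 DPT=25 SYN
May 12 10:02:11 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.88 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=40000 DPT=25 SYN
May 12 10:03:00 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=33000 DPT=25 SYN
May 12 10:04:00 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.80 LEN=60 PROTO=TCP SPT=33001 DPT=25 SYN
May 12 10:05:00 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=33002 DPT=443 SYN
"""


def parse_log_line(line):
    """Return (src, dst, dport) for a TCP LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m or m.group("proto") != "TCP":
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def stale_mx_hits(lines, retired_ips=RETIRED_MX, allowlist=ALLOWLIST):
    """Count SMTP (port 25) connection attempts per source against the
    retired MX addresses, ignoring allowlisted sources and other ports."""
    hits = Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport == 25 and dst in retired_ips and src not in allowlist:
            hits[src] += 1
    return hits


def build_blocklist(hits, min_hits=2):
    """Sources with at least min_hits attempts, most active first.
    Requiring more than one hit avoids listing a one-off stray probe."""
    return [src for src, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    counts = stale_mx_hits(SAMPLE_LOG.splitlines())
    for src, n in counts.most_common():
        print(f"{src:16} {n}")
    print("blocklist:", build_blocklist(counts))
```

On the constructed input this yields two hits from 203.0.113.7 and one from 203.0.113.88; the allowlisted monitor and the port-443 probe are ignored, as is the attempt to an address that was never an MX. Whether a source belongs on a campus-wide blacklist is a separate decision: a legitimate MTA honouring DNS TTLs should have stopped using the old address within a day or so, which is why only connections seen weeks after the record was withdrawn are worth counting.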
