--On 12 May 2006 09:29:18 +0100 Alun <[EMAIL PROTECTED]> wrote:
> "Alan J. Flavell" <[EMAIL PROTECTED]> said, in message
> [EMAIL PROTECTED]:
>>
>> [1] Incidentally, we had some clear evidence that spammers keep old
>> lists of MX lookups, instead of looking-up in real time - so it could
>> be beneficial to regularly change one's MX IPs, and letting them try
>> to offer the mail to last month's IP which has now gone away ;-)
>
> I've been meaning to do something like this for a while. The corollary
> would be, after moving the IP, to firewall the old IP and watch the
> firewall logs. Anyone hitting the old IP (after some reasonable grace
> period)

Is that grace period different from the DNS TTL?

> on port 25 is pretty much bound to be a spammer/zombie and
> can be added to a local blacklist.
>
> Out of interest, I knocked together that part of the code yesterday
> morning. It actually looks for ALL blocked port 25 probes against
> our site. The blacklist now holds 308 IP addresses that have tried to
> talk to our old MX IPs. The old IPs were removed from our MX record
> in September 2003!
>
> Another interesting finding is that 462 IP addresses have tried to
> talk to machines which are listed in the A record for aber.ac.uk.
> These have also been added to the blacklist, but I can't decide
> whether that's a good thing to do (is there ANY legitimate reason
> to hit the A record rather than the MX record?!).
>
> The blocklist now contains 1911 records, gathered in 23 hours. It's
> tempting to make it into some form of DNSBL actually...
>
> Cheers,
> Alun.
>
> p.s. Make that 1915 entries - 4 more appeared while I was proofreading
> this!
> --
> Alun Jones [EMAIL PROTECTED]
> Systems Support, (01970) 62 2494
> Information Services,
> University of Wales, Aberystwyth

--
Ian Eiloart
IT Services, University of Sussex
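The retired-MX check discussed in this thread, as an added example (not code from either poster): it counts sources that hit a retired MX address on TCP port 25 once a grace period has passed. The log format, the addresses, the dates and the choice of grace period (old record TTL plus a sender retry allowance) are all assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Everything below is constructed for illustration: addresses come from
# documentation ranges; dates, TTL and retry allowance are assumptions.
RETIRED_MX = {"198.51.100.25"}
REMOVED_AT = datetime.fromisoformat("2006-05-01T00:00:00+00:00")
OLD_RECORD_TTL = timedelta(hours=24)  # TTL the old records were served with
RETRY_WINDOW = timedelta(days=5)      # senders still retrying queued mail

# iptables-style LOG line with an ISO 8601 timestamp prefix (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"\bPROTO=(?P<proto>\S+) .*?\bDPT=(?P<dpt>\d+)"
)

def grace_cutoff(removed_at, ttl, retry_window):
    """Hits before this moment may still be DNS caches or honest retries."""
    return removed_at + ttl + retry_window

def blacklist_candidates(lines, retired, cutoff, min_hits=1):
    """Count sources that hit a retired MX on TCP/25 at or after the cutoff."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or m["dpt"] != "25" or m["dst"] not in retired:
            continue
        try:
            when = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue  # unparseable timestamp: skip rather than guess
        if when >= cutoff:
            hits[m["src"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

def _drop(ts, src, dst, dpt):
    return (f"{ts} gw kernel: FW-DROP IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 PROTO=TCP SPT=40112 DPT={dpt}")

SAMPLE_LOG = [  # constructed log lines
    _drop("2006-05-03T10:00:00+00:00", "192.0.2.10", "198.51.100.25", 25),    # in grace
    _drop("2006-05-11T09:14:02+00:00", "203.0.113.7", "198.51.100.25", 25),
    _drop("2006-05-11T09:14:05+00:00", "203.0.113.7", "198.51.100.25", 25),
    _drop("2006-05-11T09:20:00+00:00", "203.0.113.99", "198.51.100.25", 22),  # not SMTP
    _drop("2006-05-11T09:30:00+00:00", "192.0.2.44", "198.51.100.80", 25),    # live host
    _drop("2006-05-12T01:00:00+00:00", "192.0.2.200", "198.51.100.25", 25),
    "2006-05-12T01:05:00+00:00 gw sshd[311]: unrelated line",
]
```

Raising min_hits trades coverage for fewer false positives from one-off connections.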
