Not quite either.

The spammer is using their own domain (which I will call badspammer.com). The
MX records for badspammer.com point to either my mail server's IP or localhost
(127.0.0.1).

Badspammer.com then uses a dictionary to send out a massive email blast to one
of my domains. Qmail happily accepts the mail and puts it in its queue to try
and do a local delivery. Most of these bounce and qmail attempts to send out a
bounce notice to the sender. It looks up the MX record for badspammer.com and
finds 127.0.0.1. So qmail connects to 127.0.0.1 and attempts to deliver itself
the mail. This of course causes more bounces and winds up in postmaster's mailbox.

So it's a valid domain and it technically has valid MX records. But the MX
record data itself is not.

-dr

Quoting Chris Wilkes <[EMAIL PROTECTED]>:
> On Thu, Aug 28, 2003 at 03:36:09PM -0400, Daniel Reich wrote:
> >
> > Is it possible to reject a mail sender based on the value of the MX
> > records set? Not simply whether they exist. The reason is I am
> > noticing some spammers publishing my server as their MX record or a
> > 127 address.
>
> Do you mean that a spammer is sending out an email with your domain
> ('example.com') listed in the from, i.e. '[EMAIL PROTECTED]'?
>
> Or do you mean that the spammer has a 'legitimate' From address
> ('spamdomain.com') whose MX records list example.com as its mail server?
>
> If it's the 2nd then you don't have much to worry about: qmail will
> reject them as it isn't in your locals/rcpthosts file.
>
> If it's the first then that's called a "joe job" and you can look at the
> qmail mailing list for some ideas:
> http://marc.theaimsgroup.com/?l=qmail&w=2&r=1&s=joe+job&q=b
> http://marc.theaimsgroup.com/?l=qmail&w=2&r=1&s=faked+from&q=b
>
> Chris
>
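
An added example, not part of this thread and not qmail code: a sketch of the check asked about above, deciding from a sender domain's MX data whether a bounce could ever be delivered. The function names, `goodsender.example`, the MX host names and all addresses are constructed, the DNS answers are passed in as tables rather than looked up, and the check is assumed to run on the envelope sender before the message is queued. It goes beyond the two cases in the thread (loopback and the server's own IP) by also treating RFC 1918 and link-local targets as unusable, and it rejects only when no MX target is usable.

```python
import ipaddress

# Assumption: the addresses this mail server answers on (constructed value).
OWN_ADDRESSES = {ipaddress.ip_address("192.0.2.25")}

# Ranges where a bounce would never leave this host or its local network.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128")]

# Constructed lookup results standing in for real DNS answers.
MX = {"badspammer.com": [(10, "mx1.badspammer.com"), (20, "mx2.badspammer.com")],
      "goodsender.example": [(10, "mail.goodsender.example")]}
A = {"mx1.badspammer.com": ["127.0.0.1"],
     "mx2.badspammer.com": ["192.0.2.25"],
     "mail.goodsender.example": ["198.51.100.10"]}


def address_problem(ip_text):
    """Return why a bounce to this address cannot be delivered, or None."""
    ip = ipaddress.ip_address(ip_text)
    if ip in OWN_ADDRESSES:
        return "our own server"
    for net in UNROUTABLE:
        if ip.version == net.version and ip in net:
            return f"inside {net}"
    return None


def sender_domain_verdict(domain, mx_records, host_addresses):
    """Return (accept, notes); accept is False when no MX target is usable."""
    # With no MX record, SMTP falls back to the domain's own address record.
    targets = sorted(mx_records.get(domain, [])) or [(0, domain)]
    usable, notes = 0, []
    for _pref, host in targets:
        addrs = host_addresses.get(host, [])
        if not addrs:
            notes.append(f"{host}: no address")
        for ip_text in addrs:
            reason = address_problem(ip_text)
            if reason is None:
                usable += 1
            else:
                notes.append(f"{host} -> {ip_text}: {reason}")
    return usable > 0, notes

if __name__ == "__main__":
    for name in ("badspammer.com", "goodsender.example"):
        print(name, sender_domain_verdict(name, MX, A))
```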