Sneaky Spammers...?

Mike Kercher mike at CAMAROSS.NET
Sun Mar 2 16:59:51 GMT 2003


It looks to me like mail is rejected at the MTA by DNS blacklists.  The spam
is then routed to the backup MX and it seems that when mail hits the
secondary MX (even though the originating server was blacklisted), the
backup allows the spam in because it is only spooling for the domain (for
some reason).  I may have this explanation all screwed because I just woke
up, but I see this all the time as I do backup MX for lots of domains where
the primary is also running MS/SA/DNSBL's.



-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Spicer, Kevin
Sent: Sunday, March 02, 2003 10:47 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Sneaky Spammers...?


I don't know whether this is a new ploy, or just one I haven't noticed
before as I've got rather better reporting in place now (and one of the
mails in question landed in my inbox!)...

Like (I guess) many sites our primary MX is our border mailscanner (actually
it's also our secondary as it has addresses on two internet connections) and
our ISP provides two fallback mailservers, which in the event of failure
queue up mail and forward on to our MailScanner when it comes back up.  I've
just noticed that some enterprising spammer seems to have decided it's a good
idea to send mail directly to these servers and let them forward on to our
primary MX.  I'm fairly sure that this is what is happening, as a quick grep
of our maillogs suggests that only spam is being received from the backup
MX's (suggesting that the primary MX was in fact available throughout).

I noticed also that mailstats.pl lists the two fallback servers as no.1 and
no.3 on the list of 'blocked' IP's (fortunately I turned blocking off when I
installed it).  This could have serious consequences for anyone who is using
this, or other scripts, to block spam relays, as should their primary MX
(MailScanner) - or its internet connection - go down the secondary MX would
then accept mail which it would be prevented from delivering once the
primary MX came back up! [David, this is why I've copied you on this, as I'm
not sure if you're currently on the MS list]

It's debatable whether scripts that block based on IP's logged by
MailScanner need to account for this or whether MS should refrain from
logging the IP of hosts that are fallback MX's for the domain(s)(?)  I did
notice that the MS spam log entry suggests that the IP of our fallback MX's
belongs to the domain of the spammers (forged) address rather than
reflecting its reverse DNS name - which is also misleading.



BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
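The "quick grep of our maillogs" described in the thread, as an added example that is not code from either poster, from MailScanner or from mailstats.pl: the script below tallies spam verdicts per connecting relay, shows why a blocker that ranks relays by spam count puts the ISP's fallback MX hosts at the top of its list, and keeps them off the list by exclusion. The log line shape, queue ids, addresses and IP addresses are all constructed for this example and only loosely follow the form of a MailScanner verdict line.

```python
import re
from collections import defaultdict

# Constructed sample log, loosely modelled on the shape of a MailScanner spam
# log line; timestamps, queue ids, addresses and IPs are invented for the example.
SAMPLE_LOG = """\
Mar  2 09:01:12 mx MailScanner[4131]: Message A1 from 203.0.113.10 (joe@example.net) to bmrb.example is not spam
Mar  2 09:02:44 mx MailScanner[4131]: Message A2 from 198.51.100.5 (sales@spam.example) to bmrb.example is spam, SpamAssassin (score=14.2)
Mar  2 09:03:01 mx MailScanner[4131]: Message A3 from 198.51.100.5 (deals@spam.example) to bmrb.example is spam, SpamAssassin (score=11.0)
Mar  2 09:05:19 mx MailScanner[4131]: Message A4 from 198.51.100.6 (offers@spam.example) to bmrb.example is spam, SpamAssassin (score=9.7)
Mar  2 09:05:58 mx MailScanner[4131]: Message A5 from 198.51.100.6 (win@spam.example) to bmrb.example is spam, SpamAssassin (score=12.4)
Mar  2 09:06:30 mx MailScanner[4131]: Message A6 from 203.0.113.10 (ann@example.net) to bmrb.example is not spam
Mar  2 09:07:02 mx MailScanner[4131]: Message A7 from 203.0.113.44 (bob@example.org) to bmrb.example is spam, SpamAssassin (score=7.1)
Mar  2 09:08:15 mx MailScanner[4131]: Message A8 from 203.0.113.44 (bob@example.org) to bmrb.example is not spam
Mar  2 09:09:40 mx MailScanner[4131]: Message A9 from 192.0.2.77 (cheap@spam.example) to bmrb.example is spam, SpamAssassin (score=16.8)
Mar  2 09:10:03 mx MailScanner[4131]: Message A10 from 192.0.2.77 (cheap@spam.example) to bmrb.example is spam, SpamAssassin (score=15.5)
"""

# Constructed: the ISP's two fallback MX hosts that queue and forward for us.
FALLBACK_MX = frozenset({"198.51.100.5", "198.51.100.6"})

LINE_RE = re.compile(
    r"Message (?P<id>\S+) from (?P<relay>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?P<sender>[^)]*)\) to \S+ is (?P<verdict>not spam|spam)"
)


def tally_by_relay(log_text):
    """Count (total, spam) messages per connecting relay IP."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a verdict line; ignore it
        relay, verdict = m.group("relay"), m.group("verdict")
        counts[relay][0] += 1
        if verdict == "spam":
            counts[relay][1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


def block_candidates(counts, exclude=frozenset(), min_msgs=2):
    """Relays whose every message (at least min_msgs of them) was spam.

    With exclude empty this is the naive list an IP blocker would produce;
    passing FALLBACK_MX keeps our own backup MX hosts off it.
    """
    return sorted(
        ip for ip, (total, spam) in counts.items()
        if total >= min_msgs and spam == total and ip not in exclude
    )


def fallback_report(counts, fallback_mx):
    """Per-fallback-MX (total, spam) counts plus a flag that is True when
    everything that reached us via the fallbacks was spam: if the primary was
    up the whole time, that traffic was delivered to the backups on purpose."""
    per_host = {ip: counts.get(ip, (0, 0)) for ip in sorted(fallback_mx)}
    total = sum(t for t, _ in per_host.values())
    spam = sum(s for _, s in per_host.values())
    return per_host, (total > 0 and spam == total)


if __name__ == "__main__":
    counts = tally_by_relay(SAMPLE_LOG)
    print("naive block list:", block_candidates(counts))
    print("block list minus fallback MX:", block_candidates(counts, FALLBACK_MX))
    hosts, all_spam = fallback_report(counts, FALLBACK_MX)
    print("via fallback MX:", hosts, "all spam:", all_spam)
```

Run against the constructed log, the naive list contains both fallback MX hosts ahead of the one real spam source, which is exactly the hazard the thread raises: blocking them would silently cut off queued mail the next time the primary MX is down. Excluding the fallbacks from any IP-based block list, and reporting their traffic separately so a run of spam-only deliveries via the backups stands out, keeps the relay blocker useful without that failure mode.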



