Sneaky Spammers...?

Sean Embry sean at NISD.NET
Mon Mar 3 14:33:26 GMT 2003


>>> Kevin.Spicer at BMRB.CO.UK 03/02/03 10:47AM >>>
> I don't know whether this is a new ploy, or just one I haven't noticed
> before as I've got rather better reporting in place now (and one of the
> mails in question landed in my inbox!)...

It's not all that new. I've been seeing this for a while. It's being
discussed on News.Admin.Net-Abuse-Email.

> Like (I guess) many sites our primary MX is our border mailscanner
> (actually it's also our secondary as it has addresses on two internet
> connections) and our ISP provides two fallback mailservers, which in the
> event of failure queue up mail and forward on to our MailScanner when it
> comes back up.  I've just noticed that some enterprising spammer seems to
> have decided it's a good idea to send mail directly to these servers and
> let them forward on to our primary MX.  I'm fairly sure that this is what
> is happening, as a quick grep of our maillogs suggests that only spam is
> being received from the backup MXs (suggesting that the primary MX was in
> fact available throughout).

This is likely. Spammers have tried to use higher priority mail
servers because:
1. They are likely to be less critical in rejecting spam.
2. Mail admins frequently forget to update local blocks on all MXs.
3. The servers are normally less loaded and can therefore take greater
amounts of spam in less time.

snip

I'm thinking of making the higher priority mail exchangers refuse (with
a 4xx) e-mail for the primary if the primary looks to be up.
Since only spammers won't queue mail, this should affect only spammers.

Legitimate e-mail will go to the lowest priority MX, or it's broken
anyway.

About the only MTA I've seen that will try to use a higher priority MX
while the lowest is up and accepting is Exchange Server, and not all of
them do that. I don't know why some do, and some don't.

Sean
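The policy Sean sketches above (a fallback MX answering 4xx while the primary is reachable) as an added illustration; this is not code from the post or from MailScanner. The MX hosts, the preference values and the probe hook are constructed, and the backup server's own host name is assumed to be passed in by whatever glue would call this from the MTA:

```python
# Added example (not from the mailing-list post): a sketch of a backup MX
# that tempfails (4xx) inbound mail for a domain whenever that domain's
# primary MX is reachable. Host names, the MX list and the probe hook are
# constructed/assumed for illustration.
import socket
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class MXRecord:
    preference: int   # lower value = tried first by a conforming MTA
    host: str


# Constructed sample MX set: one primary at the site, two ISP fallbacks.
SAMPLE_MX: List[MXRecord] = [
    MXRecord(10, "mx.example.org"),
    MXRecord(20, "fallback1.isp.example"),
    MXRecord(30, "fallback2.isp.example"),
]

# 450 is a temporary failure: a real MTA queues and retries (and will try
# the primary again), while a fire-and-forget spam run simply loses it.
ACCEPT = "250 2.0.0 OK"
TEMPFAIL = "450 4.7.0 Primary MX is reachable; deliver there instead"


def primary_mx(records: List[MXRecord]) -> MXRecord:
    """The lowest-preference MX is the one legitimate senders try first."""
    return min(records, key=lambda r: r.preference)


def tcp_probe(host: str, port: int = 25, timeout: float = 5.0) -> bool:
    """Live reachability check: can we open a TCP connection to port 25?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class CachedProbe:
    """Wraps a probe so a busy backup MX does not hit the primary once per
    inbound connection; a result is reused for `ttl` seconds."""

    def __init__(self, probe: Callable[[str], bool], ttl: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.probe = probe
        self.ttl = ttl
        self.clock = clock
        self._cache: Dict[str, Tuple[float, bool]] = {}

    def __call__(self, host: str) -> bool:
        now = self.clock()
        hit = self._cache.get(host)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]
        result = self.probe(host)
        self._cache[host] = (now, result)
        return result


def backup_mx_reply(records: List[MXRecord], this_host: str,
                    probe: Callable[[str], bool] = tcp_probe) -> str:
    """SMTP reply a fallback MX should give for a message addressed to the
    domain described by `records`, when running on `this_host`."""
    primary = primary_mx(records)
    if this_host == primary.host:
        return ACCEPT            # we are the primary; nothing to defer to
    if probe(primary.host):
        return TEMPFAIL          # primary is up: real MTAs will go there
    return ACCEPT                # primary is down: do the fallback job


if __name__ == "__main__":
    # Offline demo with a stubbed probe; use CachedProbe(tcp_probe) for a
    # live check against real hosts.
    print(backup_mx_reply(SAMPLE_MX, "fallback1.isp.example",
                          probe=lambda host: True))
```

Two points worth keeping in mind if this were wired into a real fallback server: the reply must stay in the 4xx range, since a 5xx would bounce mail from the rare legitimate MTA that picked the backup first; and a bare TCP probe only shows that the primary is listening, so a primary that accepts connections but is otherwise unhealthy would keep the backup deferring until the probe is made smarter (or the cache expires).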


