Fake MX records

am.lists am.lists at gmail.com
Wed Jul 25 04:39:25 IST 2007


I've read that article, and what it suggests has valid thinking behind it.

The thing is, now that the spammers/crappers/etc. know this defense
tactic, they have a one-up maneuver to outsmart it.

In fact, one tactic I've seen lately is the attempt to deliver mail
directly to a guessed A record in the domain.

Anecdotal Sample:

domain: hogswaggle.net
published mx:
  mx.hogswaggle.net, distance = 5
  fake.hogswaggle.net, distance = 10
setup: mx is a MailScanner box that forwards good mail to
mail.hogswaggle.net. "mail" is not configured to accept mail from
anyone but the "mx" server and anyone who has successfully
smtp-auth'ed.

reality: we see incoming spam connections coming in on
mail.hogswaggle.net, although this host is neither posted publicly, nor has
it ever been posted in any MX record.

That leads me to believe that spammers are taking
"bobsmith at hogswaggle.net", targeting the username at that domain, prepending
"mail." to the target domain, and attempting the connection there.

Not sure if anyone else has seen this or not, but I definitely have on
more than one of my domains.

-Angelo
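
An added example (not from Angelo's post and not MailScanner code) showing how to spot the behaviour described above in the internal host's own logs: connections that reach "mail" without coming from the published MX and without SMTP AUTH. It assumes the "mail" host runs Postfix and logs smtpd events in the standard "postfix/smtpd[PID]: ..." form, and that 192.0.2.5 is the address of mx.hogswaggle.net; the log lines, hostnames and IPs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not the post's or MailScanner's code. Assumed: the internal
# "mail" host is Postfix and logs smtpd events per process ID. The relay IP,
# hostnames and sample log lines are all constructed.
MX_RELAYS = {"192.0.2.5"}  # assumed address of mx.hogswaggle.net, the only permitted unauthenticated sender

SMTPD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<rdns>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
DISCONNECT_RE = re.compile(r"^disconnect from (?P<rdns>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")

# Constructed sample: the MX relaying a message, a direct-to-"mail" attempt that
# is refused, and a legitimate SMTP-AUTH'ed user submitting mail.
SAMPLE_LOG = """\
Jul 25 04:10:01 mail postfix/smtpd[1201]: connect from mx.hogswaggle.net[192.0.2.5]
Jul 25 04:10:02 mail postfix/smtpd[1201]: 3F2A1C0B1: client=mx.hogswaggle.net[192.0.2.5]
Jul 25 04:10:03 mail postfix/smtpd[1201]: disconnect from mx.hogswaggle.net[192.0.2.5]
Jul 25 04:12:44 mail postfix/smtpd[1207]: connect from unknown[198.51.100.77]
Jul 25 04:12:45 mail postfix/smtpd[1207]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 554 5.7.1 <unknown[198.51.100.77]>: Client host rejected: Access denied; from=<promo@example.net> to=<bobsmith@hogswaggle.net> proto=ESMTP helo=<[198.51.100.77]>
Jul 25 04:12:46 mail postfix/smtpd[1207]: disconnect from unknown[198.51.100.77]
Jul 25 04:15:10 mail postfix/smtpd[1211]: connect from host.example.org[203.0.113.9]
Jul 25 04:15:11 mail postfix/smtpd[1211]: 7B9C2D0F2: client=host.example.org[203.0.113.9], sasl_method=PLAIN, sasl_username=bobsmith
Jul 25 04:15:12 mail postfix/smtpd[1211]: disconnect from host.example.org[203.0.113.9]
"""


@dataclass
class Session:
    ts: str
    pid: str
    rdns: str
    ip: str
    sasl_user: Optional[str] = None
    rejects: int = 0


def sessionize(log: str) -> List[Session]:
    """Group smtpd log lines into client sessions, keyed by the smtpd process ID.

    One smtpd process serves one client at a time, so everything logged by a
    PID between its 'connect from' and 'disconnect from' belongs to that client.
    """
    open_sessions: Dict[str, Session] = {}
    finished: List[Session] = []
    for line in log.splitlines():
        m = SMTPD_RE.match(line)
        if not m:
            continue  # not an smtpd line
        pid, msg = m["pid"], m["msg"]
        c = CONNECT_RE.match(msg)
        if c:
            open_sessions[pid] = Session(m["ts"], pid, c["rdns"], c["ip"])
            continue
        s = open_sessions.get(pid)
        if s is None:
            continue  # event for a session whose connect line is not in this log
        a = SASL_RE.search(msg)
        if a:
            s.sasl_user = a["user"]  # client completed SMTP AUTH
        if "NOQUEUE: reject:" in msg:
            s.rejects += 1  # a recipient/client restriction fired
        if DISCONNECT_RE.match(msg):
            finished.append(open_sessions.pop(pid))
    finished.extend(open_sessions.values())  # sessions still open at end of log
    return finished


def mx_bypass_attempts(log: str, relays=MX_RELAYS) -> List[Session]:
    """Sessions that reached the internal host neither from the MX nor via SMTP AUTH.

    On a host that is not in any MX record, these are exactly the
    'guessed A record' deliveries described in the post.
    """
    return [s for s in sessionize(log) if s.ip not in relays and s.sasl_user is None]


if __name__ == "__main__":
    for s in mx_bypass_attempts(SAMPLE_LOG):
        print(f"{s.ts} pid={s.pid} {s.rdns}[{s.ip}] rejects={s.rejects}")
```

The sessionization is what makes the check reliable: Postfix logs the `sasl_username=` on the `client=` line, not on the `connect from` line, so a per-line filter would flag authenticated users too. Whether the flagged sessions were also refused (`rejects > 0`) tells you whether the restriction on "mail" is actually holding.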


More information about the MailScanner mailing list