Fake MX records

Michael Huntley michael at huntley.net
Wed Jul 25 05:36:43 IST 2007


You can stop the connections by only allowing authenticated clients,
and your mx.hogswaggle.net box.

Cheers!

michael


vinum vesco valens viscus



am.lists wrote:
> I've read that article, and what it suggests has valid thinking
> behind it.
>
> The thing is now that the spammers/crappers/etc know this defense
> tactic they now have a one-up maneuver to outsmart that.
>
> In fact, one tactic I've seen lately is the attempt to deliver mail
> directly to a guessed A record in the domain.
>
> Anecdotal Sample:
>
> domain: hogswaggle.net
> published mx:
>  mx.hogswaggle.net, distance = 5
>  fake.hogswaggle.net, distance = 10
> setup: mx is a mailscanner box that forwards good mail to
> mail.hogswaggle.net. "mail" is not configured to accept mail from
> anyone but: the "mx" server, and anyone who is successfully
> smtp-auth'ed.
>
> reality: we see incoming spam connections coming in on
> mail.hogswaggle.net although this is neither posted publicly, nor has
> it ever been posted in any mx record.
>
> That leads me to believe that spammers are taking
> "bobsmith at hogswaggle.net" and targeting username @ and then prepending
> "mail." target domain and attempting the connection there.
>
> Not sure if anyone else has seen this or not, but I definitely have on
> more than one of my domains.
>
> -Angelo
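
An added illustration, not part of either poster's message: a Python sketch of the rule suggested in the reply (accept only the mx relay and authenticated clients), applied to connection records for mail.hogswaggle.net so that sources connecting directly to the guessed A record stand out. The relay address, the key=value record format and the sample lines are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: address of the mx (MailScanner) relay; documentation-range placeholder.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.10/32")]
BYPASS = "direct connection bypassing the MX"

# Constructed sample records in a made-up key=value format (not a real MTA's log).
SAMPLE_LOG = """\
host=mail.hogswaggle.net client=192.0.2.10 auth=- rcpt=bobsmith@hogswaggle.net
host=mail.hogswaggle.net client=198.51.100.7 auth=- rcpt=bobsmith@hogswaggle.net
host=mail.hogswaggle.net client=203.0.113.45 auth=angelo rcpt=someone@example.org
host=mail.hogswaggle.net client=198.51.100.7 auth=- rcpt=sales@hogswaggle.net
host=mail.hogswaggle.net client=not-an-ip auth=- rcpt=x@hogswaggle.net
"""

def parse_line(line):
    """Split 'k=v k=v' into a dict; return None when no client field is present."""
    fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
    return fields if "client" in fields else None

def decide(fields):
    """Return (verdict, reason) under the rule: mx relay or authenticated only."""
    if fields.get("auth", "-") != "-":
        return "accept", "authenticated"
    try:
        ip = ipaddress.ip_address(fields["client"])
    except ValueError:
        return "reject", "unparseable client address"
    if any(ip in net for net in TRUSTED_RELAYS):
        return "accept", "trusted relay"
    return "reject", BYPASS

def bypass_report(log_text):
    """Count rejected unauthenticated direct connections per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and decide(fields) == ("reject", BYPASS):
            hits[fields["client"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for client, count in bypass_report(SAMPLE_LOG).items():
        print(f"{client}: {count} unauthenticated direct attempts")
```
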


