Fake MX records

Glenn Steen glenn.steen at gmail.com
Wed Jul 25 08:57:32 IST 2007


On 25/07/07, am.lists <am.lists at gmail.com> wrote:
> I've read that article, and what it suggests has valid thinking behind it.
>
> The thing is now that the spammers/crappers/etc know this defense
> tactic they now have a one-up maneuver to outsmart that.
>
> In fact, one tactic I've seen lately is the attempt to deliver mail
> directly to a guessed A record in the domain.
>
> Anecdotal Sample:
>
> domain: hogswaggle.net
> published mx:
>   mx.hogswaggle.net, distance = 5
>   fake.hogswaggle.net, distance = 10
> setup: mx is a mailscanner box that forwards good mail to
> mail.hogswaggle.net. "mail" is not configured to accept mail from
> anyone but: the "mx" server, and anyone who is successfully
> smtp-auth'ed.
>
> reality: we see incoming spam connections coming in on
> mail.hogswaggle.net although this is neither posted publicly, nor has
> it ever been posted in any mx record.
>
> That leads me to believe that spammers are taking
> "bobsmith at hogswaggle.net" and targeting username @ and then prepending
> "mail." target domain and attempting the connection there.
>
> Not sure if anyone else has seen this or not, but I definitely have on
> more than one of my domains.
>
> -Angelo
Might be harvested from the Received: lines, no? From a mailing list
or some such?
Wouldn't be completely infeasible :)

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
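Glenn's hypothesis is easy to check from the defender's side: every outbound message carries Received: headers naming each host it passed through, so the "mail" host that never appears in any MX record can still end up in every list archive the domain's users post to. The script below is an added example, not code from either poster, and its sample message, the hostnames and the published-MX set are constructed from the thread's hogswaggle.net scenario. It pulls every hostname out of the Received: chain and reports the ones under the domain that are not published MX hosts, which is exactly what a recipient (or a harvester) could learn from that message.

```python
"""Find internal hostnames that a message's Received: headers expose.

Added example for the thread above; the message below is constructed and
hogswaggle.net, mx/fake/mail.hogswaggle.net are the thread's own names.
"""
import email
import re

DOMAIN = "hogswaggle.net"
# Published MX hosts from the thread: "mx" is real, "fake" is the decoy.
PUBLISHED_MX = {"mx.hogswaggle.net", "fake.hogswaggle.net"}

# Constructed sample: a list post sent by an authenticated user, relayed
# by the internal "mail" host, then handed outward by the public "mx".
SAMPLE_MESSAGE = """\
Received: from mx.hogswaggle.net (mx.hogswaggle.net [192.0.2.10])
\tby lists.example.org (Postfix) with ESMTP id 4F2A1
\tfor <list@example.org>; Wed, 25 Jul 2007 08:57:32 +0100
Received: from mail.hogswaggle.net (mail.hogswaggle.net [192.0.2.20])
\tby mx.hogswaggle.net (MailScanner) with ESMTP id 1B3C4;
\tWed, 25 Jul 2007 08:57:30 +0100
Received: from bobs-pc.hogswaggle.net (unknown [192.0.2.55])
\t(authenticated user bobsmith)
\tby mail.hogswaggle.net (Postfix) with ESMTPSA id 9D8E7;
\tWed, 25 Jul 2007 08:57:29 +0100
From: bobsmith@hogswaggle.net
To: list@example.org
Subject: test

body
"""

# A hostname appears after "from", after "by", or as the reverse-DNS name
# in parentheses; require at least one dot so tokens like "(Postfix)" or
# "(unknown [...])" are not picked up.
HOST_RE = re.compile(
    r"(?:\bfrom\s+|\bby\s+|\()([a-z0-9][a-z0-9.-]*\.[a-z]{2,})\b", re.I
)


def received_hostnames(raw_message: str) -> list[str]:
    """Return every hostname named in the Received: chain, in header order."""
    msg = email.message_from_string(raw_message)
    hosts: list[str] = []
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())  # unfold the header onto one line
        for match in HOST_RE.finditer(flat):
            host = match.group(1).lower()
            if host not in hosts:
                hosts.append(host)
    return hosts


def leaked_internal_hosts(raw_message: str, domain: str = DOMAIN,
                          published_mx: set[str] = PUBLISHED_MX) -> list[str]:
    """Hosts under `domain` that the headers expose but no MX record names."""
    suffix = "." + domain.lower()
    return sorted(
        host for host in received_hostnames(raw_message)
        if host.endswith(suffix) and host not in published_mx
    )


if __name__ == "__main__":
    print("hosts in Received: chain:", received_hostnames(SAMPLE_MESSAGE))
    print("unpublished hosts exposed:", leaked_internal_hosts(SAMPLE_MESSAGE))
```

Run it against real outbound mail (a message from the list archive is the most honest input) to see what the world already knows about the internal topology; if "mail" turns up, the guessed-hostname connections the thread describes need no guessing at all, and the usual remedy is to have the edge MTA strip or rewrite the internal Received: lines before relaying outward.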
