Fake MX records

Glenn Steen glenn.steen at gmail.com
Wed Jul 25 09:08:46 IST 2007


On 25/07/07, Glenn Steen <glenn.steen at gmail.com> wrote:
> On 25/07/07, am.lists <am.lists at gmail.com> wrote:
> > I've read that article, and what it suggests has valid thinking behind it.
> >
> > The thing is now that the spammers/crappers/etc know this defense
> > tactic they now have a one-up maneuver to outsmart that.
> >
> > In fact, one tactic I've seen lately is the attempt to deliver mail
> > directly to a guessed A record in the domain.
> >
> > Anecdotal Sample:
> >
> > domain: hogswaggle.net
> > published mx:
> >   mx.hogswaggle.net, distance = 5
> >   fake.hogswaggle.net, distance = 10
> > setup: mx is a mailscanner box that forwards good mail to
> > mail.hogswaggle.net. "mail" is not configured to accept mail from
> > anyone but: the "mx" server, and anyone who is successfully
> > smtp-auth'ed.
> >
> > reality: we see incoming spam connections coming in on
> > mail.hogswaggle.net although this is neither posted publicly, nor has
> > it ever been posted in any mx record.
> >
> > That leads me to believe that spammers are taking
> > "bobsmith at hogswaggle.net" and targeting username @ and then prepending
> > "mail." target domain and attempting the connection there.
> >
> > Not sure if anyone else has seen this or not, but I definitely have on
> > more than one of my domains.
> >
> > -Angelo
> Might be harvested from the Received: lines, no? From a mailing list
> or some such?
> Wouldn't be completely infeasible:)
>
Just to clarify, I'm not telling you to "doctor" your Received lines,
just pointing to a potential/intentional "leak" of such information.
One _could_ make sure those Received lines were ... not there... but
then one would be breaking one of the few cardinal rules of the RFC...
Not that that would stop some from doing it (nor should it!;) ... :-).

Once the $ENTRAPPED_SPIRIT has left the $CONTAINER ... there's not
much to do. Depending on your userbase, you could perhaps make a "clean
sweep"... Change the IP on the backend mail host, firewall port 25 and
tell them to use your nice pre-configured package .... Really yucky
option, I know:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
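A worked illustration of the Received: leak Glenn points at, added here as an example and not part of either post: the script walks a message's Received: headers and reports every hostname under the domain that is not a published MX, plus any RFC 1918 address that appears in brackets. Those are exactly the tokens a harvester could lift from a list archive to skip the MX and connect to the backend directly. The message, the domain and the MX set are constructed for the example (they follow the hogswaggle.net anecdote above); the hostnames, ids and addresses in it are made up.

```python
"""Spot backend hostnames and RFC 1918 addresses leaking through Received: headers.

Added example for the thread above; the message below is constructed for
illustration and is not a real list post.
"""
import email
import ipaddress
import re

# Constructed sample: a list post relayed mail -> mx -> list server, which
# records the backend "mail." host and the submitting workstation on the way.
SAMPLE_MESSAGE = """\
Received: from mx.hogswaggle.net (mx.hogswaggle.net [203.0.113.10])
    by lists.example.org (Postfix) with ESMTP id 4F2C1
    for <mailscanner@lists.example.org>; Wed, 25 Jul 2007 09:00:01 +0100
Received: from mail.hogswaggle.net (mail.hogswaggle.net [192.168.5.25])
    by mx.hogswaggle.net (MailScanner) with ESMTP id 7A9B2;
    Wed, 25 Jul 2007 08:59:58 +0100
Received: from [192.168.5.42] (bobs-pc.hogswaggle.net [192.168.5.42])
    (authenticated bits=0)
    by mail.hogswaggle.net (Postfix) with ESMTPSA id 1C3D4;
    Wed, 25 Jul 2007 08:59:55 +0100
From: bobsmith@hogswaggle.net
To: mailscanner@lists.example.org
Subject: test

body
"""

# Assumed published MX set for the domain (matches the anecdote in the thread).
PUBLISHED_MX = {"mx.hogswaggle.net", "fake.hogswaggle.net"}

# Explicit RFC 1918 ranges; ipaddress.is_private would also flag the
# documentation ranges (203.0.113.0/24 etc.), which is not what we want here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOST_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_lines(raw):
    """Return every Received: header of the message, unfolded onto one line."""
    msg = email.message_from_string(raw)
    return [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]


def leaked_hosts(raw, domain, published_mx):
    """Hostnames under `domain` that appear in Received: but are not a
    published MX, plus any bracketed RFC 1918 address. Either one tells a
    harvester where the backend lives."""
    hosts, addrs = set(), set()
    suffix = "." + domain.lower()
    for line in received_lines(raw):
        for name in HOST_RE.findall(line):
            name = name.lower()
            if name.endswith(suffix) and name not in published_mx:
                hosts.add(name)
        for ip in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if any(addr in net for net in RFC1918):
                addrs.add(ip)
    return {"hosts": sorted(hosts), "rfc1918": sorted(addrs)}


if __name__ == "__main__":
    # Prints the backend host, the workstation and both internal addresses.
    print(leaked_hosts(SAMPLE_MESSAGE, "hogswaggle.net", PUBLISHED_MX))
```

Run it against a message pulled from your own outbound queue or a public list archive and the report is the list of names you would rather the spammers did not have; if it is non-empty, the "clean sweep" Glenn describes (renumber the backend, firewall port 25) is the only way to take the leaked name out of circulation.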


More information about the MailScanner mailing list