I run a gateway configuration with clients changing their entire MX record to my 
servers, which in turn point back to the client's server.  In this way, clients don't 
need to change anything else on their end and everyone is happy.  The original email 
server stays wide open and no one is the wiser, until:

A client changed their MX record away from me, then later back to me (they tried to go 
it alone).  Since then, spammers have been sending some spam directly to their server, 
ignoring the MX record and bypassing my servers/filters altogether.  I wasn't too 
worried about it until it happened again: a different client's ISP accidentally changed 
the MX record, then switched it back - and spam started going around.

The fix is for the client to firewall block IPs that aren't mine but this doesn't feel 
right.  Is there something about DNS/MX switching that might explain how a spammer was 
able to target a client's IP address based solely on on/off/on record change?  

Thanks
Dan



On Friday, July 18, 2003 10:22, Russ Uhte <[EMAIL PROTECTED]> wrote:
>
>>What is happening here is that the spammer is using their own software 
>>("spamware") to send the spam.  Knowing that many people don't scan E-mail 
>>that comes through their backup mailserver(s), their spamware chooses to 
>>try the backup mailservers first.
>>
>>If your Exchange server isn't running any anti-spam or anti-virus, I would 
>>recommend removing it from the MX record.
>
>Here's my .02.  Usually this spamware will do a normal DNS lookup and 
>choose the MX record with the highest priority (which is wrong.)  Make a 
>4th MX record that has the highest priority, and point it at your primary 
>mail server.  This will usually trick the spamware into sending to your 
>primary mail server, and still keep your redundancy with real
>mailservers!!
>
>-Russ
>
>
>---
>[This E-mail was scanned for viruses by Declude Virus
>(http://www.declude.com)]
>
>---
>This E-mail came from the Declude.JunkMail mailing list.  To
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.JunkMail".  The archives can be found
>at http://www.mail-archive.com.
>
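Added example, not part of the original thread: one way to measure how much mail reaches the client's server directly instead of through the gateway, before or after the firewall rule goes in. The gateway ranges, the log line format and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: ranges the filtering gateway delivers from (documentation ranges).
GATEWAY_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "2001:db8:10::/64")]

# Constructed sample in a hypothetical "timestamp CONNECT ip=<addr> helo=<name>" format.
SAMPLE_LOG = """\
2003-07-18T10:01:12 CONNECT ip=192.0.2.5 helo=gw1.filter.example
2003-07-18T10:01:40 CONNECT ip=198.51.100.77 helo=dsl-77.example.net
2003-07-18T10:02:03 CONNECT ip=[2001:db8:10::25] helo=gw2.filter.example
2003-07-18T10:02:31 CONNECT ip=198.51.100.77 helo=dsl-77.example.net
2003-07-18T10:03:09 CONNECT ip=203.0.113.9 helo=mail.example.org
2003-07-18T10:03:15 CONNECT ip=not-an-address helo=x
"""

# Accept bare IPv4/IPv6 literals and bracketed IPv6 literals.
CONNECT_RE = re.compile(r"CONNECT ip=\[?([^\]\s]+)\]?\s")

def is_gateway(addr):
    """True if addr belongs to one of the gateway's delivery ranges."""
    return any(addr.version == net.version and addr in net for net in GATEWAY_NETS)

def direct_deliveries(log_text):
    """Return (Counter of non-gateway source IPs, count of unparseable lines)."""
    bypass, unparsed = Counter(), 0
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            unparsed += 1
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            unparsed += 1  # never treat a malformed address as trusted
            continue
        if not is_gateway(addr):
            bypass[str(addr)] += 1
    return bypass, unparsed

if __name__ == "__main__":
    hits, bad = direct_deliveries(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}\t{n} connection(s) bypassing the gateway")
    print(f"{bad} line(s) could not be parsed")
```

Once the client's firewall only admits the gateway ranges on port 25, the same count run over new logs should drop to zero.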
