Hi Pat: >> The fix is for the client to firewall block IPs that aren't mine but this doesn't feel right. <<
Why not? If INDEED their IP address is not listed on any domain's MX record, then this server should indeed only accept contacts from your IP range. Any other contact is either a SPAM, dictionary, virus or hack attack. Not only does it feel right - but it is recommended practice to block ANY ports (and/or addresses) that are not used for legitimate purposes on a particular machine.

As far as that server still being used..., yes, that is somewhat unusual. However, possible explanations include that the machine is or once was an open proxy, an open relay (and thus is traded between spammers as a known friendly entity), or, that the client has OTHER domain names that may have MX records pointing to this server.

Finally, without knowing the domain names, we even have to allow for the fact, that not all authoritative name servers have current and valid zone information.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

http://www.HM-Software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Friday, July 18, 2003 05:36 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Musical MX Records

I run a gateway configuration with clients changing their entire MX record to my servers, which in turn point back to the client's server. In this way, clients don't need to change anything else on their end and everyone is happy. The original email server stays wide open and no one is the wiser, until:

A client changed their MX record away from me, then later back to me (they tried to go it alone). Since then, spammers have been sending some spam directly to their server, ignoring the MX record and bypassing my servers/filters altogether.
I wasn't too worried about it until it happened again: a different client's ISP accidentally changed the MX record, then switched it back - and spam started going around.

The fix is for the client to firewall block IPs that aren't mine but this doesn't feel right. Is there something about DNS/MX switching that might explain how a spammer was able to target a client's IP address based solely on an on/off/on record change?

Thanks
Dan

On Friday, July 18, 2003 10:22, Russ Uhte <[EMAIL PROTECTED]> wrote:
>
>>What is happening here is that the spammer is using their own software
>>("spamware") to send the spam. Knowing that many people don't scan E-mail
>>that comes through their backup mailserver(s), their spamware chooses to
>>try the backup mailservers first.
>>
>>If your Exchange server isn't running any anti-spam or anti-virus, I
>>would recommend removing it from the MX record.
>
>Here's my .02. Usually this spamware will do a normal DNS lookup and
>choose the MX record with the highest priority (which is wrong.) Make a
>4th MX record that has the highest priority, and point it at your primary
>mail server. This will usually trick the spamware into sending to your
>primary mail server, and still keep your redundancy with real
>mailservers!!
>
>-Russ
>
>
>---
>[This E-mail was scanned for viruses by Declude Virus
>(http://www.declude.com)]
>
>---
>This E-mail came from the Declude.JunkMail mailing list. To
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
>"unsubscribe Declude.JunkMail". The archives can be found at
>http://www.mail-archive.com.
>
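The restriction discussed in this thread (the client's server accepting SMTP only from the gateway's IP range) can be checked against the server's own connection log before the firewall rule goes in. This is an added example, not part of the original messages; the gateway range, log format and addresses are constructed, and the rule strings are descriptive text, not any firewall's syntax.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the filtering gateway's address range (documentation range, constructed).
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample of inbound SMTP connections logged on the client's mail server.
# The line format is hypothetical; adapt CONNECT_RE to the real server's log.
SAMPLE_LOG = """\
2003-07-18 10:01:12 SMTP connect from 192.0.2.5 helo=gw1.example.net
2003-07-18 10:03:40 SMTP connect from 203.0.113.77 helo=mail.example.org
2003-07-18 10:04:02 SMTP connect from 192.0.2.6 helo=gw2.example.net
2003-07-18 10:09:55 SMTP connect from 203.0.113.77 helo=mail.example.org
2003-07-18 10:15:31 SMTP connect from 198.51.100.9 helo=[198.51.100.9]
2003-07-18 10:16:00 SMTP connect from unknown helo=x
"""

CONNECT_RE = re.compile(r"SMTP connect from (\S+)")

def is_gateway(addr, nets=GATEWAY_NETS):
    """True when addr falls inside one of the gateway's networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a non-IP token
    return any(ip in net for net in nets)

def bypass_sources(log_text, nets=GATEWAY_NETS):
    """Count SMTP connections per source IP that did not arrive via the gateway."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            if not is_gateway(m.group(1), nets):
                hits[m.group(1)] += 1
        except ValueError:
            continue  # unparsable source field: skip rather than miscount
    return hits

def firewall_allowlist(nets=GATEWAY_NETS, port=25):
    """Describe the allow-gateway-then-deny policy as ordered rule strings."""
    rules = [f"allow tcp from {net} to any port {port}" for net in nets]
    rules.append(f"deny tcp from any to any port {port}")
    return rules

if __name__ == "__main__":
    for src, n in bypass_sources(SAMPLE_LOG).most_common():
        print(f"direct delivery bypassing gateway: {src} ({n} connections)")
    print("\n".join(firewall_allowlist()))
```

Sources that show up in the bypass count are worth checking against the other explanations raised in the reply above (other domains whose MX records point at the server, stale zone data) before the deny rule is applied.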
