Tuesday, January 6, 2015

Spammers send mail with no installed MX record

I found out something interesting a few days ago. I have a mail gateway configured for an older domain that I don't use any more. The domain was at one time posted for sale, so I changed the NS entries and deleted my original MX entries. The new registrar populated the NS entries with the domain reseller's nameservers.

I was a bit surprised that when I logged into my mail gateway, I was still collecting hundreds of emails, even though the MX record had been removed months ago.

So what this tells me:

1: the spammer builds a mail delivery mapping that does not use a DNS MX record

2: or they cache the last successful delivery by mail-gateway IP address and keep reusing that address

So in my case, the only way to stop receiving this spam mail was for me to shut down the gateway or remove the domain (xyz) from the gateway's accept-mail-for list.
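For readers who want to check what a standards-following sender would actually do with a domain in this state, the script below is an added example (not part of the original post or its author's setup). It encodes the delivery-target rule from RFC 5321 section 5.1: use the MX hosts ordered by preference; if no MX exists at all, fall back to the domain's own A/AAAA record (the "implicit MX"); and, per RFC 7505, a single MX of "." (null MX) means the domain accepts no mail and delivery must fail outright. The zone data is a constructed in-memory dict with hypothetical names so the script runs offline; swap in real DNS lookups to test a live domain.

```python
"""Which host does an SMTP sender try for a given domain?

Implements the target-selection rule of RFC 5321 section 5.1 plus the
null-MX convention of RFC 7505. Added example; the ZONES dict is a
constructed stand-in for DNS answers (hypothetical names, not real hosts).
"""
from typing import Dict, List, Tuple

# Constructed sample zones. Keys are record types, values are the answers.
# MX answers are (preference, exchange) tuples as they would come back from DNS.
ZONES: Dict[str, Dict[str, list]] = {
    # Normal mail domain: two MX hosts, listed out of preference order.
    "example.test": {
        "MX": [(20, "mx2.example.test."), (10, "mx1.example.test.")],
        "A": ["192.0.2.10"],
    },
    # MX records deleted but an A record remains: implicit MX applies, so a
    # sender still connects to whatever that A record points at.
    "parked.test": {
        "A": ["192.0.2.20"],
    },
    # Null MX (RFC 7505): the owner states the domain accepts no mail.
    "nomail.test": {
        "MX": [(0, ".")],
    },
    # Nothing resolvable at all: delivery must fail.
    "gone.test": {},
}


def delivery_targets(domain: str, zone: Dict[str, Dict[str, list]] = ZONES) -> List[str]:
    """Return the hosts an RFC 5321 sender would try, in order.

    An empty list means "no delivery possible" (null MX or no usable records).
    """
    records = zone.get(domain, {})
    mx: List[Tuple[int, str]] = records.get("MX", [])

    if mx:
        # RFC 7505: exactly one MX with preference 0 and exchange "." is a null
        # MX. The sender must not fall back to A/AAAA; it rejects the address.
        if len(mx) == 1 and mx[0][1] == ".":
            return []
        # Lowest preference value is tried first (ties keep stable order).
        return [host for _, host in sorted(mx, key=lambda rec: rec[0])]

    # RFC 5321 5.1: no MX at all -> treat the domain itself as the mail host if
    # it has an address record. Removing MX records alone does not stop mail.
    if records.get("A") or records.get("AAAA"):
        return [domain.rstrip(".") + "."]

    return []


def accepts_mail(domain: str, zone: Dict[str, Dict[str, list]] = ZONES) -> bool:
    """Convenience wrapper: does a standards-following sender have anywhere to connect?"""
    return bool(delivery_targets(domain, zone))


if __name__ == "__main__":
    for name in ZONES:
        print(f"{name:15} -> {delivery_targets(name) or 'no delivery'}")
```

The practical caveat this shows: deleting the MX records is not the same as telling the world "this domain takes no mail". As long as the domain still resolves to some address, a sender that follows the RFC keeps a delivery path; publishing a null MX ("MX 0 .") is the DNS-side way to close it, and senders that ignore DNS entirely, as the post suspects, are only stopped at the gateway itself.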

Before I go that far, I'm going to harvest a few sender addresses and build a pie chart of the geo-locations these senders sit at. This would be a great project for a honeypot.

Stay tuned.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       /  \
