I found out something interesting a few days ago. I have a mail gateway configured for an older domain that I don't use any more. The domain was at one time posted for sale, so I changed the NS entries and deleted my original MX entries. The NS records at the new registrar were populated with the domain reseller's nameservers.
I was a bit surprised that when I logged into my mail gateway, I was still collecting hundreds of emails, even though the MX record had been removed months ago.
So what this tells me:
1: the spammer builds a mail delivery mapping that does not use a DNS MX record
2: or they cache the last successful delivery by mail-gateway IP address and keep reusing that address
So in my case, the only way to stop receiving this spam mail was for me to shut down the gateway or remove the domain (xyz) from the gateway's accept-mail-for domain list.
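One way to tell those two cases apart from the gateway side, as an added example that is not part of the original post: a standards-following sender that finds no MX record falls back to the domain's own A/AAAA record (the implicit MX of RFC 5321), and a null MX (RFC 7505) tells it not to deliver at all, so mail still landing on the old IP is either that A-record fallback or a stale cached destination. The DNS view, the log format and every address below are constructed for the example.

```python
import re
from collections import Counter

# Constructed DNS view standing in for live lookups (made-up zone data).
# RFC 5321 s5.1: no MX -> the domain's own A/AAAA is the implicit MX.
# RFC 7505: a single MX of "." (null MX) -> the domain accepts no mail.
DNS_VIEW = {
    "old-example.test":    {"MX": [], "A": ["203.0.113.10"]},   # MX deleted, A still at gateway
    "parked-example.test": {"MX": [], "A": ["198.51.100.5"]},   # A moved to reseller parking host
    "nomail-example.test": {"MX": ["."], "A": ["203.0.113.10"]},
    "mail-example.test":   {"MX": ["mx1.mail-example.test"], "A": []},
    "mx1.mail-example.test": {"MX": [], "A": ["203.0.113.20"]},
}

def expected_delivery_hosts(domain, dns=DNS_VIEW):
    """IPs a standards-following MTA would deliver this domain's mail to."""
    rec = dns.get(domain, {"MX": [], "A": []})
    if rec["MX"] == ["."]:            # null MX: no legitimate delivery at all
        return set()
    targets = rec["MX"] or [domain]   # implicit MX: fall back to the domain itself
    return {ip for t in targets for ip in dns.get(t, {"A": []})["A"]}

# Constructed gateway log lines in a made-up one-line-per-recipient format.
SAMPLE_LOG = """\
2024-06-01T10:00:02 rcpt=sales@old-example.test sender=x@spam.example client=192.0.2.44 dst=203.0.113.10
2024-06-01T10:05:09 rcpt=info@parked-example.test sender=y@spam.example client=192.0.2.45 dst=203.0.113.10
2024-06-01T10:07:11 rcpt=bob@mail-example.test sender=a@b.example client=198.51.100.77 dst=203.0.113.20
2024-06-01T10:09:30 rcpt=old@nomail-example.test sender=z@spam.example client=192.0.2.46 dst=203.0.113.10
"""
LINE_RE = re.compile(r"rcpt=[^@\s]+@(\S+) sender=(\S+) client=(\S+) dst=(\S+)")

def classify_deliveries(log_text, dns=DNS_VIEW):
    """Label each delivery 'mx' (normal), 'implicit-mx' (A-record fallback)
    or 'stale' (destination that DNS no longer advertises, i.e. a cached IP)."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        domain, sender, client, dst = m.groups()
        if dst in expected_delivery_hosts(domain, dns):
            label = "mx" if dns.get(domain, {"MX": []})["MX"] else "implicit-mx"
        else:
            label = "stale"
        results.append((domain, sender, client, label))
    return results

def stale_clients(results):
    """Count, per sending client IP, deliveries that used a stale destination."""
    return Counter(client for _, _, client, label in results if label == "stale")
```

A domain whose A record still points at the gateway shows up as implicit-mx, which is legitimate fallback rather than spammer caching; only the stale rows support the cached-IP theory.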
Before I go that far, I'm going to harvest a few sender addresses and build a pie chart of the GEO locations these senders sit at. This would be a great project for a honeypot.
Stay tuned.
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \