At 12:40 AM 4/5/2005 +0200, you wrote:

> Abigail Marshall wrote:
>
>> I have a question. I have a domain on a VPS1 -- we'll call it mydomain.com. About 10 months ago, I changed MX records to VPS2, which is named mail.mydomain.com -- mydomain.com has been removed from the local-host-names file on the VPS1 and I have had no problem receiving email sent to mydomain.com.
>>
>> I just noticed that the messages file on the VPS1 has a significant number of "User unknown" bounce messages for mail to the main email addresses at mydomain.com - for purposes of discussion we'll call it sales@xxxxxxxxxxxx. However, these look like they are coming from spammers, not legit emailers. They have weird combinations of letters in the return email address - fhj521@xxxxxxx or feipo1230@xxxxxx - or come from ISPs in China. I have never had any complaint of mails to sales@xxxxxxxxxxxx not getting to their intended recipient.
>>
>> So my question is - technically speaking - is there a way that spammers get around or avoid MX records, connecting directly with the server on the basis of host name? I basically want to know how this mail is getting to the mydomain.com server in the first place. (Of course, it's fine with me if all the spam mail bounces, but I'm still curious, in part because I'm wondering if there is any way legit mail could also end up coming to the mydomain.com server - rather than being routed by MX records to mail.mydomain.com. (NOTE: there is only ONE MX record specified for this domain)
>>
>> -Abigail
>
> Hi,
>
> I saw this kind of thing also. I moved a domain to a VPS v2 and was still getting messages for the account days after the MX move.
>
> I bet that, to have less burden on their DNS, spammers use a TTL of a very large value (perhaps a month old), betting that records do not change often, and then simply directly hit the IP in memory. At least this was my thinking, as 100% of the received emails were spam and normal mails were getting to the VPS v2 just fine.
>
> Best regards, Ghislain.
The weird combinations are "dictionary" type attacks on random addresses, presumably hoping to slip through to a catchall or postmaster. Why spammers think that anyone handling catchall or postmaster mail would be taken in by it any more is beyond me.
I've seen this spamming technique on VPS1s as well - mailing directly to the server, ignoring the MX records. I originally assumed all such mail was spam, but that is not always so.
The way I handle this (for my clients who pay for the service) is as follows: I route all emails (using MX10) through a separate server which uses SpamAssassin and MailScanner to filter spam/viruses, then deliver to the server on which my client's mailbox resides. Anything which does not carry the id of that filtering server is diverted using procmailrc to postmaster@xxxxxxxx, which forces it off the server and back through the filters, where it gets disposed of automatically.
As a tiny percentage of these are "genuine" emails, they do need to be filtered and not automatically junked!
Andy
--------------------------------------------------------------------
PROTEUS - new anti-spam, anti-virus solution www.proteus.lu
FOCUS Internet Services
Domains, Design, Hosting, Custom Applications, E-Commerce
106 rue de Mersch, L-8181 KOPSTAL, Luxembourg
tel. (+352) 305 197 fax (+352) 305 188
www.focus.lu
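The check Andy describes (divert anything that did not pass through the filtering relay) is shown below as an added Python example; it is not code from this thread or from MailScanner/procmail. The hostnames, addresses and the three sample messages are constructed for illustration. The point worth seeing is that the decision must rest on the newest Received header, the one your own MTA wrote, and on the connecting IP recorded there: a sender that connects straight to the mailbox host, bypassing the MX, can forge any Received lines it likes below that one, so merely looking for the filter's name anywhere in the headers (the naive check included for contrast) can be fooled.

```python
import email
import re

# Hypothetical values constructed for this example; substitute your own relay.
FILTER_HOST = "filter.example.net"   # the MX-10 relay that runs the spam/virus filters
FILTER_IP = "192.0.2.10"             # its address as seen by the mailbox server

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(raw_message: bytes):
    """Return (from_ip, by_host) per Received header, newest (topmost) first."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(hdr.split())                 # unfold continuation lines
        from_part, _, by_part = text.partition(" by ")
        m = IPV4_RE.search(from_part)               # connecting address, if recorded
        from_ip = m.group(1) if m else None
        by_host = by_part.split()[0].rstrip(";,)").lower() if by_part else None
        hops.append((from_ip, by_host))
    return hops

def delivered_via_filter(raw_message: bytes) -> bool:
    """True only if the newest hop, written by our own MTA, came from the filter relay."""
    hops = parse_received(raw_message)
    return bool(hops) and hops[0][0] == FILTER_IP

def naive_hostname_check(raw_message: bytes) -> bool:
    """Weak check: accepts the mail if the filter's name appears in any Received line."""
    return any(by_host == FILTER_HOST for _, by_host in parse_received(raw_message))

def classify(raw_message: bytes) -> str:
    """'filtered' means deliver; 'bypassed-mx' means divert back through the filters."""
    return "filtered" if delivered_via_filter(raw_message) else "bypassed-mx"

# Constructed sample 1: legitimate path, MX relay -> mailbox server.
FILTERED = b"""Received: from filter.example.net (filter.example.net [192.0.2.10])
  by vps1.mydomain.example (Postfix) with ESMTP id ABC123
  for <sales@mydomain.example>; Tue, 5 Apr 2005 00:40:00 +0200
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
  by filter.example.net (Postfix) with ESMTP id XYZ789
  for <sales@mydomain.example>; Tue, 5 Apr 2005 00:39:58 +0200
From: customer@sender.example
To: sales@mydomain.example
Subject: order question

Hello
"""

# Constructed sample 2: sender connected straight to the mailbox host, ignoring the MX.
DIRECT = b"""Received: from unknown (HELO mx.example.cn) (203.0.113.77)
  by vps1.mydomain.example with SMTP; Tue, 5 Apr 2005 00:41:00 +0200
From: fhj521@example.cn
To: sales@mydomain.example
Subject: hi

hello
"""

# Constructed sample 3: direct connection that forged a lower Received line naming the relay.
FORGED = b"""Received: from filter.example.net (unknown [203.0.113.88])
  by vps1.mydomain.example (Postfix) with ESMTP id DEF456; Tue, 5 Apr 2005 00:42:00 +0200
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
  by filter.example.net (Postfix) with ESMTP id FAKE1; Tue, 5 Apr 2005 00:41:58 +0200
From: feipo1230@example.cn
To: sales@mydomain.example
Subject: hi

hello
"""

if __name__ == "__main__":
    for name, sample in (("FILTERED", FILTERED), ("DIRECT", DIRECT), ("FORGED", FORGED)):
        print(f"{name:9s} naive={naive_hostname_check(sample)!s:5s} decision={classify(sample)}")
```

Run as-is to see the three verdicts; the forged sample passes the naive name check but is still classed as bypassed-mx because its topmost hop records the real connecting address. In a procmail setup the same idea is expressed by matching only the first Received header against the relay's address rather than grepping the whole header block.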
====================================================================== This is <vps-mail@xxxxxxxxxxxx> <http://www.perlcode.org/lists/> Before posting a question, please search the archives (see above URL).