"Alan J. Flavell" <[EMAIL PROTECTED]> said, in message [EMAIL PROTECTED]:

> [1] Incidentally, we had some clear evidence that spammers keep old
> lists of MX lookups, instead of looking-up in real time - so it could
> be beneficial to regularly change one's MX IPs, and letting them try
> to offer the mail to last month's IP which has now gone away ;-)

I've been meaning to do something like this for a while. The corollary would be, after moving the IP, to firewall the old IP and watch the firewall logs. Anyone hitting the old IP (after some reasonable grace period) on port 25 is pretty much bound to be a spammer/zombie and can be added to a local blacklist.

Out of interest, I knocked together that part of the code yesterday morning. It actually looks for ALL blocked port 25 probes against our site. The blacklist now holds 308 IP addresses that have tried to talk to our old MX IPs. The old IPs were removed from our MX record in September 2003!

Another interesting finding is that 462 IP addresses have tried to talk to machines which are listed in the A record for aber.ac.uk. These have also been added to the blacklist, but I can't decide whether that's a good thing to do (is there ANY legitimate reason to hit the A record rather than the MX record?!).

The blocklist now contains 1911 records, gathered in 23 hours. It's tempting to make it into some form of DNSBL actually...

Cheers,
Alun.

p.s. Make that 1915 entries - 4 more appeared while I was proofreading this!

--
Alun Jones  [EMAIL PROTECTED]
Systems Support, (01970) 62 2494
Information Services,
University of Wales, Aberystwyth
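
The log-watching step described in the message above, as an added example that is not part of the original post and is not the poster's code: it narrows the idea to blocked TCP/25 probes against retired MX addresses after a grace period. The log format, the addresses (documentation ranges), the grace-period date and the function name are all assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed values: retired MX addresses (documentation ranges) and an
# assumed end of the grace period after they left the MX record.
OLD_MX_IPS = {"192.0.2.10", "192.0.2.11"}
GRACE_ENDS = datetime(2003, 10, 1)

# Constructed sample log in an iptables-like KEY=VALUE style (an assumption).
SAMPLE_LOG = """\
2003-09-20T08:00:01 fw BLOCK IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25
2004-02-03T09:14:22 fw BLOCK IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=25
2004-02-03T09:14:25 fw BLOCK IN=eth0 SRC=203.0.113.45 DST=192.0.2.11 PROTO=TCP DPT=25
2004-02-03T10:02:11 fw BLOCK IN=eth0 SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP DPT=80
2004-02-04T01:30:00 fw BLOCK IN=eth0 SRC=198.51.100.23 DST=192.0.2.50 PROTO=TCP DPT=25
2004-02-04T02:45:10 fw BLOCK IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP DPT=25
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def old_mx_blocklist(log_text, old_ips=OLD_MX_IPS, grace_ends=GRACE_ENDS):
    """Return {source IP: hit count} for blocked TCP/25 probes to retired MX IPs."""
    hits = {}
    for line in log_text.splitlines():
        stamp, _, rest = line.partition(" ")
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # no parsable timestamp: not a firewall record
        fields = dict(FIELD.findall(rest))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue  # only SMTP probes are of interest
        if fields.get("DST") not in old_ips or when < grace_ends:
            continue  # current hosts, or still inside the grace period
        try:
            src = str(ipaddress.ip_address(fields.get("SRC", "")))
        except ValueError:
            continue  # never put a malformed address on the list
        hits[src] = hits.get(src, 0) + 1
    return hits

if __name__ == "__main__":
    for ip, count in sorted(old_mx_blocklist(SAMPLE_LOG).items()):
        print(ip, count)
```

The first sample line falls inside the grace period and is not counted, so a sender working from a stale DNS cache right after the move is only listed if it is still trying later.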
