I'm doing some interesting experimenting and discovered an interesting
way to detect spam bots. It appears that spam bots cache DNS far longer
than ordinary. And that is detectable.

As you know I use several fake high numbered MX records to fool spam
bots into hitting the back door and going away. What most people don't
yet know is that isn't all I do. I actually harvest the spam, return a
fake reject 550 before the final quit (an Exim feature) and forward the
spam off to several blacklists for harvesting, including my own blacklist.

What I'm trying now is changing the high fake MX IP addresses to a
different group of fake IP addresses. My TTL is 5 hours and under normal
conditions mail servers shouldn't be hitting the fake MX at all, but what
I'm seeing is that even after the fake IPs are replaced with a new set,
spam bots continue to hit the old fake IP addresses, even several
days later.

I'm thinking that by using shifting IP patterns one could harvest
spam bot IP addresses directly into blacklists with very high confidence
that good email servers would never go to expired fake high MX records.

I'm doing it on my blacklist which has grown to about 300,000 entries,
and I only keep 3 days of data.
Who finds this concept interesting?
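As an added illustration of the idea in the post (this is example code, not the poster's own setup), the script below keeps a history of retired decoy-MX address sets and only flags a source that connects to a decoy more than one TTL after its record was pulled, so a resolver that is merely finishing out its cache is not blamed. The decoy addresses, dates and log lines are all constructed; the 5-hour TTL is the one stated in the post.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

TTL = timedelta(hours=5)  # zone TTL from the post

# Constructed history of "fake high MX" address sets:
# (decoy IPs, time the record was published, time it was retired; None = still live).
DECOY_HISTORY = [
    ({"203.0.113.10", "203.0.113.11"},
     datetime(2024, 3, 1, 0, 0), datetime(2024, 3, 4, 0, 0)),
    ({"203.0.113.20", "203.0.113.21"},
     datetime(2024, 3, 4, 0, 0), None),
]


def classify_hit(dst_ip, when):
    """Classify a connection to a decoy address at time `when`.

    'current' : the decoy record is still published (a bot, but the expiry rule
                does not apply).
    'stale'   : retired less than one TTL ago; a correctly caching resolver may
                still legitimately hold the old record, so do not flag.
    'expired' : retired more than one TTL ago; a well-behaved MTA should never
                land here.
    None      : not a decoy address at all.
    """
    for ips, start, end in DECOY_HISTORY:
        if dst_ip in ips and start <= when:
            if end is None or when < end:
                return "current"
            return "stale" if when < end + TTL else "expired"
    return None


def harvest(log_lines):
    """Parse 'ISO-timestamp src_ip dst_ip' lines; return sources hitting expired decoys."""
    flagged = set()
    for line in log_lines:
        ts, src, dst = line.split()
        if classify_hit(dst, datetime.fromisoformat(ts)) == "expired":
            flagged.add(str(ip_address(src)))  # validates and normalises the address
    return flagged


# Constructed connection log: one sender keeps using a set retired three days earlier.
SAMPLE_LOG = [
    "2024-03-03T10:00:00 198.51.100.5 203.0.113.10",  # decoy still live: 'current'
    "2024-03-04T03:00:00 198.51.100.6 203.0.113.11",  # 3h after retirement: 'stale'
    "2024-03-07T12:00:00 198.51.100.7 203.0.113.10",  # days later: 'expired'
    "2024-03-07T12:05:00 198.51.100.8 203.0.113.20",  # current decoy set
    "2024-03-07T12:06:00 198.51.100.7 203.0.113.11",  # same source again
]

if __name__ == "__main__":
    print(sorted(harvest(SAMPLE_LOG)))  # ['198.51.100.7']
```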