Christopher Bort wrote:
This is really not a SpamAssassin issue, but since this list is
populated by people who are interested in spammer behavior, I'm throwing
it out for comment. If it's too far off topic, my apologies and I'll let
it go at that.
At $DAYJOB I run a mail server and a name server for several domains,
both our own and for clients. At home, I run a mail server and a name
server for a couple of personal domains. The home name server is a slave
for most of the domains hosted at $DAYJOB. The home mail server is _not_
configured to handle mail for any of the $DAYJOB domains and it is _not_
an MX for any of those domains. The only connection is that it is an NS
for the $DAYJOB domains. These domains _do_ have $DAYJOB mail server as
their MX.
For a while now, I've been seeing attempts to send mail to the home
server for addresses in $DAYJOB domains. This is not a problem since the
volume is low and they are being properly rejected as third-party relay
attempts (authentication required - relay not permitted). However, the
fact that someone is apparently trying to send mail to an NS instead of
an existing MX has piqued my curiosity. It looks like it's all spam (the
sender addresses tend to support that). So, has anyone else seen this
sort of behavior and what could be the rationale for trying to deliver
mail to an NS like this?
it's the same as port scans. they look for open relays. they don't care
if the host is an MX, an NS, a www or anything. they just connect to the
IP and try to relay. I've seen this on hosts that "nobody should have
known about".
On the other hand, I also see attempts to connect to A hosts (thus
ignoring MX definitions) and to old MXes. This is different as there is
no relay attempt.
