On 07/21/08 13:04, [EMAIL PROTECTED] (mouss) wrote:
> Christopher Bort wrote:
>> For a while now, I've been seeing attempts to send mail to the
>> home server for addresses in $DAYJOB domains. This is not a
>> problem since the volume is low and they are being properly
>> rejected as third-party relay attempts (authentication
>> required - relay not permitted). However, the fact that
>> someone is apparently trying to send mail to an NS instead of
>> an existing MX has piqued my curiosity. It looks like it's all
>> spam (the sender addresses tend to support that). So, has
>> anyone else seen this sort of behavior and what could be the
>> rationale for trying to deliver mail to an NS like this?
>
> it's the same as port scans. they look for open relays. they don't
> care if the host is an MX, an NS, a www or anything. they just connect
> to the IP and try to relay. I've seen this on hosts that "nobody
> should have known about".

But they don't seem to be randomly looking for any open relay.
If they were just looking for open relays, wouldn't you expect
to see domains in the recipient addresses that have no
connection whatsoever with the target machine? In all of the
relay attempts I'm seeing on this mail server, the recipient
addresses are in domains for which the server is an NS. I don't
see any relay attempts where that is not true, which implies, I
think, that they do care that it's an NS. It seems like they're
looking for hosts that will deliver|relay messages for specific
domains, so why don't they just use the existing MX rather than
trying an NS host with which there's no reasonable expectation
that it will relay for the target domain? I suppose they could
be looking for back doors, but that seems like it would be a
very low probability undertaking.

> On the other hand, I also see attempts to connect to A hosts (thus
> ignoring MX definitions) and to old MXes. This is different as there
> is no relay attempt.

The RFCs allow for A hosts to be tried in the absence of MX
records, so there is some rationale for that, however weak it
may be.
--
Christopher Bort
<[EMAIL PROTECTED]>
<http://www.thehundredacre.net/>
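A defender-side triage script for the question discussed above, added here as an example and not code from the thread: it parses MTA relay-reject log lines (constructed, Postfix-style; your MTA's format will differ) and tags each rejected recipient domain by what this host is for it in DNS (a real MX, NS only, or unrelated), so you can see whether a given client only probes domains the host serves as NS, as Christopher describes, or relays at random, as mouss suggests. The ROLES mapping and the log lines are assumed sample data.

```python
import re
from collections import Counter

# Constructed sample reject lines (Postfix-style format assumed; not from the thread).
SAMPLE_LOG = """\
Jul 21 12:01:03 ns1 smtpd[4111]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <bob@dayjob.example>: Relay access denied; from=<promo@spam.example> to=<bob@dayjob.example>
Jul 21 12:05:44 ns1 smtpd[4112]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <alice@dayjob.example>: Relay access denied; from=<deals@spam.example> to=<alice@dayjob.example>
Jul 21 12:09:10 ns1 smtpd[4113]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <x@other.example>: Relay access denied; from=<deals@spam.example> to=<x@other.example>
Jul 21 12:14:52 ns1 smtpd[4114]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <carol@client.example>: Relay access denied; from=<promo@spam.example> to=<carol@client.example>
"""

# Constructed: domains for which this host appears in DNS, by record type.
# In practice, populate these from your zone files or a DNS query.
ROLES = {
    "ns": {"dayjob.example", "client.example"},  # we are an NS but not an MX
    "mx": {"home.example"},                        # we are a legitimate MX
}

# Pull client IP, envelope sender and recipient out of a reject line.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\].*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def classify(domain, roles):
    """What is this host to the recipient domain? MX beats NS if both hold."""
    if domain in roles["mx"]:
        return "mx-for"
    if domain in roles["ns"]:
        return "ns-only"
    return "unrelated"

def parse_rejects(log_text):
    """Return one dict per relay-reject line; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rcpt = m.group("rcpt")
        domain = rcpt.rpartition("@")[2].lower()
        events.append({"ip": m.group("ip"), "sender": m.group("sender"),
                       "rcpt": rcpt, "domain": domain})
    return events

def summarize(log_text, roles):
    """Count rejects per role and flag clients that *only* hit NS-only domains."""
    events = parse_rejects(log_text)
    by_role = Counter(classify(e["domain"], roles) for e in events)
    per_ip = {}
    for e in events:
        per_ip.setdefault(e["ip"], set()).add(classify(e["domain"], roles))
    targeted = sorted(ip for ip, seen in per_ip.items() if seen == {"ns-only"})
    return {"by_role": dict(by_role), "targeted_ips": targeted}
```

A client that appears in targeted_ips is choosing recipients from domains this host is authoritative for, which is the pattern Christopher reports; a client whose rejects mix in unrelated domains fits the plain open-relay scan mouss describes.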