Charles Gregory wrote:
> On Mon, 4 May 2009, Michael Scheidell wrote:
>> No, actually, 'exampleBETA.tld' is invalid.
>> (hint: without real domain names, no one can help you)
>
> I believe my descriptions are sufficiently precise that knowing the
> actual domain names is irrelevant. However, you may substitute
> 'hwcn.org' for 'alpha' and 'torfree.net' for 'beta' if you wish to test
> any ideas.
>
>> It could be any number of things.. Is 'exampleBETA.tld' an A record
>> for the DNS servers? Are the DNS servers A records for the MX records?
>
> You may presume any combination of A records and CNAME records you wish.
> All MX records for torfree.net point to 'mail.torfree.net' (beta). So a
> spammer (or anyone else) could only end up trying to make an SMTP
> connection to *my* (hwcn.org|alpha) mail server by doing something
> 'stupid' with the tertiary DNS server entry on the registration for
> torfree.net - either:
>
> 1) Looking up the "A" record for the tertiary, and just using that, or,
> 2) Making note of the *name* of our domain (hwcn.org) on the tertiary
> listing and looking up our MX by name, in *hopes* that it will accept
> mail for 'torfree.net'.
>
> As our MX and DNS are the same server, I wouldn't be able to tell the
> difference between the two....

Maybe the spammer didn't pay for the "premium" spamware version ;-p

> Naturally, our server says 'relaying denied', but I see this sort of
> 'illegal' lookup of an SMTP server as a great honeypot opportunity...

Yes. Just from the MTA logs, you get a list of IPs to "suspect" (at least). If you accept their mail, you get more.