Ha! I tried posting some log lines and they got rejected because of SURBL hits! :)
Here goes again... remove the capital X from domain names and IP addresses :)

On Thu, 03 Feb 2011 16:51:15 -0500
Adam Moffett <adamli...@plexicomm.net> wrote:

> That's an interesting point of view. It was suggested on this list
> fairly recently to publish a fake secondary MX as a way to reduce
> spam. The stated reason being that some spamming software hits the
> backup MX first and if that doesn't work will give up without trying
> any others.

Right, but if you use an RFC-1918 address and your main MX's are down
for some reason, your mail might end up in some stranger's hands...
think about it.

> Out of curiosity, did you start blocking those because you saw that
> as a pattern in spam email or is it more a matter of principle?

Definitely a spam pattern. Some logs with private info scrubbed
(these all publish an MX resolving to 127.0.0.1):

2011-01-03T00:04:18.230501-05:00 p0354G2P030889: what=rejected, city=Ludhiana, country_code=IN, detail=127.0.0.1;127.0.0.1, reason=bogus-mx, relay=117X.199X.111X.187X, sender=talky479187decont...@partenairex-entreprisex.frx

2011-01-03T08:03:36.235357-05:00 p03D3Y9k030611: what=rejected, city=Johannesburg, country_code=ZA, detail=127.0.0.1, reason=bogus-mx, relay=196X.215X.88X.81X, sender=viagra.pro....@mblnewsx.dex

2011-01-03T08:04:03.403712-05:00 p03D42YQ030797: what=rejected, city=Caransebes, country_code=RO, detail=127.0.0.1, reason=bogus-mx, relay=89X.123X.32X.95X, sender=cannery393905extradita...@northwest-winex.comx

Those all look pretty spammy to me. We also see some that publish an
MX resolving to 255.255.255.255.

Even the RFC-1918 ones look pretty bogus to me from our logs. Example:

2011-01-06T03:27:39.901570-05:00 p068RbjC030855: what=rejected, country_code=GB, detail=172.31.32.250, reason=bogus-mx, relay=109X.169X.41X.89X, sender=esantaf...@hitlocodirectx.comx

Regards,

David.
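
A sketch of the bogus-MX test the logs above record, added here as an example and not part of the original post or of the poster's filter. It classifies the addresses a sender domain's MX hosts resolve to; the function names, the `require_all` switch, the reject-on-any policy and the sample domains are all assumptions.

```python
import ipaddress

# Ranges that cannot be a publicly reachable mail exchanger. Labels follow
# the cases named in the post: 127.0.0.1, 255.255.255.255, RFC-1918.
BOGUS_NETS = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("broadcast", ipaddress.ip_network("255.255.255.255/32")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
]


def classify(addr):
    """Return the bogus category for one resolved MX address, or None."""
    ip = ipaddress.ip_address(addr)
    for label, net in BOGUS_NETS:
        if ip in net:
            return label
    return None


def check_mx(mx_addrs, require_all=False):
    """Decide on a sender domain from the addresses its MX hosts resolve to.

    Assumed policy: reject when any MX address is bogus; with
    require_all=True, reject only when every MX address is bogus.
    Returns (what, detail); detail joins the bogus addresses with ';'.
    """
    bogus = [a for a in mx_addrs if classify(a)]
    hit = bool(bogus) and (len(bogus) == len(mx_addrs) or not require_all)
    return ("rejected", ";".join(bogus)) if hit else ("accepted", "")


# Constructed sample: domain -> addresses its MX records resolved to.
SAMPLE = {
    "loopback.example": ["127.0.0.1", "127.0.0.1"],
    "broadcast.example": ["255.255.255.255"],
    "private.example": ["172.31.32.250"],
    "mixed.example": ["198.51.100.25", "10.0.0.5"],
    "normal.example": ["198.51.100.25"],
}

if __name__ == "__main__":
    for domain, addrs in SAMPLE.items():
        what, detail = check_mx(addrs)
        print(f"{domain}: what={what}, detail={detail}")
```

The `mixed.example` entry is the fake-secondary-MX case from the quoted text: it is rejected under the assumed default and accepted with `require_all=True`.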