Re: [Asrg] Spammer proxies using legitamate mail relays
James Lick <jlick at drivel.com> wrote:
>
>It looks at the hostname of the proxy, e.g. adsl-63-29.someisp.com,
>looks up the MX for someisp.com and sends through that. This has a few
>problems in that the domain of the ISP's clients and the domain of their
>e-mail infrastructure could be different. Also MX is for incoming
>email, not necessarily outgoing email. An ISP which blocked their
>client systems from sending out through the incoming MX could defeat
>this until the software gets smarter.

We observed this attack in September. I'm not sure if the machine being
used by the spammers was a zombie or an open SOCKS proxy - I think the
latter, based on information from an external blacklist and based on
our fairly effective anti-virus protection. Fortunately earlier last
year I had split our MX and our smarthost so I could lock down the MX
properly. I very much recommend that others do so too.

The next pro-active defence is to add some kind of rate limiting...

Tony.
--
f.a.n.finch <dot at dotat.at> http://dotat.at/
SHETLAND ISLES: SOUTHWEST 6 OR 7, OCCASIONALLY GALE 8 AT FIRST, VEERING WEST 4
OR 5, OCCASIONALLY 6 IN NORTH WEATHER: RAIN CLEARING TO OCCASIONAL SHOWERS
VISIBILITY: MODERATE BECOMING MAINLY GOOD. ROUGH BECOMING VERY ROUGH IN WEST
AND NORTH
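
The split between incoming MX and outgoing smarthost described in this message, with a per-client limit on the smarthost, can be modelled as below. This is an added example, not code from the post or from any mail server; the domain, address ranges, limit, window and decision strings are constructed assumptions, and the sliding window is only one possible form of the rate limiting the message mentions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample values (assumptions, not from the original message).
LOCAL_DOMAINS = {"example.org"}
CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def is_client(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLIENT_NETS)

def mx_decision(client_ip, rcpt):
    """Incoming MX: deliver for local domains only. The client address is
    deliberately ignored, so our own client hosts get no relay rights here."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return "accept" if domain in LOCAL_DOMAINS else "reject-relay"

class Smarthost:
    """Outgoing relay: client networks only, sliding-window limit per client."""
    def __init__(self, limit=3, window=60):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # client ip -> accepted timestamps

    def decision(self, client_ip, now):
        if not is_client(client_ip):
            return "reject-not-client"
        q = self.seen[client_ip]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget messages that fell out of the window
        if len(q) >= self.limit:
            return "defer-rate-limit"
        q.append(now)
        return "accept"

def replay(events, smarthost):
    """Apply the policy to (time, host, client_ip, rcpt) events in order."""
    return [mx_decision(ip, rcpt) if host == "mx" else smarthost.decision(ip, t)
            for t, host, ip, rcpt in events]

# Constructed events: a client host trying the MX as a relay, then the smarthost.
SAMPLE = [
    (0, "mx", "192.0.2.29", "someone@elsewhere.example"),
    (1, "mx", "198.51.100.7", "user@example.org"),
    (2, "smarthost", "192.0.2.29", "a@elsewhere.example"),
    (3, "smarthost", "192.0.2.29", "b@elsewhere.example"),
    (4, "smarthost", "192.0.2.29", "c@elsewhere.example"),
    (5, "smarthost", "192.0.2.29", "d@elsewhere.example"),
    (70, "smarthost", "192.0.2.29", "e@elsewhere.example"),
    (71, "smarthost", "198.51.100.7", "f@elsewhere.example"),
]
```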