Comments on: Spammers use old MX records

by: Spam Huntress » Blog Archive » Scating on the edge

Thu, 17 Nov 2005 12:51:35 +0000

[…] am Huntress The Norwegian Spam Huntress - Ann Elisabeth « Spammers use old MX records Scating on the edge I got t […]

by: Lemat

Tue, 15 Nov 2005 10:16:55 +0000

as you said - spammers are often looking for hostnames like:
smtp.egzample.tld
mxs.egzample.tld
relay.egzample.tld
gate.egzample.tld
and few other. They are not caching them (AFAIK).
As you described above - it works for them - they are bypasing filters located on the main MXes and sending spam directly to the unprotected POP3 server.

by: kaeng

Tue, 15 Nov 2005 08:09:45 +0000

Matthias: Thank you, now I get it.

by: Newby-spamer

Tue, 15 Nov 2005 04:27:21 +0000

Its very interesting to read your blog. Just like some school for spamers. I guess about 80% of your readers is spamers. I even don’t know is your blog more useful for spamers or for antispamers =)

by: Search Engines Web

Tue, 15 Nov 2005 04:08:21 +0000

The Pay Pal Emails are now so well developed - it is VERY frustrating knowing that people ARE going to be deceived…

Started a Pay Pal Hall of FAME
http://www.techspot.com/vb/topic37131.html

BTW:
could not even call Yahoo Domains to report them - with Go Daddy it was no problem

Oh well….

by: Matthias Leis

Mon, 14 Nov 2005 20:53:14 +0000

I guess the POP3-stuff is somewhat confusing “kaeng”. In a nutshell, the original posting says that some spammers are caching MX (and most likely other DNS records) for too long.

This is a good thing since they will blast some portion of their junk into nowhere land or a training/spamtrap system, as described above where the POP3 server also has an SMTP server where the MX records *used* to point to.

I can confirm this behaviour for our beloved Vanessa. It took the spammer well over a month to discover the new MX records on a couple of domains. Just when I thought that she had deceased, she popped right up again.

by: Administrator

Mon, 14 Nov 2005 20:34:12 +0000

MX records are the mail part of DNS records. It’s what mail servers use to determine where to send mail meant for a domain.

The POP3 server is the server that has user mailboxes on it.

This particular POP3 server is capable to receiving mail as well as delivering it. It reacts to received mail as though it’s the authoritative server for that domain, no matter where it gets the mail frm. With a different setup, that might not be the case. For instance, a POP3 server may be set up to only receive mail from the SMTP gateways - they receive the mail and then send it on via SMTP to the POP3 server.

The POP3 server originally had the MX records. The MX records were then changed to point to the SMTP gateway. They were then changed again to point to a test server, which is where I conduct the Spamassassin tests that I’m talking about here.

For better explanations, see the Explanation of terms page. I put some links to Wikipedia articles on MX and DNS there.

by: kaeng

Mon, 14 Nov 2005 19:12:38 +0000

Sorry, but I don’t get your point. I don’t understand the whole setup. Which server is/was the MX? How are spammers using POP3 for sending mails? From where does the spam come from? Are they using a MX from a DNS record?

Again, sorry. I just don’t get it. Could you please clarify your post? Thanks!