Spammers use old MX records
I’ve mentioned this before, but I just got a huge lesson in the importance of being aware of this:
Spammers use old MX records to try to circumvent spam filters.
Why? Let’s take a typical example:
exampledomain once had MX records that went directly to the POP3 server. Nothing wrong with that, and it was done for a specific purpose - once upon a time. Except the domain soon started picking up spam. The mailhosting company had SMTP gateway servers, designed to filter viruses and tag spam, and the incoming spam bypassed them.
So, eventually I come along and discover that this domain was a major spam magnet due to some spam runs with forged From addresses using that domain.
About two months after the MX records were changed, a lot of spam is still going through the POP3 server. It’s the final hop in the chain, so the spammers are confident it’ll reach the intended targets. Of course, most of the addresses no longer exist, but that’s another matter.
I should note that the servers previously used in the MX records still have the same names. mail.exampledomain.com or similar. They probably would have stopped using the old MX records if the names no longer resolved.
And that’s why it’s such a good test domain for testing out SpamAssassin on a separate server.
Only I couldn’t figure out why it let so many messages through without tagging them. Didn’t matter if I trained it, the same type of messages still kept coming, untagged.
The headers revealed that the messages never went near the server in the MX record.
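The header check described above, as an added example that is not from the original post: it reads the Received header that the mailbox host itself added and judges by the client IP that host logged, since the HELO name and every earlier Received header are chosen by the sender. The hostnames, gateway addresses and sample headers are constructed for the example.

```python
import email
import re

# Hypothetical names/addresses for this example; the post does not give the real ones.
MAILBOX_HOST = "mail.exampledomain.com"          # old MX target that still accepts SMTP from anyone
GATEWAY_IPS = {"192.0.2.10", "192.0.2.11"}       # addresses of the filtering SMTP gateways

# "from <helo> ... by <host>" as written by the receiving MTA in its own Received header
RECEIVED = re.compile(r"from\s+(?P<helo>\S+)(?P<middle>.*?)\bby\s+(?P<by>[A-Za-z0-9.-]+)",
                      re.IGNORECASE | re.DOTALL)
IP_IN_BRACKETS = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def last_hop(raw_message):
    """Return (helo_name, client_ip) from the Received header the mailbox host itself added.

    Headers are stored newest-first, so the first match is the hop our own MTA recorded.
    Everything below it (earlier Received headers, the HELO name) is chosen by the sender.
    """
    msg = email.message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        match = RECEIVED.search(hdr)
        if match and match.group("by").lower().rstrip(".") == MAILBOX_HOST:
            ip = IP_IN_BRACKETS.search(match.group("middle"))
            return match.group("helo").lower(), (ip.group(1) if ip else None)
    return None


def bypassed_gateway(raw_message):
    """True if the connecting client was not one of our gateways, i.e. the filter was skipped."""
    hop = last_hop(raw_message)
    if hop is None:
        return False                  # never touched the mailbox host; out of scope
    _helo, client_ip = hop            # judge by the IP our MTA logged, never by the HELO string
    return client_ip not in GATEWAY_IPS   # a missing IP is treated as not-a-gateway


# Constructed sample messages (not real spam): one via the gateway, one delivered straight in
# with a HELO that merely claims to be the gateway.
MSG_VIA_GATEWAY = """\
Received: from smtpgw1.exampledomain.com (smtpgw1.exampledomain.com [192.0.2.10]) by mail.exampledomain.com with ESMTP id A1; Mon, 14 Nov 2005 13:00:00 +0100
Received: from sender.example.net (sender.example.net [198.51.100.7]) by smtpgw1.exampledomain.com with ESMTP id B2; Mon, 14 Nov 2005 12:59:58 +0100
Subject: hello

body
"""
MSG_DIRECT = """\
Received: from smtpgw1.exampledomain.com (unknown [203.0.113.5]) by mail.exampledomain.com with SMTP id C3; Mon, 14 Nov 2005 13:05:00 +0100
Subject: Rolex

body
"""

if __name__ == "__main__":
    for name, raw in (("via gateway", MSG_VIA_GATEWAY), ("direct", MSG_DIRECT)):
        print(name, last_hop(raw), "bypassed:", bypassed_gateway(raw))
```

Run over a mailbox, the messages it flags are exactly the ones SpamAssassin on the MX host never saw, which is why retraining it there makes no difference.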
Here are some spammers that tend to use out-of-date MX records, when they work:
Various permutations of:
Rolex watches
Lots of spam from:
Vanessa J. Smith
Lots of software spam, in particular:
Office software
Adobe Photoshop
Windows XP
Looks like a pattern to me. Same spammer, or a subset of spammers?
November 14th, 2005 at 1:12 pm
Sorry, but I don’t get your point. I don’t understand the whole setup. Which server is/was the MX? How are spammers using POP3 for sending mails? Where does the spam come from? Are they using an MX from a DNS record?
Again, sorry. I just don’t get it. Could you please clarify your post? Thanks!
November 14th, 2005 at 2:34 pm
MX records are the mail part of DNS records. It’s what mail servers use to determine where to send mail meant for a domain.
The POP3 server is the server that has user mailboxes on it.
This particular POP3 server is capable of receiving mail as well as delivering it. It reacts to received mail as though it’s the authoritative server for that domain, no matter where it gets the mail from. With a different setup, that might not be the case. For instance, a POP3 server may be set up to only receive mail from the SMTP gateways - they receive the mail and then send it on via SMTP to the POP3 server.
The POP3 server originally had the MX records. The MX records were then changed to point to the SMTP gateway. They were then changed again to point to a test server, which is where I conduct the Spamassassin tests that I’m talking about here.
For better explanations, see the Explanation of terms page. I put some links to Wikipedia articles on MX and DNS there.
November 14th, 2005 at 2:53 pm
I guess the POP3-stuff is somewhat confusing “kaeng”. In a nutshell, the original posting says that some spammers are caching MX (and most likely other DNS records) for too long.
This is a good thing since they will blast some portion of their junk into nowhere land or a training/spamtrap system, as described above where the POP3 server also has an SMTP server where the MX records *used* to point to.
I can confirm this behaviour for our beloved Vanessa. It took the spammer well over a month to discover the new MX records on a couple of domains. Just when I thought that she had deceased, she popped right up again.
November 14th, 2005 at 10:08 pm
The Pay Pal Emails are now so well developed - it is VERY frustrating knowing that people ARE going to be deceived…
Started a Pay Pal Hall of FAME
http://www.techspot.com/vb/topic37131.html
BTW:
could not even call Yahoo Domains to report them - with Go Daddy it was no problem
Oh well….
November 14th, 2005 at 10:27 pm
It’s very interesting to read your blog. Just like some school for spammers. I guess about 80% of your readers are spammers. I don’t even know if your blog is more useful for spammers or for antispammers =)
November 15th, 2005 at 2:09 am
Matthias: Thank you, now I get it.
November 15th, 2005 at 4:16 am
As you said - spammers are often looking for hostnames like:
smtp.egzample.tld
mxs.egzample.tld
relay.egzample.tld
gate.egzample.tld
and a few others. They are not caching them (AFAIK).
As you described above - it works for them - they are bypassing filters located on the main MXes and sending spam directly to the unprotected POP3 server.
November 17th, 2005 at 6:51 am