nanog mailing list archives

Re: Blocking MX query


From: Rich Kulawiec <rsk () gsp org>
Date: Tue, 4 Sep 2012 09:12:40 -0400

On Tue, Sep 04, 2012 at 08:05:06AM -0400, William Herrin wrote:
> I also doubt the efficacy of the method. Were this to become common
> practice, a spammer could trivially evade it by using his own DNS
> software or simply pumping out the address list along with
> pre-resolved IP addresses to deliver the mail to. For all I know, they
> already do.

You're precisely correct.  They've been doing this for many years,
(a) because it's efficient (b) because it evades detection by techniques
that monitor MX query volume (c) because few MX's change often (d) because
it scales beautifully across large botnets.

---rsk

