Blocking MX query

Rich Kulawiec rsk at gsp.org
Tue Sep 4 13:12:40 UTC 2012


On Tue, Sep 04, 2012 at 08:05:06AM -0400, William Herrin wrote:
> I also doubt the efficacy of the method. Were this to become common
> practice, a spammer could trivially evade it by using his own DNS
> software or simply pumping out the address list along with
> pre-resolved IP addresses to deliver the mail to. For all I know, they
> already do.

You're precisely correct.  They've been doing this for many years,
(a) because it's efficient (b) because it evades detection by techniques
that monitor MX query volume (c) because few MX's change often (d) because
it scales beautifully across large botnets.

---rsk



