[dns-operations] can anybody think of what antispam purpose this RRset might be serving

Bruce Campbell bc-dns at vicious.dropbear.id.au
Thu Dec 21 07:42:03 UTC 2006

On Wed, 20 Dec 2006, Paul Vixie wrote:

> colour me puzzled.  rrset ttl's are minimized by compliant initiators, so
> the MX RRset here has ttl 0.  but maybe there's spamware or malware out there
> that doesn't respect this, and this is the indirect way i'm hearing about it?

Two possible reasons; one is that the domain is legit, and the domain 
admin has hit upon using a low TTL to be able to quickly swap their MX 
from a failed host to another host.  Possibly they intended to apply the 
low TTL on the primary MX, but got confused as to which way the priority 
numbers go.

Second possible; the domain has been set up to be the apparent sender in a 
spam run, and the intention is to dump the bounces from destination mail 
servers at various victim mail servers for a secondary DoS effect, 
changing them through the run depending on who they're annoyed at.

   Bruce Campbell.

> ; <<>> DiG 9.4.0b4 <<>> @ thislittlepiggy.co.uk. in mx
> thislittlepiggy.co.uk.  0       IN      MX      50 smtp01.hostinguk.net.
> thislittlepiggy.co.uk.  43200   IN      MX      10 mail5.hostinguk.net.

More information about the dns-operations mailing list