[dns-operations] can anybody think of what antispam purpose this RRset might be serving
Bruce Campbell
bc-dns at vicious.dropbear.id.au
Thu Dec 21 07:42:03 UTC 2006
On Wed, 20 Dec 2006, Paul Vixie wrote:

> colour me puzzled. rrset ttl's are minimized by compliant initiators, so
> the MX RRset here has ttl 0. but maybe there's spamware or malware out there
> that doesn't respect this, and this is the indirect way i'm hearing about it?

Two possible reasons; one is that the domain is legit, and the domain
admin has hit upon using a low TTL to be able to quickly swap their MX
from a failed host to another host. Possibly they intended to apply the
low TTL on the primary MX, but got confused as to which way the priority
numbers go.

Second possible; the domain has been set up to be the apparent sender in a
spam run, and the intention is to dump the bounces from destination mail
servers at various victim mail servers for a secondary DoS effect,
changing them through the run depending on who they're annoyed at.

--
Bruce Campbell.
> ; <<>> DiG 9.4.0b4 <<>> @217.194.209.4 thislittlepiggy.co.uk. in mx
> ;; ANSWER SECTION:
> thislittlepiggy.co.uk. 0 IN MX 50 smtp01.hostinguk.net.
> thislittlepiggy.co.uk. 43200 IN MX 10 mail5.hostinguk.net.
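
An added example, not part of the original post: a small Python audit that parses dig-style answer lines, groups them into RRsets and reports any set whose members carry different TTLs, together with the lowest TTL that a resolver minimizing per RFC 2181 section 5.2 would apply to the whole set. The function names are illustrative, and the sample input is the two records quoted above.

```python
from collections import defaultdict

# The two answer records quoted in the post above.
SAMPLE_ANSWER = """\
thislittlepiggy.co.uk. 0 IN MX 50 smtp01.hostinguk.net.
thislittlepiggy.co.uk. 43200 IN MX 10 mail5.hostinguk.net.
"""

def parse_answer(text):
    """Parse dig-style answer lines into (name, ttl, class, type, rdata)."""
    records = []
    for line in text.splitlines():
        # Tolerate mail-quoted input ("> ...") and skip dig comment lines.
        line = line.strip().lstrip("> ")
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # not a resource record line
        name, ttl, rclass, rtype, rdata = fields
        records.append((name.lower(), int(ttl), rclass.upper(), rtype.upper(), rdata))
    return records

def audit_rrsets(records):
    """Return one finding per RRset whose members do not share a single TTL."""
    rrsets = defaultdict(list)
    for name, ttl, rclass, rtype, rdata in records:
        rrsets[(name, rclass, rtype)].append((ttl, rdata))
    findings = []
    for key, members in sorted(rrsets.items()):
        ttls = sorted({ttl for ttl, _ in members})
        if len(ttls) > 1:
            findings.append({
                "rrset": key,
                "ttls": ttls,
                # A minimizing resolver caches the whole set at the lowest TTL.
                "effective_ttl": ttls[0],
                "records": sorted(members),
            })
    return findings

if __name__ == "__main__":
    for f in audit_rrsets(parse_answer(SAMPLE_ANSWER)):
        name, rclass, rtype = f["rrset"]
        print(f"{name} {rclass} {rtype}: mixed TTLs {f['ttls']}, "
              f"effective TTL after minimization {f['effective_ttl']}")
```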