[156009] in North American Network Operators' Group
Re: Blocking MX query
daemon@ATHENA.MIT.EDU (Rich Kulawiec)
Tue Sep 4 09:13:37 2012
Date: Tue, 4 Sep 2012 09:12:40 -0400
From: Rich Kulawiec <rsk@gsp.org>
To: nanog@nanog.org
In-Reply-To: <CAP-guGWLngf6HY3Yano0TNKpPs5c_Efbkswck+T-yw2Drodf8Q@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Sep 04, 2012 at 08:05:06AM -0400, William Herrin wrote:
> I also doubt the efficacy of the method. Were this to become common
> practice, a spammer could trivially evade it by using his own DNS
> software or simply pumping out the address list along with
> pre-resolved IP addresses to deliver the mail to. For all I know, they
> already do.

You're precisely correct. They've been doing this for many years:
(a) because it's efficient, (b) because it evades detection by techniques
that monitor MX query volume, (c) because few MXs change often, (d) because
it scales beautifully across large botnets.

---rsk