couttsj Posted April 11, 2012 Share Posted April 11, 2012 The good news is that our server is no longer being bombarded by spam originating from servers housed at Network Operations Center in Scranton PA. The domains are still up and running, so I don't know if it's just our server that isn't being targeted, or if it is general in nature. The bad news is that the spam continues from other hosting sites scattered throughout the US, but at a much reduced volume. This is a very sophisticated operation that is likely bypassing most DNSBL servers. The envelope sender (MAIL FROM:), the EHLO domain name, and the IP address all correlate. The reverse address (PTR) is correctly configured, and the mail server is configured to verify that it is capable of receiving email. The domain names used are domains that have recently become available, and all of them have been newly registered at Moniker Privacy Services using the the following DNS servers: ns1.monikerdns.net [208.73.210.41] ns2.monikerdns.net [208.73.211.42] ns3.monikerdns.net [50.57.11.89] ns4.monikerdns.net [50.57.11.88] This has got to be an expensive operation, because the IP addresses are only used once (at least on our server). Using this methodology more than likely allows them to bypass all DNS based Black Lists. I do not have an example of the actual spam because our server does not receive any outside email. If someone has an email that matches this description, I would like to know how they are making enough money to support this operation. J.A. Coutts Link to comment Share on other sites More sharing options...
montagar Posted April 30, 2012 Share Posted April 30, 2012 The domain names used are domains that have recently become available, and all of them have been newly registered at Moniker Privacy Services using the the following DNS servers: J.A. Coutts I noticed this over a year ago. The spammer(s) seem to get entire /24 or so blocks of addresses, since I will see a variety of spams come from the same handful of related addresses (again, all Moniker DNS/Privacy domains) for a period of time. I'm considering null-routing all of Monikers DNS servers, so that even if their spams get through, no one within our network can activate any of the web links for their web sites to enable their addresses to be 'verified'. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.