About a week ago I moved our MX fallback to another host.
That worked fine and nothing strange happened, as expected.
Until around midnight this morning hell broke loose and the
fallback host started relaying tons of spam. The trivial
cause: a last-minute line-for-testing-purposes bypassing
about half of my anti-spam measures inadvertently left in
before going "live"... Damn!
Why did it happen only after a week and without traces of
port scans preceding the event? Best guess: the new MX
records made it to the outskirts of the planet and/or the
spammers once in X days scan for (new) MX records.
Anyway, here's what followed:
- 00:56:09 first spam relayed
- 06:21:14 open-relay-test by ordb.org
- 07:07:35 open-relay-test by orbl.org
- 12:14:11 open-relay-test by mail-abuse.org
No trace of open-relay-tests by orbz.org, osirusoft.com or
gst-group.co.uk so far.
MAPS was too late, since I had blocked the hole already.
So that left only ordb.org and orbl.org to inform to get us
off their blacklists, so that's manageable. But what this
clearly demonstrates is the risk of ORBS "spinoffs": right
now there are "only" 5 of them, but what if sooner or later
there are 88 of them? This is exactly why I'm in favour of
central control, or at least close cooperation: one message
to a central address should do to get a fixed relay off all
the blacklists. Otherwise the means might well become worse
than the problem.