
[anti-spam-wg@localhost] abusing DNSBLs for efficient spamming

  • From: Markus Stumpf < >
  • Date: Fri, 21 Feb 2003 19:29:53 +0100
  • Organization: SpaceNet AG, Muenchen, Germany

Sorry if this is not news, but I haven't seen it mentioned before.
I also have no real evidence ...

I have the impression that spammers abuse RBLs to do the "dirty"
and time- and resource-consuming work.

A while back I saw scans for port 25. This also happened on a newly installed
machine with a fresh IP address that hasn't been in use before. A few
days after that massive relay testing started from various free DNSBLs.

Seems like a good trick to me.
Scan a netblock for connections to port 25.
Save the positives away and do distributed randomized lookups of the positives
in various free DNSBLs. Mark the ones that are listed for later abuse.
Submit the ones that are not listed for testing to those DNSBLs.
After a while recheck those hosts in the DNSBLs or wait for their email
answer about the results.

That way one doesn't need a few 100 dummy accounts and a lot of time and
resources to do relay tests and pretends to be a good guy.

The drawback is that they lose some recipients that use the DNSBLs for
blocking/tagging but I'd think that doesn't really hurt them.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
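
A mail administrator's view of the pattern described in the post, as an added example that is not part of the original message: it correlates port-25 probes with later relay tests from DNSBL testers against the same address. The log format, host names, 7-day window and two-tester threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a made-up key=value format (not a real MTA log).
# event=probe      : port-25 connection that ended without a mail transaction
# event=relay_test : relay attempt from a host the admin has tagged as a DNSBL tester
SAMPLE_LOG = """\
2003-02-10T03:12:44 dst=192.0.2.10 src=198.51.100.7 event=probe
2003-02-10T03:12:45 dst=192.0.2.11 src=198.51.100.7 event=probe
2003-02-13T09:01:02 dst=192.0.2.10 src=tester-a.example event=relay_test
2003-02-13T17:40:19 dst=192.0.2.10 src=tester-b.example event=relay_test
2003-02-14T08:15:30 dst=192.0.2.10 src=tester-c.example event=relay_test
2003-02-25T11:00:00 dst=192.0.2.11 src=tester-a.example event=relay_test
2003-02-12T10:00:00 dst=192.0.2.12 src=tester-a.example event=relay_test
"""

def parse(line):
    """Split one 'timestamp key=value ...' line into (datetime, fields)."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(stamp), fields

def probe_then_tests(log, window_days=7, min_testers=2):
    """Return {server: [testers]} for servers that were probed and then
    relay-tested by at least min_testers distinct testers inside the window."""
    first_probe = {}
    tests = defaultdict(list)
    for line in filter(None, map(str.strip, log.splitlines())):
        when, f = parse(line)
        if f["event"] == "probe":
            first_probe[f["dst"]] = min(when, first_probe.get(f["dst"], when))
        elif f["event"] == "relay_test":
            tests[f["dst"]].append((when, f["src"]))
    window = timedelta(days=window_days)
    flagged = {}
    for dst, probed in first_probe.items():
        # Distinct testers that showed up after the probe, inside the window.
        testers = sorted({src for when, src in tests[dst]
                          if probed <= when <= probed + window})
        if len(testers) >= min_testers:
            flagged[dst] = testers
    return flagged

if __name__ == "__main__":
    for server, testers in probe_then_tests(SAMPLE_LOG).items():
        print(server, "probed, then relay-tested by", ", ".join(testers))
```

A hit only shows that several independent testers arrived shortly after a probe; it does not identify who submitted the address for testing.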


