Minimum TTL?

@lbutlr kremels at kreme.com
Sat Feb 10 17:26:31 UTC 2018


On 2018-02-09 (21:11 MST), John Levine <johnl at iecc.com> wrote:
> 
> In article <mailman.459.1518222411.749.bind-users at lists.isc.org> you write:
>> For the record, the issue is not RBLs or legitimate domains, it is
>> spammer scum that set super-low DNS because they are shotgunning spam
>> from a vast botnet and they want to have maximal impact, so you get a
>> different IP for every spam they send. It is a way of trying to
>> overwhelm a machine's tarpits, blacklists, sshguard protections, and
>> others.
> 
> Um, you have it completely backward.

No, I don't.

As I explained upthread, the mechanism works something like this.

Buy a garbage domain. Set up DNS with a TTL of 1s and have the IP change to random machines on your botnet.

Spew spam at a single mail server.

The target, instead of very quickly rejecting the spam because of the lack of a domain or the lack of DNS, instead has to deal with thousands of different IPs.

Every one of those is going to hit scammer scum's DNS servers.

At some point those thousands (tens of thousands? hundreds of thousands?) of requests are going to have a serious impact on your mail server. Meanwhile, you are giving spammer scum a lot of information about how much traffic your server can deal with, since they can easily see when your responses start to slow down.

> Botnets are computers with IP addresses.  They don't need DNS pointing at them to send spam.

They do to send spam to any mail admin with even half a brain who would not accept unauthenticated mail from an IP without an actual domain attached.

> I hope you're not planning to do much spam filtering.

A 5s TTL will not have an appreciable effect on RBLs.

-- 
If you mixed vodka with orange juice and Milk Of Magnesia, would you get
a Philip's Screwdriver?
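The pattern the post describes (one sender domain arriving from a fresh client IP on nearly every connection) is something a receiving mail server can measure from its own logs. The following is an added example, not code from the thread or from BIND: it parses constructed log lines in a simplified "timestamp client=IP from=<addr>" format (the format, the sample data and the threshold are assumptions) and reports domains whose distinct-client count inside a fixed time window is unusually high.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic): one connection per line.
# shop.example sends from two hosts; garbage.example rotates its IP per message.
SAMPLE_LOG = """\
2018-02-10T17:00:01 client=203.0.113.5 from=<news@shop.example>
2018-02-10T17:00:03 client=203.0.113.5 from=<news@shop.example>
2018-02-10T17:00:04 client=198.51.100.1 from=<a@garbage.example>
2018-02-10T17:00:05 client=198.51.100.2 from=<b@garbage.example>
2018-02-10T17:00:05 client=198.51.100.3 from=<c@garbage.example>
2018-02-10T17:00:06 client=198.51.100.4 from=<d@garbage.example>
2018-02-10T17:00:07 client=198.51.100.5 from=<e@garbage.example>
2018-02-10T17:00:09 client=203.0.113.6 from=<news@shop.example>
2018-02-10T17:02:30 client=198.51.100.6 from=<f@garbage.example>
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) from=<[^@>]+@([^>]+)>$")
EPOCH = datetime(1970, 1, 1)  # naive reference, so bucketing ignores local TZ


def parse(log_text):
    """Yield (timestamp, client_ip, sender_domain) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()


def distinct_clients(log_text, window_seconds=60):
    """Return {domain: max number of distinct client IPs seen inside any
    fixed window of window_seconds}. A domain sent from a few stable hosts
    stays low; one that changes its A record per message climbs fast."""
    buckets = defaultdict(set)  # (domain, bucket index) -> set of client IPs
    for ts, ip, domain in parse(log_text):
        bucket = int((ts - EPOCH).total_seconds()) // window_seconds
        buckets[(domain, bucket)].add(ip)
    result = defaultdict(int)
    for (domain, _), ips in buckets.items():
        result[domain] = max(result[domain], len(ips))
    return dict(result)


def flag_rotating_domains(log_text, threshold=5, window_seconds=60):
    """Domains whose distinct-client count in a single window reaches threshold."""
    counts = distinct_clients(log_text, window_seconds)
    return sorted(d for d, n in counts.items() if n >= threshold)
```

The threshold is a local policy choice; large legitimate senders with many outbound hosts will need a higher value or an allow list, so the output is a lead for rate limiting or tarpitting rather than a reject rule on its own.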