I'm in the process of setting up a mail server, which will eventually accept mail for a given domain. I am also changing name servers for said domain (to make use of zoneedit.com).

So far, I have the new server accepting mail for the domain, and the new name server serving records for the domain, including an MX pointing at the new server. However, I haven't updated the domain record, so the authoritative nameservers haven't changed.

Despite this, somehow, spammers are already attempting to submit mail for the domain in question to the new MX server. Not only that, but it's targeted at particular users with non-obvious local parts.

The new MX advertises itself as "a-sub-domain.example.org", for values of "example.org", so it's possible in theory to derive "example.org" from the banner. But unlikely.

Are they psychic? Or is a spammer somehow getting notified of new MX records hosted at zoneedit (no matter whether glue records point at them)?


comment 1

What is the greeting banner?

"telnet localhost 25" is your friend ;)

Does it include the domain name?

comment 2
It doesn't advertise the domain in question, but it does advertise a sub-domain, so it's not impossible that the parent was derived. I would have thought that was pretty unlikely (but perhaps most big ISPs have mail.example.com as the banner? Perhaps not as infeasible as I thought). That would not explain correctly guessing the local-part. Unless there's a gigantic DB of local,domain tuples somewhere, and some software has discovered an open port 25, derived the domain from the advertised sub-domain and then joined the dots with their existing local,domain DB? If that's true I might just give up, we've lost!
jmtd [livejournal.com],
comment 3
How about PTR records? Maybe the spammer found an open port 25 and did a reverse DNS lookup, then searched their database for known email addresses with a matching domain? -- Don Marti
Don Marti,
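A self-check for the two leakage paths the thread raises (the 220 greeting banner and the PTR record of the server's address), added here as an example that is not from the original post or its commenters. The hostnames in it are placeholders, and the live check assumes an MX listening on localhost:25.

```python
import re
import socket

# Constructed sample greeting of the kind described in the post; the
# hostnames are placeholders, not the poster's real server.
SAMPLE_BANNER = "220 a-sub-domain.example.org ESMTP ready"


def hostname_from_banner(banner):
    """Return the hostname the server advertises in its 220 greeting, or None."""
    m = re.match(r"^220[ -](\S+)", banner.strip())
    return m.group(1) if m else None


def parent_domains(hostname):
    """Parent domains implied by a hostname, nearest first, stopping above the
    top-level label: a-sub-domain.example.org -> ['example.org']. A bare
    'example.org' or a single label implies nothing extra. No public-suffix
    list is consulted, so names under co.uk etc. also yield the suffix."""
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def derivable_domains(banner, ptr_name=None):
    """Every domain an observer can derive from the greeting banner and,
    if present, the PTR name of the server's address."""
    found = set()
    for name in (hostname_from_banner(banner), ptr_name):
        if name:
            found.add(name.lower().rstrip("."))
            found.update(parent_domains(name))
    return found


def live_check(host="localhost", port=25, timeout=5.0):
    """Connect to the MX, read its greeting, look up the PTR of the address
    we connected to, and report what an outsider could derive from both."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.makefile("r", encoding="ascii", errors="replace").readline()
        peer_ip = s.getpeername()[0]
        s.sendall(b"QUIT\r\n")
    try:
        ptr = socket.gethostbyaddr(peer_ip)[0]
    except socket.herror:
        ptr = None  # no reverse record for this address
    return banner.strip(), ptr, derivable_domains(banner, ptr)


if __name__ == "__main__":
    shown_banner, ptr_name, domains = live_check()
    print("banner:", shown_banner)
    print("PTR:", ptr_name)
    print("derivable domains:", sorted(domains))
```

If the report lists the domain you have not yet announced anywhere else, the banner or the PTR is giving it away; the local-part guessing the thread describes is a separate question that this check does not answer.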