In message <40972.203.97.112.6.1131571888.squirrel(a)webmail.blakjak.net>, "Mark Foster" writes:
> I thought that most malware did its own MX lookups and relayed directly? Aka bypassing the SMTP relay provided by infected-parties ISP?
There's at least one common variant around now which seems to relay via the ISP mail servers. I notice it mainly through the reflections, including some where that ISP's mail server apparently tried to deliver to some nonexistent user at my domain, got rejected, and so instead delivers a bounce message to the (forged) from address at the same domain (which happens to exist; if that one didn't exist either I'd never see it).

I'm not sure how much longer relaying mail without scanning it first (and rejecting anything that doesn't pass at SMTP time) is going to be a viable strategy for both incoming and outgoing mail relays. Either that or dynamic IP addresses going away, so it's possible to assign reputation right back to the originating machine.

Ewen
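As an added illustration (not part of the thread), here are Postfix main.cf fragments contrasting the two relay behaviours Ewen describes: accept-then-bounce, which turns every downstream rejection into a reflection to the forged sender, versus deciding at SMTP time before the message is queued. The scanner addresses, transport name and map sources are placeholders, not settings from the thread.

```ini
# Added example, not from the original thread. Addresses and transport names
# are placeholders; adjust to the scanner actually deployed.

# --- Weak: after-queue filtering. The relay has already said "250 OK" to the
# client before the scanner runs, so anything the scanner (or the next hop)
# rejects must be bounced to the envelope sender, which malware forges.
content_filter = amavis:[127.0.0.1]:10024

# --- Corrected: decide while the SMTP session is still open. A before-queue
# milter can return 5xx to the sending machine, and nothing is bounced later.
content_filter =
smtpd_milters = inet:127.0.0.1:8891
milter_default_action = tempfail
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain

# --- Inbound side: reject unknown local users at RCPT TO, so the sending relay
# (not this host) is the one that has to deal with the failure, and this host
# never generates a bounce for a user that does not exist.
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
smtpd_reject_unlisted_recipient = yes
```

Note that `milter_default_action = tempfail` keeps the relay from silently falling open (accepting unscanned mail) when the scanner is down; with `accept` the weak behaviour would return whenever the filter failed.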