This is the reply to a person who wanted to stay anonymous.
I am posting the reply here, with his name bleached, because it may help similar readers.

On 12/14/15 4:42 PM, R.H. (privat) wrote:
> http://marc.info/?l=postfix-users&m=144978027304340&w=2
>> Run a "proper" e-mail server, that is, one that sends and receives
> bullshit, on any proper and larger mail infrastructure you have
> inbound and outbound mail servers *strictly* separated and hence
> *please* for the sake of the internet refrain from maintaining public
> mail servers with your attitude especially after "Do not trust the
> advice of self-appointed experts" while proven experts explained
> to you how mail works

Are you paying attention? The topic of this thread is how to reject e-mail from spambots. You can certainly scale your "e-mail server" in any way you please, including the division of its inbound and outbound subsystems. My point is that your outbound subsystem needs to be sufficiently polite to inform your e-mail clients about where your inbound subsystem is.

In fact, unless you are Apple, which owns its IPs and serves as its own ISP, you are served by one or more providers, using/sharing their IPs, and therefore you cannot simply divide the two subsystems and expect the world to *read your mind* to understand that you are a proper e-mail server instead of a spambot.

For the sake of this thread, I used the term "proper e-mail server" to distinguish you from the spambot. In fact, the difference between a spambot and a "proper e-mail server" is that the spambot is a *send-only* system, a cloud of possibly infected clients, each one sending e-mails using a telnet-like application. If your Windows PC is infected by a virus that turned it into a spambot node, then your PC is sending e-mails to all of your contacts, possibly including a copy of itself (the virus), requests for money on your behalf, and so forth. The spambot node is not good enough to present itself with an MX record, and it is not good enough to speak the SMTP protocol as a proper e-mail server.
Therefore, if you divide outbound from inbound, please add your MX record to the DNS of your outbound subsystem. It is still your outbound subsystem, with *a link* that points at your own inbound subsystem, where we can verify the sender. I understand that someone here would rather profit from the problem instead of writing an MX record. However, I believe that this tiny bit of netiquette would be sufficient to solve the problem once and for all. In fact, the more recent DNS/DNSSEC records are not as widespread as MX, and are easily exploited by the spambots.

---
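The check the post argues for, that the envelope sender's domain must publish an MX record pointing at a reachable inbound host, is what Postfix already implements as the `reject_unknown_sender_domain` restriction (it also accepts a domain with only an A record, the "implicit MX" of RFC 5321). The block below is an added example, not code from this thread or from Postfix: it spells that policy out in Python against a constructed in-memory DNS table so it runs offline, and includes the two edge cases a receiving MTA must get right, the null sender `<>` used for bounces, which must always be accepted, and an MX record whose target host does not resolve, which is treated as if no MX existed. The domain names, addresses and the `fake_lookup` resolver are all constructed; to use it live, replace `fake_lookup` with a real resolver.

```python
"""Sender-domain check in the spirit of the thread: does the MAIL FROM
domain publish an MX record (or at least an A record) that points at a
host which actually resolves?  All DNS data here is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed zone data (not real records of these domains).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("example.org", "MX"): ["20 mx-backup.example.org.", "10 mx-in.example.org."],
    ("mx-in.example.org", "A"): ["192.0.2.25"],
    ("mx-backup.example.org", "A"): ["192.0.2.26"],
    ("outbound.example.org", "A"): ["192.0.2.27"],          # A only, no MX
    ("mx-only.example.net", "MX"): ["10 dangling.example.net."],  # MX target never resolves
}

Resolver = Callable[[str, str], List[str]]  # (name, record type) -> records


def fake_lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a real DNS resolver; returns [] for unknown names."""
    return FAKE_DNS.get((name.rstrip(".").lower(), rtype), [])


@dataclass
class Verdict:
    accept: bool
    reason: str


def parse_mx(record: str) -> Tuple[int, str]:
    """Split '10 mx.example.org.' into (10, 'mx.example.org')."""
    pref, host = record.split(None, 1)
    return int(pref), host.rstrip(".").lower()


def check_sender_domain(domain: str, lookup: Resolver = fake_lookup) -> Verdict:
    domain = domain.rstrip(".").lower()
    mx_records = lookup(domain, "MX")
    if mx_records:
        # Walk MX hosts by preference; one resolvable target is enough.
        # An MX pointing nowhere is as good as no MX at all.
        for _, host in sorted(parse_mx(r) for r in mx_records):
            if lookup(host, "A"):
                return Verdict(True, f"MX {host} for {domain} resolves")
        return Verdict(False, f"MX records for {domain} point at hosts that do not resolve")
    if lookup(domain, "A"):
        # Implicit MX: a domain with only an A record is still reachable.
        return Verdict(True, f"{domain} has no MX but resolves directly")
    return Verdict(False, f"{domain} has neither MX nor A record")


def smtp_decision(mail_from: str, lookup: Resolver = fake_lookup) -> str:
    """Return the SMTP reply an inbound MTA would give for MAIL FROM."""
    addr = mail_from.strip().strip("<>")
    if addr == "":
        # Null sender carries bounces; it must never be rejected here.
        return "250 2.1.0 Ok (null sender)"
    if "@" not in addr:
        return "550 5.1.7 Bad sender address syntax"
    verdict = check_sender_domain(addr.rsplit("@", 1)[1], lookup)
    if verdict.accept:
        return "250 2.1.0 Ok"
    # 4xx rather than 5xx: DNS trouble is often transient, and a
    # legitimate sender will retry; a spambot usually will not.
    return f"450 4.1.8 Sender address rejected: {verdict.reason}"


if __name__ == "__main__":
    for sender in ["<alice@example.org>", "<ops@outbound.example.org>",
                   "<bob@mx-only.example.net>", "<x@nowhere.invalid>", "<>"]:
        print(f"MAIL FROM:{sender:<30} -> {smtp_decision(sender)}")
```

The ordering by MX preference matters only for the message in the verdict; what decides acceptance is whether any MX target resolves. The deferral code (450) is a design choice here, not a fact about Postfix: a temporary failure lets a legitimate domain whose DNS is momentarily broken retry later, while a send-only spambot node, which never queues, simply loses the message.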