> Exim has a feature ignore_target_hosts which causes it to strip certain IP
> addresses from the list of MX hosts for a domain. I use it to block all
> abusive or unreachable MXs (listed below). This kicks in when Exim is
> doing address verification at SMTP time, for example "sender verify fail
> for <[EMAIL PROTECTED]>: all relevant MX records point to non-existent hosts"
>
> 0.0.0.0/8 # this net
> 10.0.0.0/8 # RFC 1918
> 127.0.0.0/8 # this host
> 169.254.0.0/16 # link-local
> 172.16.0.0/12 # RFC 1918
> 192.0.2.0/24 # example net
> 192.168.0.0/16 # RFC 1918
> 198.18.0.0/15 # benchmark net
> 224.0.0.0/3 # multicast & reserved
>
> It would probably be good to augment this list with bogon or hijacked
> address space, but then it would be more work to keep up-to-date.

I do something similar for some host-based firewalls; I just grab <http://www.cymru.com/Documents/bogon-bn-agg.txt> via shell script on a weekly basis and plug that bogon list into ipfw. At the moment that list includes:

When I finally steal the time to set up my exim/SA filtering gateway I'll check out using that list for ignore_target_hosts as well.

--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"And the beer I had for breakfast
Wasn't bad, so I had one more for dessert."
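
A model of the filtering described in the quoted message, added here as an example and not taken from Exim or from either poster: it parses the annotated network list, discards MX addresses that fall inside it, and fails verification when nothing is left. The function names and the MX data a caller passes in are assumptions; the network list is the one quoted above.

```python
import ipaddress

# The annotated list from the quoted message, copied as posted.
IGNORE_LIST = """
0.0.0.0/8        # this net
10.0.0.0/8       # RFC 1918
127.0.0.0/8      # this host
169.254.0.0/16   # link-local
172.16.0.0/12    # RFC 1918
192.0.2.0/24     # example net
192.168.0.0/16   # RFC 1918
198.18.0.0/15    # benchmark net
224.0.0.0/3      # multicast & reserved
"""

def parse_networks(text):
    """Parse one CIDR per line, dropping '#' comments and blank lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            # strict=True rejects entries with host bits set (typos).
            nets.append(ipaddress.ip_network(entry, strict=True))
    return nets

def usable_mx_hosts(mx_addrs, ignored):
    """Keep only MX hosts with at least one address outside the ignored nets.

    mx_addrs maps MX host name -> list of resolved addresses (strings).
    """
    kept = {}
    for host, addrs in mx_addrs.items():
        good = [a for a in addrs
                if not any(ipaddress.ip_address(a) in n for n in ignored)]
        if good:
            kept[host] = good
    return kept

def verify_sender_domain(mx_addrs, ignored):
    """Return (ok, reason); the failure text mirrors the quoted log line."""
    if usable_mx_hosts(mx_addrs, ignored):
        return True, "deliverable"
    return False, "all relevant MX records point to non-existent hosts"

def exim_option(ignored):
    """Render the networks as a colon-separated Exim host list."""
    return "ignore_target_hosts = " + " : ".join(str(n) for n in ignored)
```

A sender domain whose MX records resolve only into these ranges has no usable host left, which is the condition behind the "sender verify fail" rejection quoted above.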