David B Funk wrote:
On Mon, 29 Jan 2007, John Rudd wrote:

It doesn't have to be firewalled.  It just has to be non-answering on
port 25.  It's called "nolisting".

I've thought about doing something similar.  Nolisting only says:

MX 1  non-answering.host
MX 10 real.host

But adding the non-answering host to the end seems like a good idea to
me (for all of the spammers that try to attack the secondaries).

There IS a risk of losing mail.  But only if the sender is a non-RFC
compliant MTA.  Which, in theory, might be legit.. but I bet in
practice, for this particular RFC issue, it's a near zero level of risk.


Um, given that the RFCs (2821, etc) say that the MXs should be tried in
order with the most preferred (lowest numeric value) first, wouldn't
that scheme result in delays on all messages (as well as lost mail from
servers that only try the "best" MX)?
Why make your "best" MX be the non-answering.host?

Yes - it does cause a delay - but it's only a few seconds. The delay is shorter than most greylisting methods on new email or delays some deliberately program in. The reason to do it on the lowest and highest MX is that spammers don't like to retry (lowest MX) and that some spammers try to go in the back door first (highest MX).
