Marc Perkel wrote:
> Kai Schaetzl wrote:
> > Duane Hill wrote on Sat, 25 Aug 2007 22:29:50 +0000 (UTC):
> > > What happens if the remote MX is within a private IP range? Should I
> > > accept that message, knowing full well the recipient would never be able to
> > > respond?
> > This feature looks fine on first glance, but on second I think this is
> > dangerous if it gets applied to all MX positions. For instance the two MX
> > setup where one machine is behind a firewall and a gateway machine is first
> > MX and forwards to the machine behind the firewall. This is an accepted
> > setup. Couldn't I achieve the same thing without a firewall? The first MX
> > gets another IP from a private range and the second is on private only. So,
> > it's not reachable from outside, but the first MX can forward to it.
> > "backup MXs (that don't exist)" doesn't mean a private range. You simply
> > set it to an IP that doesn't have SMTP or one that points to nirvana, but
> > still a valid public IP address.
> > I don't use that technique and don't think I will need to use it in the
> > near future, but I can't see anything bad in it, sorry. As John says only
> > spammers or broken MTAs should have a problem with that.
> > I also agree on SAV with John, it's almost as bad as challenge-response
> > mechanisms.
> > Kai
> If you have one MX and you create a fake low MX and a fake high MX (or
> many fake high MX) about 75% to 95% of your spam goes away. It's that
> simple.
I've been following this discussion across all the threads. Marc's ideas
are certainly out of the box, and some have merit, maybe all have merit.
But I can report that depending on the client, some of the ideas would
get me fired within a week; they would certainly get my clients howling
into the phone. This is one such idea.
While this idea sounds good, and it may work for you, it won't work for
us. Unfortunately there are an abundant number of what I like to call
"shrink wrap admins". They convince the PHB they can save money, save
time, do cool things with their Blackberrys, if they manage their own
mail server in house. So they pull a beige PIII out from under a desk,
open the MSE box, insert the CD, and before the shrink wrap stops
un-wadding itself on the floor they are already goofing up mail to my
servers (my clients). Of course, it's my fault when that happens 8^(
Examples (though they may not be relevant to the discussion) of why we
cannot block mail using some of the more common or creative techniques:
1) I see thousands of corporate email connections a day from
<[EMAIL PROTECTED]>, bad helo is not always a good indicator
of a bot/spam/zombie.
2) Many of our clients do a lot of email with businesses that have a
mail server running on a static cable IP that still has a dynamic
reverse DNS. RDNS is not a good indicator of the legitimacy of a message.
3) We also have plenty of entries in our whitelist for greylisting,
because the other server can't handle a temp fail.
4) I'll say it again though a lot of people have told me I am crazy: I
see instances often of MS caching DNS for weeks at a time. The stupid
server will only try to send to one IP, over, and over, and over.
Sometimes that IP is only one of our MXs. We finally call them and insist
they reboot their server. Then voila, it works. I dread taking down an MX
for maint, even when the DNS has been expired for a month in advance.
I hate spammers, hate 'em, hate 'em, hate 'em. They should be run out of
town on a pole. A pole carefully located with a great deal of force.
DAve
--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?
Maybe they forgot who made that choice possible.
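The thread turns on two questions about a domain's MX set: what a sender should make of an MX that resolves into private address space (Duane's question, Kai's firewall/gateway case), and in what order a compliant sender walks the MX list when decoys are published at the low and high preferences (Marc's setup). The script below is an added example, not code from anyone in this thread. It audits a constructed MX/A record set entirely offline (the hostnames and the documentation-range addresses are made up for the example), classifies each MX as public, private or unresolvable, and reports whether the domain has any Internet-reachable MX at all. The RFC 1918/4193 ranges are checked explicitly rather than via Python's `is_private`, because `is_private` also covers the documentation ranges used in the sample and would mislabel the "public decoy" case.

```python
"""Audit a domain's MX set for the pitfalls discussed in the thread:
MX hosts sitting in private address space (unreachable from the
Internet) and MX hosts that resolve to nothing.  Uses constructed
records only; it performs no DNS lookups."""
import ipaddress

# Constructed sample records (hypothetical hosts, documentation addresses).
SAMPLE_MX = {
    "example.test": [
        (10, "mx-fake-low.example.test"),   # decoy: public IP, nothing listens on 25
        (20, "mx-real.example.test"),       # the real server
        (30, "mx-fake-high.example.test"),  # decoy on an RFC 1918 address
    ],
    "behind-firewall.test": [
        (10, "internal-mx.behind-firewall.test"),  # only MX is private: undeliverable
    ],
}
SAMPLE_A = {
    "mx-fake-low.example.test": ["192.0.2.10"],
    "mx-real.example.test": ["203.0.113.25"],
    "mx-fake-high.example.test": ["10.0.0.5"],
    "internal-mx.behind-firewall.test": ["192.168.1.20"],
}

# RFC 1918 (IPv4) and RFC 4193 (IPv6 ULA) ranges, listed explicitly.
# ipaddress's is_private would also flag the 192.0.2.0/24 and
# 203.0.113.0/24 documentation ranges used in the sample above.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_non_routable(ip: str) -> bool:
    """True if an Internet host could never reach this address."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_link_local
            or any(addr in net for net in NON_ROUTABLE))


def delivery_order(domain: str, mx=SAMPLE_MX) -> list:
    """Hosts in the order an RFC 5321 sender tries them: lowest preference first.
    With a decoy at the lowest preference, the real server is only reached
    by senders that retry after the first connection fails."""
    return [host for _, host in sorted(mx.get(domain, []))]


def audit_mx(domain: str, mx=SAMPLE_MX, a=SAMPLE_A) -> dict:
    """Classify each MX and say whether any of them is reachable at all."""
    findings = []
    for pref, host in sorted(mx.get(domain, [])):
        addrs = a.get(host, [])
        if not addrs:
            status = "unresolvable"
        elif all(is_non_routable(ip) for ip in addrs):
            status = "private"
        else:
            status = "public"
        findings.append({"pref": pref, "host": host,
                         "addrs": addrs, "status": status})
    # A domain with no public MX can receive nothing from the Internet,
    # which is the case Duane asks whether to accept mail for.
    deliverable = any(f["status"] == "public" for f in findings)
    return {"domain": domain, "mx": findings, "deliverable": deliverable}


if __name__ == "__main__":
    for dom in SAMPLE_MX:
        report = audit_mx(dom)
        print(dom, "deliverable" if report["deliverable"] else "NOT deliverable")
        for f in report["mx"]:
            print("  %3d %-40s %-12s %s" % (f["pref"], f["host"], f["status"],
                                           ", ".join(f["addrs"])))
```

Run it directly to see the per-MX table; `audit_mx` is what a receiving side would call (with real DNS answers substituted for the sample dicts) before deciding how much weight to give a sender whose only MX is private, and `delivery_order` shows why the low-preference decoy costs nothing for senders that honour the preference order but breaks the single-IP-forever senders DAve describes.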