On Mon, 27 Aug 2007, Marc Perkel wrote:
> David B Funk wrote:
> > On Sun, 26 Aug 2007, Marc Perkel wrote:
> >
> >> If you have one MX and you create a fake low MX and a fake high MX (or
> >> many fake high MX) about 75% to 95% of your spam goes away. It's that
> >> simple.
> >
> > How do you deal with the false-positives, legit servers that are blocked
> > by this configuration?
>
> There aren't any false positives. That's what is so great about this trick.
I guess I didn't make my question clear enough;
How do you deal with mail from legit servers that are blocked by this
configuration?
(IE servers that for what ever reason will ONLY try the first mx, thus
failing to get past your fake MX.)
I ask this because a few years ago I had a mail setup that produced
something functionally equivalent (first MX had a ipfilter that returned
a tcp-reset for a large IP block to force them to fall back to my
secondary MXs to reduce load on the first).
Some of our users complained about missing messages from a local city
government office. Turns out that their server (which was OK) was routing
thru an 'intelligent' firewall and the brain-damaged firewall was only
letting the mail send out to the first MX of the destination address.
The mail server people had a legit configuration, it was the hardware
deployed by their network people which was the cause of the problem
and they were not willing to turn off their firewall. Their attitude
was "it works for everybody else, so your system must be broken".
Maybe -you- can tell your customers "Tough, I won't let you get mail from
senders with broken configurations" but when one of our departmental
execs calls and says "I'm not getting mail from government office Y"
my saying "Tough" is -not- an option. ;(
I could (in my massive amounts of spare time) keep poking more holes
in the filter to pass message from brain-damaged systems, but just
finding them in the first place is a head-ache.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
