David B Funk wrote:
> On Mon, 27 Aug 2007, Marc Perkel wrote:
>> David B Funk wrote:
>>> On Sun, 26 Aug 2007, Marc Perkel wrote:
>>>> If you have one MX and you create a fake low MX and a fake high MX (or
>>>> many fake high MX) about 75% to 95% of your spam goes away. It's that
>>>> simple.
>>> How do you deal with the false positives, legit servers that are blocked
>>> by this configuration?
>> There aren't any false positives. That's what is so great about this trick.
> I guess I didn't make my question clear enough;
> How do you deal with mail from legit servers that are blocked by this
> configuration?
> (i.e. servers that for whatever reason will ONLY try the first MX, thus
> failing to get past your fake MX.)
> I ask this because a few years ago I had a mail setup that produced
> something functionally equivalent (first MX had an ipfilter that returned
> a tcp-reset for a large IP block to force them to fall back to my
> secondary MXs to reduce load on the first).
> Some of our users complained about missing messages from a local city
> government office. Turns out that their server (which was OK) was routing
> through an 'intelligent' firewall and the brain-damaged firewall was only
> letting the mail send out to the first MX of the destination address.
> The mail server people had a legit configuration, it was the hardware
> deployed by their network people which was the cause of the problem
> and they were not willing to turn off their firewall. Their attitude
> was "it works for everybody else, so your system must be broken".
> Maybe -you- can tell your customers "Tough, I won't let you get mail from
> senders with broken configurations" but when one of our departmental
> execs calls and says "I'm not getting mail from government office Y"
> my saying "Tough" is -not- an option. ;(
> I could (in my massive amounts of spare time) keep poking more holes
> in the filter to pass messages from brain-damaged systems, but just
> finding them in the first place is a headache.
I've not run into a single instance where a legit server only tried the
lowest MX. However, if I did, there's a simple solution. If the fake
lowest MX points to an IP on the same server as the working MX then you
can use iptables to block port 25 on all IP addresses EXCEPT for the one
broken server. That would fix the problem.
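The two setups argued over above, plain fake-MX records and Marc's iptables exception for a single first-MX-only sender, modelled as an added example that is not part of the thread. Every host name, IP address and sender behaviour below is a constructed assumption: the zone, the idea that the fake low MX shares a box with the real MTA, and the assumed spamware habit of going straight to the highest-preference MX are illustrations of the mechanism, not data from the posts.

```python
"""Model of the fake-MX ("nolisting") setup and the iptables exception
from the thread.  Constructed example: all names, IPs and sender
behaviours are assumptions for illustration."""
from dataclasses import dataclass

# Constructed zone: preference -> MX host.  Only mx.example.test runs an
# MTA; the lowest and highest preferences are the fake MX records.
ZONE_MX = {
    10: "fake-low.example.test",
    20: "mx.example.test",
    90: "fake-high.example.test",
}

# Constructed addresses for the iptables rules below.
FAKE_LOW_IP = "192.0.2.10"         # second address on the real mail server
BROKEN_SENDER_IP = "198.51.100.7"  # the one sender that only tries the first MX


@dataclass(frozen=True)
class Host:
    """listening: does anything answer on tcp/25 at all.
    allowed_sources: if non-empty, port 25 answers only these source IPs
    (the iptables exception); every other source is refused."""
    listening: bool
    allowed_sources: frozenset = frozenset()

    def accepts(self, src_ip):
        if not self.listening:
            return False
        return not self.allowed_sources or src_ip in self.allowed_sources


# Plain nolisting: the fake hosts never answer on port 25.
PLAIN_HOSTS = {
    "fake-low.example.test": Host(listening=False),
    "mx.example.test": Host(listening=True),
    "fake-high.example.test": Host(listening=False),
}

# Marc's workaround: the fake-low name points at a second IP on the real
# server, and iptables admits only the broken sender on that IP.
PATCHED_HOSTS = dict(PLAIN_HOSTS)
PATCHED_HOSTS["fake-low.example.test"] = Host(
    listening=True, allowed_sources=frozenset({BROKEN_SENDER_IP}))


def rfc_sender(zone):
    """Standards-compliant MTA: try MX hosts in ascending preference order."""
    return [zone[p] for p in sorted(zone)]


def first_only_sender(zone):
    """The 'brain-damaged firewall' case: only the lowest-preference MX."""
    return [zone[min(zone)]]


def highest_only_sender(zone):
    """Assumed spamware behaviour: go straight to the highest-preference MX."""
    return [zone[max(zone)]]


def deliver(strategy, zone, hosts, src_ip):
    """Return the MX host that accepted the connection, or None if the
    sender gave up without reaching a listening, permitted host."""
    for name in strategy(zone):
        if hosts[name].accepts(src_ip):
            return name
    return None


def iptables_rules(fake_low_ip, allowed_ip):
    """The two INPUT rules for the fake-low IP: admit the one broken sender,
    refuse everyone else.  REJECT with a TCP reset, rather than DROP, lets a
    compliant sender fall through to the next MX at once instead of waiting
    out a connect timeout."""
    return [
        f"iptables -A INPUT -d {fake_low_ip} -p tcp --dport 25 -s {allowed_ip} -j ACCEPT",
        f"iptables -A INPUT -d {fake_low_ip} -p tcp --dport 25 -j REJECT --reject-with tcp-reset",
    ]


if __name__ == "__main__":
    for label, hosts in (("plain nolisting", PLAIN_HOSTS), ("with exception", PATCHED_HOSTS)):
        print(label)
        print("  compliant sender :", deliver(rfc_sender, ZONE_MX, hosts, "203.0.113.5"))
        print("  first-MX-only    :", deliver(first_only_sender, ZONE_MX, hosts, BROKEN_SENDER_IP))
        print("  highest-MX-only  :", deliver(highest_only_sender, ZONE_MX, hosts, "203.0.113.9"))
    print("\n".join(iptables_rules(FAKE_LOW_IP, BROKEN_SENDER_IP)))
```

Running it shows the trade-off in the thread: against plain nolisting a compliant sender lands on mx.example.test while the first-MX-only and highest-MX-only senders get nothing; with the exception in place the one allow-listed first-MX-only sender is delivered on the fake-low address, any other first-MX-only sender is still refused, and compliant senders still fall through to the real MX. The exception has to be added per broken sender, which is exactly the maintenance cost David describes.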