Andy Sutton wrote:
> On Mon, 2007-08-27 at 12:59 -0700, Marc Perkel wrote:
> > I've not run into a single instance where a legit server only tried
> > the lowest MX. However, if I did there's a simple solution. If the
> > fake lowest MX points to an IP on the same server as the working MX
> > then you can use iptables to block port 25 on all IP addresses EXCEPT
> > for the one broken server. That would fix the problem.
> I think the question is how you would identify a FP occurred, short of a
> client screaming?

Clients screaming is the way the false positives are usually
identified. I'm filtering 1600 domains and I've been doing this for
almost a year and have yet to get a single report of a false positive.
And when I screw up I usually hear about it.

All I can say is - it works for me. If you want to try something safer
create some fake higher numbered MX records and return 421 errors on
them and you'll get rid of about 1/3 of your botnet spam. And you'll be
able to see in your logs how many hits you get.

The only way to determine if this works or not is to try it.
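
Added example, not part of the original message: a minimal listener for a fake higher-numbered MX that greets every connection with a 421 and counts hits per source IP, so the log shows how much traffic lands there. The hostname in the banner, port 2525 and the helper names are assumptions made for this sketch; a real deployment would listen on port 25 of the address the fake MX record points to.

```python
import asyncio
from collections import Counter

hits = Counter()  # connections seen per source IP

# Constructed banner; example.invalid is a placeholder hostname.
BANNER = b"421 mx-fake.example.invalid Service not available, try another MX\r\n"

async def handle(reader, writer):
    """Log the peer, send 421 as the SMTP greeting, and hang up."""
    peer = writer.get_extra_info("peername")[0]
    hits[peer] += 1
    print(f"fake-mx hit from {peer} (total from this IP: {hits[peer]})")
    # 421 is a temporary failure: a queueing MTA moves on to another MX
    # or retries later, and no mail is ever accepted here.
    writer.write(BANNER)
    await writer.drain()
    writer.close()

async def serve(host="127.0.0.1", port=2525):
    """Run the fake MX until interrupted."""
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()

async def probe(host, port):
    """Connect like a sending host would and return the greeting line."""
    reader, writer = await asyncio.open_connection(host, port)
    line = await reader.readline()
    writer.close()
    await writer.wait_closed()
    return line.decode()

async def self_check():
    """Start the listener on an ephemeral port and probe it once."""
    hits.clear()
    server = await asyncio.start_server(handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        banner = await probe("127.0.0.1", port)
    return banner, dict(hits)

def run_self_check():
    return asyncio.run(self_check())

if __name__ == "__main__":
    asyncio.run(serve())
```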