Marc Perkel wrote:
Let me clarify something about using bogus MX records. Let's assume
the following.
bogus0.domain.com - MX 10
real.domain.com - MX 20
backup.domain.com - MX 30
bogus1.domain.com - MX 40
bogus2.domain.com - MX 50
The hosts bogus1 and bogus2 are 100% safe and effective. The bogus IPs
can be dead on port 25 or can return 421 and let it retry. The 421
will let you log hits if you want to see it working.
The bogus on the low end is trickier. What you have to do there is
firewall off port 25 to almost everyone. You can't do a 421 error
because it breaks Qmail servers. Qmail won't retry higher numbered MX
records after seeing a 421 but will try if the port is closed.
But then you are adding a useless connection to every MTA out there. If
you want to avoid this, you need to whitelist legitimate MTAs (MTAs from
which you got ham or that you decided to whitelist before receiving mail
from) and this whitelist is to be used on the firewall (which may be
feasible/acceptable depending on what FW you use). Also, care is to be
taken for MTAs that send from pools with different IPs.
While this may be "usable", it's not something I would embark on without
a serious cost/benefit analysis...
Because there is occasionally some server doing something very weird,
you might have to open up port 25 to some specific IP that is running
something really dumb. I think I've had to do this only once or twice.
But once you open up port 25 to the problem user you solved the problem.
For the most part if you do an MX sandwich as above you'll get rid of
80% of your spam and not lose good email. If you are fearful of going
all the way then just do the higher numbered MX and leave the bottom
as is.
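The MX sandwich above, simulated as an added example (this is not code from the thread or from either poster). It parses a constructed zone fragment with the five MX records from the post, sorts them by preference as an MTA would, and walks the list for four kinds of sender. The sender behaviours are taken from the post as stated there and are assumptions of this script, not independently verified: a spam engine gives up after its first failed connection (one variant hits the lowest-numbered MX, the other goes straight to the highest-numbered "backup"); Qmail stops walking the MX list after a 421 but moves on when the port is closed; a compliant MTA moves on in both cases. A second host table shows what the post warns about: putting a 421 responder at the low end strands Qmail senders while a compliant MTA still gets through.

```python
"""Simulation of the "MX sandwich" from the thread (added example).

Hosts, MX preferences and sender behaviours are constructed to match the
post's description; nothing here contacts a real server.
"""

# Constructed zone fragment in the shape of the post's example.
ZONE = """
domain.com.   IN MX 10 bogus0.domain.com.
domain.com.   IN MX 20 real.domain.com.
domain.com.   IN MX 30 backup.domain.com.
domain.com.   IN MX 40 bogus1.domain.com.
domain.com.   IN MX 50 bogus2.domain.com.
"""

# How each host answers on port 25 (constructed):
#   "closed" - port firewalled or nothing listening (connection refused)
#   "421"    - accepts the TCP connection, greets with 421, closes
#   "accept" - a real MTA that takes the message
HOSTS_OK = {
    "bogus0.domain.com.": "closed",  # low end: must be closed, not 421
    "real.domain.com.": "accept",
    "backup.domain.com.": "accept",
    "bogus1.domain.com.": "421",     # high end: 421 is fine and logs hits
    "bogus2.domain.com.": "421",
}

# The configuration the post says breaks Qmail: 421 at the low end.
HOSTS_421_LOW = dict(HOSTS_OK, **{"bogus0.domain.com.": "421"})

SENDERS = ("compliant", "qmail", "spambot_low", "spambot_high")


def parse_mx(zone_text):
    """Return [(preference, host)] sorted lowest preference first."""
    records = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[1] == "IN" and parts[2] == "MX":
            records.append((int(parts[3]), parts[4]))
    return sorted(records)


def deliver(mx_list, hosts, sender_kind):
    """Simulate one delivery attempt by one kind of sender.

    Returns (outcome, hosts_tried) where outcome is "delivered",
    "deferred" (sender will retry later) or "dropped" (sender gave up).
    Behaviours are the post's claims, modelled as assumptions.
    """
    order = list(mx_list)
    if sender_kind == "spambot_low":
        order = order[:1]    # only ever tries the primary MX
    elif sender_kind == "spambot_high":
        order = order[-1:]   # goes straight to the highest-numbered MX
    tried = []
    for _pref, host in order:
        tried.append(host)
        answer = hosts[host]
        if answer == "accept":
            return "delivered", tried
        if sender_kind.startswith("spambot"):
            return "dropped", tried          # gives up on first failure
        if answer == "421" and sender_kind == "qmail":
            return "deferred", tried         # Qmail: no next MX after 421
        # closed port (any MTA) or 421 (compliant MTA): try the next MX
    return "deferred", tried


def run_scenario(hosts):
    """Outcome for every sender kind against one host table."""
    mx_list = parse_mx(ZONE)
    return {kind: deliver(mx_list, hosts, kind)[0] for kind in SENDERS}


if __name__ == "__main__":
    for label, hosts in (("sandwich as posted", HOSTS_OK),
                         ("421 at the low end", HOSTS_421_LOW)):
        print(label)
        for kind, outcome in run_scenario(hosts).items():
            print(f"  {kind:13s} -> {outcome}")
```

Running it prints that all four senders hit the expected outcome with the sandwich as posted (both spam variants dropped, both real MTAs delivered), and that the 421-at-the-low-end table defers the Qmail sender while the compliant one still delivers via real.domain.com, which is the distinction the post draws between a closed port and a 421 at MX 10.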