Is anyone else seeing this?

mikea mikea at MIKEA.ATH.CX
Mon May 19 21:56:35 IST 2003


On Mon, May 19, 2003 at 09:39:10PM +0100, Julian Field wrote:
> At 21:30 19/05/2003, you wrote:
> >I've noticed that a lot of the Fizzer / Palyh viruses coming into our
> >site seem to be arriving via our secondary /tertiary MX.  I'm not overly
> >worried - only about 2% of my total mail is coming in that way (and I
> >know a lot of spam takes that route) - but most of the Fizzer / Palyh
> >viruses do.  Is it just me?
>
> It's a standard spammers' trick. Target your lowest priority MX with spam in
> the hope that it won't be as well set up as your primary MX. Quite often
> the lowest MX is run by your ISP and will relay just about anything for any
> of their customers. Always take care that your lowest MX is as tight as
> your highest MX.

One trick I've seen recommended in a couple of the sysadmin-oriented
lists I'm on is to have your primary MX as your lowest-priority
MX as well:

example.com.            IN      MX      1       foo.example.com.
example.com.            IN      MX      10      bar.example.com.
example.com.            IN      MX      99      foo.example.com.

or some such.

That way, the ratware winds up using your primary MX, no matter which
end of the MX list it picks from. This is good until the ratware
writers start writing code to pick randomly or from the middle of the
MX list.

--
Mike Andrews
mikea at mikea.ath.cx
Tired old sysadmin since 1964
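
An added example, not part of the original post: a Python check that parses an MX record set and reports which host a sender reaches from either end of the list, and which hosts stay reachable to senders that pick randomly or from the middle. The zone text is constructed from the post's example names, and `parse_mx` and `audit_mx` are hypothetical helper names.

```python
# Added example: audit an MX RRset for the "primary is also the last MX" layout.
import re

# Constructed sample zone lines (owner, class, type, preference, exchange).
SAMPLE_ZONE = """\
example.com.   IN  MX  1   foo.example.com.
example.com.   IN  MX  10  bar.example.com.
example.com.   IN  MX  99  foo.example.com.
"""

# Matches "owner [ttl] [IN] MX preference exchange".
MX_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$",
    re.IGNORECASE,
)

def parse_mx(zone_text, domain):
    """Return [(preference, exchange)] for `domain`, sorted best-first."""
    want = domain.lower().rstrip(".")
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        m = MX_LINE.match(line)
        if m and m.group("owner").lower().rstrip(".") == want:
            records.append((int(m.group("pref")), m.group("host").lower().rstrip(".")))
    return sorted(records)

def audit_mx(zone_text, domain):
    """Report which host a sender reaches when it picks each end of the list."""
    records = parse_mx(zone_text, domain)
    if not records:
        raise ValueError(f"no MX records found for {domain}")
    primary = records[0][1]   # lowest preference number = tried first
    last = records[-1][1]     # highest preference number = last resort
    # Hosts other than the primary stay reachable by senders that pick
    # randomly or from the middle, so they need the same filtering.
    others = sorted({host for _, host in records if host != primary})
    return {
        "primary": primary,
        "last_resort": last,
        "ends_covered": last == primary,
        "still_exposed": others,
    }

if __name__ == "__main__":
    print(audit_mx(SAMPLE_ZONE, "example.com"))
```

Any host listed under `still_exposed` needs the same filtering as the primary, since it remains a valid delivery target.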


