preventing backscatter at the source
Julian Field
MailScanner at ecs.soton.ac.uk
Sat Mar 29 15:29:47 GMT 2008
Steve Freegard wrote:
> Mark Nienberg wrote:
>> Interesting. A lot of spammers seem to send deliberately to
>> secondary or tertiary MXs instead of the primary even when the primary
>> is up and running, in the hope that it will not be as well protected.
>
> Yes - been doing that for years now. It's a real pain if you use
> DNSBLs on the primary and the ISP secondary doesn't use any as the
> secondary then becomes the source of all your spam which you can't
> then reject via DNSBLs as the connecting IP is the secondary.
I believe that SpamAssassin will check all the Received: headers, not
just the IP address of the box that started the SMTP connection to your
MX. But you can't do it in "Spam List =" settings.
>
> I don't advocate backup MXes at all any more, you might as well just
> add another equal MX and configure it in the same way as the primary
> and have it forward messages directly to the mail store.
I have 1 use for a backup MX (or 2 MXs in my case). Unless your primary
MXs are *all* down, your backup MX should only receive spam (99% true).
So it doesn't matter too much if your backup MXs cannot quite keep up
with mail during the working day, as most people don't care much exactly
what time their spam is deleted for them. So if some of your mail
servers are old and relatively slow, setting them to be high-cost backup
MXs is quite a good use for them. I have 2 MX records, one pointing to
mx.mydomain.com and one pointing to backup-mx.mydomain.com. The
mx.mydomain.com has 4 A records for it, which are roughly equal
machines, nice and fast. The backup-mx.mydomain.com has 2 A records for
it, which are roughly equal machines, but old and fairly slow.
This means that all the machines are working quite hard for their supper,
but you don't get some of your real (wanted) incoming mail being held up
for an hour just because it randomly happened to hit an old slow MX server.
The interesting bits of a "dig ecs.soton.ac.uk MX" produces this:
;; ANSWER SECTION:
ecs.soton.ac.uk. 3600 IN MX 5 mx.ecs.soton.ac.uk.
ecs.soton.ac.uk. 3600 IN MX 10 mxbackup.ecs.soton.ac.uk.
;; ADDITIONAL SECTION:
mx.ecs.soton.ac.uk. 3600 IN A 152.78.71.14
mx.ecs.soton.ac.uk. 3600 IN A 152.78.71.210
mx.ecs.soton.ac.uk. 3600 IN A 152.78.68.132
mx.ecs.soton.ac.uk. 3600 IN A 152.78.68.137
mx.ecs.soton.ac.uk. 3600 IN AAAA 2001:630:d0:f102:21e:c9ff:fe2b:9b4c
mx.ecs.soton.ac.uk. 3600 IN AAAA 2001:630:d0:f110:21a:a0ff:fe16:2a9e
mx.ecs.soton.ac.uk. 3600 IN AAAA 2001:630:d0:f110:21e:c9ff:fe2b:a7d5
mx.ecs.soton.ac.uk. 3600 IN AAAA 2001:630:d0:f102:21a:a0ff:fe14:ab9d
mxbackup.ecs.soton.ac.uk. 3600 IN A 152.78.71.84
mxbackup.ecs.soton.ac.uk. 3600 IN A 152.78.68.178
And yes, I know there currently aren't any IPv6 mxbackup machines :-)
Jules
--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
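The point made above about DNSBLs and backup MXs, as an added worked example that is not from the post, MailScanner or SpamAssassin: when spam arrives via the backup MX, the IP that connects to the primary is your own backup relay, so a connection-time DNSBL check (MailScanner's "Spam List =") sees nothing useful. Walking the Received: headers back to the first hop outside your trust boundary recovers the real sender, which is then what you query the DNSBL for. The trusted prefixes (taken loosely from the dig output), the placeholder zone dnsbl.example, the stubbed DNSBL answers and the sample headers are all constructed assumptions for this example; real deployments use SpamAssassin's own trusted_networks/internal_networks logic and a production list.

```python
"""Find the first untrusted relay in Received: headers and build the DNSBL
query name for it.  Added example with constructed data, not project code."""
import re
from ipaddress import ip_address, ip_network

# Assumed trust boundary: the MX ranges suggested by the dig output in the
# post (the /24 prefixes are an assumption) plus RFC 1918 and loopback space
# for internal hops.  Private ranges are listed explicitly rather than via
# ip_address().is_private, because that also covers the 203.0.113.0/24
# documentation block used for the sample sender below.
TRUSTED_NETWORKS = [ip_network(n) for n in (
    "152.78.68.0/24", "152.78.71.0/24",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]

# Placeholder DNSBL zone (assumption); a real list would go here.
DNSBL_ZONE = "dnsbl.example"

# Constructed stub of DNSBL answers: the spam source is listed, the
# backup MX is not.  Keys are query names, values the returned A record.
STUB_DNSBL = {"57.113.0.203.dnsbl.example": "127.0.0.2"}

# Constructed headers: spam accepted by the backup MX, then relayed to the
# primary.  The hop that connected to mx.ecs.soton.ac.uk is the backup MX.
SAMPLE_HEADERS = (
    "Received: from mxbackup.ecs.soton.ac.uk (mxbackup.ecs.soton.ac.uk [152.78.71.84])\n"
    "\tby mx.ecs.soton.ac.uk (Postfix) with ESMTP id 4F2A1\n"
    "\tfor <user@ecs.soton.ac.uk>; Sat, 29 Mar 2008 15:10:02 +0000\n"
    "Received: from spammer.example (unknown [203.0.113.57])\n"
    "\tby mxbackup.ecs.soton.ac.uk (Postfix) with SMTP id 9C0B7\n"
    "\tfor <user@ecs.soton.ac.uk>; Sat, 29 Mar 2008 15:09:58 +0000\n"
    "Received: from [10.0.0.5] (helo=pc) by spammer.example with esmtp\n"
    "Subject: buy now\n"
)

_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines into single header strings."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def received_ips(raw):
    """Bracketed relay IPs from each Received: header, newest hop first."""
    ips = []
    for h in unfold_headers(raw):
        if not h.lower().startswith("received:"):
            continue
        m = _IP_RE.search(h)
        if m:
            try:
                ips.append(str(ip_address(m.group(1))))
            except ValueError:
                continue  # malformed literal; ignore rather than crash
    return ips


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def first_untrusted_relay(raw):
    """Walk inward from the newest hop; the first address outside the trust
    boundary is the one that really handed us the message.  Every header
    below it was written by that party and is not used for reputation."""
    for ip in received_ips(raw):
        if not is_trusted(ip):
            return ip
    return None  # purely internal mail


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """IPv4: reversed dotted quad; IPv6: reversed nibbles; both under zone."""
    addr = ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def dnsbl_listed(ip, lookup=STUB_DNSBL.get):
    """True if the (stubbed) DNSBL returns an A record for the query name."""
    return lookup(dnsbl_query_name(ip)) is not None


if __name__ == "__main__":
    connecting = received_ips(SAMPLE_HEADERS)[0]
    origin = first_untrusted_relay(SAMPLE_HEADERS)
    print("connecting IP:", connecting, "listed:", dnsbl_listed(connecting))
    print("origin IP:    ", origin, "listed:", dnsbl_listed(origin))
```

Run as-is, the connecting IP (the backup MX) is not listed while the recovered origin is, which is exactly why the Received: walk finds spam that a connection-time list lookup on the primary cannot. The walk must stop at the first untrusted hop: the [10.0.0.5] header beneath it was written by the spammer's own machine and proves nothing.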