Re: Poisoned MX is a bad idea [Was: Email forwarding and RBL trouble]
David B Funk wrote:
> On Mon, 27 Aug 2007, Marc Perkel wrote:
>
>> David B Funk wrote:
>>
>>> On Sun, 26 Aug 2007, Marc Perkel wrote:
>>>
>>>> If you have one MX and you create a fake low MX and a fake high MX (or
>>>> many fake high MX) about 75% to 95% of your spam goes away. It's that
>>>> simple.
>>>>
>>> How do you deal with the false-positives, legit servers that are blocked
>>> by this configuration?
>>>
>> There aren't any false positives. That's what is so great about this trick.
>>
>
> I guess I didn't make my question clear enough;
> How do you deal with mail from legit servers that are blocked by this
> configuration?
> (i.e. servers that for whatever reason will ONLY try the first MX, thus
> failing to get past your fake MX.)
>
> I ask this because a few years ago I had a mail setup that produced
> something functionally equivalent (first MX had an ipfilter that returned
> a tcp-reset for a large IP block to force them to fall back to my
> secondary MXs to reduce load on the first).
> Some of our users complained about missing messages from a local city
> government office. Turns out that their server (which was OK) was routing
> thru an 'intelligent' firewall and the brain-damaged firewall was only
> letting the mail send out to the first MX of the destination address.
>
> The mail server people had a legit configuration, it was the hardware
> deployed by their network people which was the cause of the problem
> and they were not willing to turn off their firewall. Their attitude
> was "it works for everybody else, so your system must be broken".
>
> Maybe -you- can tell your customers "Tough, I won't let you get mail from
> senders with broken configurations" but when one of our departmental
> execs calls and says "I'm not getting mail from government office Y"
> my saying "Tough" is -not- an option. ;(
>
> I could (in my massive amounts of spare time) keep poking more holes
> in the filter to pass messages from brain-damaged systems, but just
> finding them in the first place is a headache.
>
I've not run into a single instance where a legit server only tried the
lowest MX. However, if I did, there's a simple solution. If the fake
lowest MX points to an IP on the same server as the working MX then you
can use iptables to block port 25 on all IP addresses EXCEPT for the one
broken server. That would fix the problem.
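The MX fallback behaviour this exchange turns on, and the per-source-IP exception Marc suggests for the fake lowest MX, as an added Python model (not code from the thread or the list); the zone, addresses and sender behaviours below are constructed assumptions.

```python
# Added model of the "poisoned MX" setup discussed in this thread (not code from
# the thread). Host names and addresses below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class MX:
    preference: int   # lower value = tried first (RFC 5321)
    host: str
    ip: str


# Constructed zone: fake lowest MX, the real relay, and a fake highest MX.
ZONE: List[MX] = [
    MX(10, "mx0.example.test", "192.0.2.10"),  # fake: port 25 closed by the firewall
    MX(20, "mx1.example.test", "192.0.2.20"),  # the real, working MX
    MX(90, "mx9.example.test", "192.0.2.90"),  # fake: nothing listens here
]


@dataclass
class Firewall:
    """Port-25 policy per destination IP, standing in for iptables on the host
    that owns both the fake-low and the real MX addresses."""
    closed_ips: Set[str]
    exceptions: Set[str] = field(default_factory=set)  # sender IPs let through

    def accepts(self, dst_ip: str, src_ip: str) -> bool:
        return dst_ip not in self.closed_ips or src_ip in self.exceptions


def compliant_sender(zone: List[MX], fw: Firewall, src_ip: str) -> Optional[str]:
    """Sender that tries MX hosts in preference order until one accepts."""
    for mx in sorted(zone, key=lambda m: m.preference):
        if fw.accepts(mx.ip, src_ip):
            return mx.host
    return None


def first_only_sender(zone: List[MX], fw: Firewall, src_ip: str) -> Optional[str]:
    """Sender (or an in-path firewall) that only ever tries the lowest MX:
    the false-positive case raised in the thread."""
    mx = min(zone, key=lambda m: m.preference)
    return mx.host if fw.accepts(mx.ip, src_ip) else None


def deliver(sender: Callable[..., Optional[str]], src_ip: str,
            allow: Set[str] = frozenset()) -> Optional[str]:
    """Which host receives the message, with the fake MX IPs closed except to `allow`."""
    fw = Firewall(closed_ips={"192.0.2.10", "192.0.2.90"}, exceptions=set(allow))
    return sender(ZONE, fw, src_ip)
```

Because the fake lowest MX shares a host with the real one, letting a single broken sender through to 192.0.2.10 delivers its mail while every other source still has to fall back to mx1.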
Received on Mon Aug 27 16:00:27 2007
This archive was generated by hypermail 2.1.8: Thu Oct 25 2007 - 23:22:25 EDT