
Re: Poisoned MX is a bad idea [Was: Email forwarding and RBL trouble]

From: Marc Perkel <marc(at)perkel.com>
Date: Mon Aug 27 2007 - 17:46:52 EDT

Andy Sutton wrote:
> On Mon, 2007-08-27 at 12:59 -0700, Marc Perkel wrote:
>
>> I've not run into a single instance where a legit server only tried
>> the lowest MX. However, if I did there's a simple solution. If the
>> fake lowest MX points to an IP on the same server as the working MX
>> then you can use iptables to block port 25 on all IP addresses EXCEPT
>> for the one broken server. That would fix the problem.
>>
>
> I think the question is how you would identify a FP occurred, short of a
> client screaming?
>

Clients screaming is the way the false positives are usually identified. I'm filtering 1600 domains and I've been doing this for almost a year and have yet to get a single report of a false positive. And when I screw up I usually hear about it.

All I can say is - it works for me. If you want to try something safer, create some fake higher numbered MX records and return 421 errors on them and you'll get rid of about 1/3 of your botnet spam. And you'll be able to see in your logs how many hits you get.

The only way to determine if this works or not is to try it.

Received on Mon Aug 27 17:47:53 2007
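The safer variant described in the message above (a fake higher-numbered MX that answers 421 and logs each hit), sketched as an added example that is not part of the original post. The class name `Fake421MX`, the reply text and the loopback demo port are assumptions; a real deployment would bind port 25 on the IP the fake MX record points to.

```python
import asyncio
from collections import Counter

# Constructed reply text; 421 is the SMTP transient "service not available" code.
BANNER = b"421 4.3.2 Service not available, try another MX\r\n"

class Fake421MX:
    """Listener for the IP behind a fake high-numbered MX record (hypothetical name)."""

    def __init__(self):
        self.hits = Counter()   # connection count per client IP
        self.server = None

    async def _handle(self, reader, writer):
        peer = writer.get_extra_info("peername")[0]
        self.hits[peer] += 1    # this counter is the "hits in your logs" figure
        print(f"fake-mx hit from {peer} (total {self.hits[peer]})")
        writer.write(BANNER)    # refuse before any SMTP dialogue takes place
        await writer.drain()
        writer.close()

    async def start(self, host="127.0.0.1", port=0):
        # port=0 lets the OS pick a free port for the demo (assumption)
        self.server = await asyncio.start_server(self._handle, host, port)
        return self.server.sockets[0].getsockname()[1]

    def stop(self):
        self.server.close()

async def demo(connections=3):
    """Connect a few times as a test client; return (replies, hit counts)."""
    mx = Fake421MX()
    port = await mx.start()
    replies = []
    for _ in range(connections):
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        replies.append(await reader.readline())   # first line the sender sees
        writer.close()
    mx.stop()
    return replies, dict(mx.hits)

def run_demo(connections=3):
    return asyncio.run(demo(connections))

if __name__ == "__main__":
    print(run_demo())
```

A sender that honours the transient 421 falls back to the working MX, so comparing these per-IP hit counts against deliveries on the real MX shows which clients never retry.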

This archive was generated by hypermail 2.1.8 : Fri Oct 26 2007 - 00:52:14 EDT

