
Re: Possible SPAM mitigation trick

Jorey Bump, Nov 22, 2005
Nathanael Hoyle wrote:

> For now, I have gone with a somewhat different approach. I actually
> have the primary MX listed as an IP that is a network boundary (and
> therefore flatly unusable). The advantage I see is that the connect
> attempt will fail notably faster than it would if it had to time out,
> which reduces the burden on legitimate hosts, but is still just as
> undeliverable, keeping the desired effect. I will post with further
> results as I have the opportunity to observe them.

I'm using a host that has no A record (NXDOMAIN) as the dead primary in
some of my configurations. While it applies less of a penalty, it isn't
RFC-compliant, so I'm not strongly recommending it:

RFC 2181, 10.3. MX and NS records:

    This domain name must have as its value one or more address records.

It's conceivable that someone would filter on this criterion (although I
think it would be misguided, as long as there was a valid MX in the
list). Many people filter on the presence of bogons, so avoid using
these at all costs. Network boundary addresses come dangerously close to
being easily identified as invalid, so be cautious with this approach.

Wietse offered this advice in an earlier exchange:

"If you're concerned about listing a primary MX record without valid
A record, you could instead supply an IP address that immediately
returns a TCP RESET. This could be done with a packet filter rule,
or by giving a machine a second external IP address without an SMTP
listener on it."

Using a packet filter offers the opportunity for logging.
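The logging opportunity Jorey mentions is what lets you observe the results Nathanael is after. The script below is an added example, not code from this thread: it assumes the packet-filter rule for the dead primary MX logs with the prefix "DEADMX:" (iptables LOG style) and that the real MX runs Postfix, then separates senders that fell through to the real MX (normal RFC retry behaviour) from senders that only ever hit the dead primary. The log lines are constructed and abridged.

```python
import re
from collections import defaultdict

# Constructed, abridged sample log lines (not from the original thread).
# Lines 1-3: packet-filter LOG entries for SYNs to the dead primary MX
# (192.0.2.25 is an assumed second external address with no SMTP listener).
# Lines 4-5: Postfix smtpd "connect from" entries on the real MX.
SAMPLE_LOG = """\
Nov 22 10:01:02 gw kernel: DEADMX: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.25 PROTO=TCP SPT=40001 DPT=25 SYN
Nov 22 10:01:03 gw kernel: DEADMX: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.25 PROTO=TCP SPT=51234 DPT=25 SYN
Nov 22 10:01:09 gw kernel: DEADMX: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.25 PROTO=TCP SPT=51240 DPT=25 SYN
Nov 22 10:01:10 mx postfix/smtpd[2211]: connect from mail.example.net[203.0.113.5]
Nov 22 10:05:30 mx postfix/smtpd[2215]: connect from unknown[192.0.2.99]
"""

# "DEADMX:" is the assumed --log-prefix of the packet-filter rule on port 25.
DEADMX_RE = re.compile(r"DEADMX: .*?SRC=(\S+) .*?DPT=25")
# Standard Postfix smtpd connect line: "connect from hostname[address]".
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[([0-9a-fA-F.:]+)\]")


def summarize(log_text):
    """Return (dead_mx_hits, real_mx_hits): dicts of source IP -> connection count."""
    dead = defaultdict(int)
    real = defaultdict(int)
    for line in log_text.splitlines():
        m = DEADMX_RE.search(line)
        if m:
            dead[m.group(1)] += 1
            continue
        m = SMTPD_RE.search(line)
        if m:
            real[m.group(1)] += 1
    return dict(dead), dict(real)


def classify(dead, real):
    """Split dead-MX sources into those that retried the real MX and those that gave up.

    A compliant MTA that is reset by the primary moves on to the next MX, so it
    appears in both logs; a sender seen only at the dead primary never retried."""
    retried = sorted(ip for ip in dead if ip in real)
    gave_up = sorted(ip for ip in dead if ip not in real)
    return retried, gave_up


if __name__ == "__main__":
    dead_hits, real_hits = summarize(SAMPLE_LOG)
    retried, gave_up = classify(dead_hits, real_hits)
    print("fell through to the real MX:", retried)
    print("only hit the dead primary:  ", gave_up)
```

Run it against the merged syslog of the gateway and the MX; the "gave up" list is the population the dead primary actually deflected.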