spf-discuss

Re: MX secondary problem?

2004-07-14 06:31:05
In <F1A11038-D556-11D8-896F-000393A56BB6(_at_)glyphic(_dot_)com> Mark Lentczner 
<markl(_at_)glyphic(_dot_)com> writes:

Yes, you are right.  Mail secondaries are only effective if all of
your mail servers, primaries and secondaries, all implement the same
policies regarding incoming mail.  Then you can trust what comes from
them.  If they have different policies (spam checks for example) then
you are only as safe as your weakest one.

I agree with everything Mark said here, but I'll add a story about a
friend of mine who had a secondary MX that *didn't* have identical
policies.

Earlier this year, some spammer decided to do a dictionary attack
against my friend's domain.  All the email directed to the primary MX
was rejected with "user not found" messages, but all the email
directed to the secondary MX was accepted, then forwarded to the
primary, where it bounced.  (Of course, it bounced to random third
parties.  *sigh*)

The initial problem that this dictionary attack caused was the backlog
of messages being sent.  The spammer got through names from 'a' to 'd'
before my friend was able to shut down the secondary MX.

Well, you guessed it, my friend now gets several thousand attempts per
day to deliver email to invalid addresses, most of them with user names
in the range of 'a' through 'd'.  Yes, the spammer is stupid to
continue to try the same names that get rejected every day, but there
is nothing my friend can do about it.


I have run without a secondary MX since the late 90s.  I had warned my
friend several times about the dangers of using a secondary MX that
didn't have identical policies.  I told him to go visit
http://www.striker.ottawa.on.ca/ and learn what can happen when, for
some reason, a spammer thinks that a dictionary attack succeeded.


So, now my friend has to listen to me telling him "I TOLD YOU SO", but
worse, I colocate his primary MX on my network, so he feels guilty
about all the bandwidth this is costing me.  (Ok, it really isn't that
much, SMTP rejections happen pretty quickly, but still.)


Ok, now everyone here has been warned.

-wayne
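
The policy mismatch described in this message (primary rejects unknown users during the SMTP session, secondary accepts and bounces later) can be checked for on your own MX hosts. The following is an added example, not part of the original post: the host names, the `example.org` domain and the reply codes in the demo are constructed, and the MX list is assumed to be supplied by the operator.

```python
import smtplib
import uuid

def probe_mx(host, domain, timeout=10):
    """Return the SMTP reply code one MX gives to RCPT TO for a mailbox
    that cannot exist (random local part). Run against your own hosts."""
    bogus = f"parity-check-{uuid.uuid4().hex}@{domain}"
    with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        smtp.mail(f"postmaster@{domain}")
        code, _ = smtp.rcpt(bogus)
        smtp.rset()  # abandon the transaction; no message is sent
    return code

def classify(code):
    if 200 <= code < 300:
        return "accepts"   # will queue, forward, and bounce later
    if 500 <= code < 600:
        return "rejects"   # refuses during the SMTP session
    return "defers"        # 4xx: greylisting or temporary failure

def audit(mx_hosts, domain, probe=probe_mx):
    """Probe every MX; return (verdicts, accepting_hosts, consistent)."""
    verdicts = {}
    for host in mx_hosts:
        try:
            verdicts[host] = classify(probe(host, domain))
        except OSError as exc:  # smtplib errors subclass OSError
            verdicts[host] = "error: " + type(exc).__name__
    accepting = sorted(h for h, v in verdicts.items() if v == "accepts")
    consistent = len(set(verdicts.values())) == 1
    return verdicts, accepting, consistent

if __name__ == "__main__":
    # Constructed reply codes standing in for live probes, so the demo
    # runs offline: the primary rejects, the secondary accepts.
    sample = {"mx1.example.org": 550, "mx2.example.org": 250}
    verdicts, accepting, consistent = audit(
        sample, "example.org", probe=lambda host, domain: sample[host])
    for host, verdict in verdicts.items():
        print(f"{host}: {verdict}")
    if accepting:
        print("accepts unknown recipients:", ", ".join(accepting))
    print("policies consistent:", consistent)
```

A domain with a deliberate catch-all mailbox will show every MX as "accepts"; the result that matters is a host that accepts while another rejects.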




