Re: Only 1 MX record?
- From: "Steve Foster [SBS MVP]" <steve.foster@xxxxxxxxxxxxx>
- Date: Wed, 19 Dec 2007 04:12:36 -0800
Russ (SBITS.Biz) wrote:
> I know I'm going to get Flamed by this post
> But I really don't get it, I must be dumb?
> People keep posting that backup records are a magnet to spammers.
> And you WILL get more Spam if you have one.
> But IMO this would assume that you only use RBL's for your SPAM filters
No, it does not.
The reasoning is simple: secondary mail servers do not generally get the same level of administrative attention as primary servers. Therefore they have fewer anti-spam measures in place, and those that are are not as well-managed nor as comprehensive. Often, secondary servers are run by ISPs (and we all know what that means!).
Additionally, primary servers usually have to miss out some anti-spam measures for mail that arrives from a secondary server (principally RBLs and SPF) as it's simply too late for them to be useful (RBL checking your secondary server is completely pointless!).
> If RBL is your only Line of Defence for Spamming
> Then yes, I'd agree that a Secondary Backup MX record can be abused
> however?
> I use IMF and Trend for spam,
> In addition to RBL's
> I notice No more spam than if I have MX records or no MX records.
> I've tested this, turning off for a month and turning back on.
> Can Someone explain how a Spammer can use a Backup MX record to bypass my Trend Anti Spam and IMF filter?
They principally rely on you screwing up. The secondary benefit for them is that even if you don't, you probably produce some backscatter as a side-effect (in the form of NDRs to non-existent senders).
Anti-spam measures such as SPF and RBLs work best when they can be done during the SMTP conversation. This is because you get to conserve bandwidth by dumping connections from bad guys without actual message transmission. Additionally, for genuine senders who happen to fall foul of excessively zealous RBLs or misconfigurations, they get normal rejection NDRs (from their own server(s) ).
If you apply SPF/RBL checks *after* message receipt, all you can safely do is dump the bad message and not send an NDR. This is ok for spam, but causes problems with false positives (you don't see the message, the sender doesn't get an NDR). Ideally, this scenario should use quarantining of messages rather than dumping them, but that adds to administrative/user load, and is therefore less than 100% reliable.
Other measures that look at the message content (AV checks, phishing site checks, bayesian analysis, etc) tend to be applied after the message has been accepted for delivery, and these have no problems examining and dealing with messages that are relayed through secondary servers. This is where the 3rd-party anti-malware tools (such as Trend in your example) normally get to work with messages.
Then there's directory attack email. Exchange (in line with many other mail servers) can restrict incoming mail to only known recipients at the SMTP level (and you can tarpit to protect against harvesting). But secondary servers are unlikely to be able to get at the directory to validate incoming addresses, and therefore must accept mail for all possible addresses. You may have an option to configure the secondary with a directory list, but that's again an increased administrative load (every time you manipulate your user list, you'll need to update the secondary).
Then we get to the big problem with this - if the primary is filtering by recipient at the SMTP level, and the secondary is not, the secondary server is (possibly) going to get tarpitted by the primary.
> Because I really don't see it?
So we see.
> And how this GUARANTEES MORE SPAM?
No-one said "guarantee".
> I'd really like this settled, I'm willing to learn the truth about this, but I'd rather have mail get delivered than not delivered.
It's primarily a case of really understanding how email works, in all its (near) infinite majesty, where (and what) the gaping holes in the design are, and how bad guys might exploit them.
The closest to 100% delivery you can get is: a) multiple MX servers, and b) no anti-spam measures of any kind. Those are about the only ways to be sure that any given message is delivered successfully.
--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
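Added example, not part of the thread: a small Python model of the two failure modes Steve describes (an RBL check that can only see the secondary's IP once mail is relayed, and an unknown-recipient rejection that turns into backscatter because the secondary already accepted the message), plus the "synced directory" variant he mentions as the administratively heavier fix. All hosts, IPs and addresses are constructed.

```python
"""Model of the two-MX problem discussed above. Constructed example:
every host, IP and address here is made up."""
from dataclasses import dataclass

RBL = {"203.0.113.7"}                    # constructed blocklist entry
KNOWN_RECIPIENTS = {"russ@example.com"}  # directory only the primary can see
SECONDARY_IP = "198.51.100.9"            # the backup MX's own address


@dataclass
class Envelope:
    sender: str
    recipient: str
    client_ip: str  # host that opened the SMTP connection to us


def primary_mx(env: Envelope) -> str:
    """Primary: RBL and recipient checks run inside the SMTP session, so a
    refusal costs no bandwidth and any NDR is the sending server's job."""
    if env.client_ip in RBL:
        return "550 in-session: client listed in RBL"
    if env.recipient not in KNOWN_RECIPIENTS:
        return "550 in-session: unknown recipient"
    return "250 delivered"


def secondary_mx(env: Envelope) -> str:
    """Unmanaged backup MX: no RBL, no directory access, so it accepts for
    any address and relays to the primary from its own IP.  The primary's
    RBL check now sees the secondary, not the original client, and a
    rejected recipient can only become a bounce to the (often forged) sender."""
    relayed = Envelope(env.sender, env.recipient, SECONDARY_IP)
    result = primary_mx(relayed)
    if result.startswith("550"):
        return f"backscatter NDR to {env.sender}: {result}"
    return result


def synced_secondary_mx(env: Envelope, synced_recipients: set) -> str:
    """Backup MX given the RBL and a copy of the recipient list (the extra
    administrative load Steve mentions): both checks move back in-session."""
    if env.client_ip in RBL:
        return "550 in-session: client listed in RBL"
    if env.recipient not in synced_recipients:
        return "550 in-session: unknown recipient"
    return secondary_mx(env)
```

Running the same listed-IP message through `primary_mx` and `secondary_mx` shows the RBL refusal disappearing once the mail is relayed; the unknown-recipient case shows where the backscatter comes from.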