David Woodhouse (dwmw2@???) said, in message
<1084786975.6607.6.camel@???>:
>
> On Sun, 2004-05-16 at 15:45 -0400, Stephen Gran wrote:
> > On Sun, May 16, 2004 at 09:39:32PM +0200, Raymond Dijkxhoorn said:
> > > Hi!
> > >
> > > What if your primary is unreachable for the sending host due to
> > > routing issues? You wanna drop those also ? I mean, its not ALL spam
> > > thats going to higher priority MXes...
> >
> > Not drop - defer. If I can reach the primary, and they can't, then
> > there is probably some transient routing problems between the two hosts.
>
> It's not necessarily transient. A lot of machines have permanent
> problems reaching hosts such as zeniiib.uk.linux.org with a .255 in the
> last octet of the IP address. And most of the Internet seems incapable
> of reaching the primary MX host for infradead.org too. :)
All this discussion has got me thinking of "yet another bad idea (tm)". What
if I were to run a secondary MX on an IP alias on one of my primary servers.
All mail attempted to this IP would be deferred at RCPT time (I should
mention that aber.ac.uk doesn't have a secondary mx at all at the moment).
Lots of people seem to say that spammers hit the secondary rather than the
primary on the basis that the checks are less stringent there. If I defer
that stuff, nobody gets hurt, but some of my spam might go away. The primary
should always be reachable when the secondary is (after all, it's the same
exim process that's handling it all) so no legitimate stuff should ever go
there. If it did, the temporary deferral should cause it to try the primary
again. So all I'm doing is blocking "secondary mx spam".
Better still, if I remembered the IPs that tried the secondary first, I
could feed that information into my spam scanning on the primaries - give
them a few spamassassin points or delay them or something.
So... what's the catch? I can't think of any...
Cheers,
Alun.
--
Alun Jones auj@???
Systems Support, (01970) 62 2494
Information Services,
University of Wales, Aberystwyth
