Re: [exim] Defer as a spam filter

Author: Paul Dekkers
Date:  
To: Marc Perkel
CC: Exim-Users (E-mail), Mark Nipper, Tom Kistner, Carl Inglis
Subject: Re: [exim] Defer as a spam filter
Marc Perkel wrote:

> Sort of a greylisting type trick. I define my highest MX record to
> point to an IP address that returns defer on everything. Many spammers
> hit the highest IP address first and never return. That gets rid of a
> ton of bad traffic. You can also have your highest MX point to a dead
> IP address. The only difference is if you want to see a count in your
> logs or not. And this trick is totally pain free.


We're currently using/testing this, but not with our regular
("important") domain since I believe that it is allowed to try the
highest MX (after failing with the others for instance) and stick to
that one on further attempts. Although effective, I'm afraid we could
lose mail from certain MTAs that behave this way.

One way this might work is by putting MTAs on a (temporary?) blacklist
or enable greylisting for them if someone tries the lowest MX before
the highest priority one (if that one is tried at all). If the IP is on
the same box, this shouldn't happen.
At this moment we're just sending a tcp-reset back so that clients don't
time out and we log this in our firewall. It would be interesting (and
possible with exim) to try the second-IP and defer (and maybe
blacklist/enable greylist for the highest prio MX) instead of second-IP
and just reset like we do now...

Paul

P.S. Eventually spammers will know we do this of course, like they found
out that lower prio MX-es are often less protected.
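
As an added illustration of the idea discussed in this message (not code from the thread or from Exim), the sketch below sorts clients that reached the always-defer MX into those that tried the real MX shortly before and those that did not. The IP addresses, the 30-minute window, and the three-field log format are assumptions made for the example; the sample lines are constructed.

```python
from datetime import datetime, timedelta

PRIMARY_IP = "192.0.2.10"       # assumed: interface behind the real MX
DECOY_IP = "192.0.2.25"         # assumed: interface behind the always-defer MX
WINDOW = timedelta(minutes=30)  # assumed: how recent a real-MX attempt must be

# Constructed sample: "<ISO timestamp> <client IP> <local IP connected to>"
SAMPLE_LOG = """\
2005-03-01T10:00:00 198.51.100.7 192.0.2.25
2005-03-01T10:00:05 203.0.113.4 192.0.2.10
2005-03-01T10:00:09 203.0.113.4 192.0.2.25
2005-03-01T10:02:00 198.51.100.9 192.0.2.10
2005-03-01T11:30:00 198.51.100.9 192.0.2.25
2005-03-01T11:45:00 198.51.100.7 192.0.2.10
"""

def parse(log_text):
    """Yield (time, client, local_ip) per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def classify(log_text):
    """Map each client that hit the decoy MX to 'fallback' or 'decoy-first'."""
    last_primary = {}  # client -> time of its latest connection to the real MX
    verdict = {}
    for when, client, local_ip in sorted(parse(log_text)):
        if local_ip == PRIMARY_IP:
            last_primary[client] = when
        elif local_ip == DECOY_IP:
            seen = last_primary.get(client)
            recent = seen is not None and when - seen <= WINDOW
            # One decoy-first hit keeps the client flagged for the whole log.
            if verdict.get(client) != "decoy-first":
                verdict[client] = "fallback" if recent else "decoy-first"
    return verdict

if __name__ == "__main__":
    for client, label in classify(SAMPLE_LOG).items():
        print(client, label)
```

In the sample, 198.51.100.9 tried the real MX first but came back to the decoy 88 minutes later and is flagged anyway, which is the sticky-MTA case raised above; that is an argument for treating "decoy-first" as a greylisting trigger rather than a hard block.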