Daniel wrote:
> I have two mail servers. The primary is here in our office, the
> secondary in our NOC just in case our primary pipe goes down. The
> thing is, even if the primary is up and working, the secondary server
> gets an awful lot of mail -- nearly all of it spam as best I can tell.
> Most of it, if it's to an existing user, is accepted because we don't
> have any anti-spam stuff installed yet, but it's the following log
> entries that have me concerned.
>
> Below you'll find what appears to be an attempt by someone in Russia
> pretending to be from someone else in Russia sending stuff to users
> that don't exist in our system. The secondary server appears to be
> bouncing these mails back to the fake sender -- obviously something
> Bad, but I'm not sure how to stop it as it all looks legit.
> Suggestions?
>
You need spam filtering on the backup server as well. There are a number
of tricks you can do to reduce spam on the backups. A lot of spammers go
for the highest MX first because the backup servers often don't have
spam filtering.
I have 3 layers of MX records. My highest one always returns DEFER just
to keep me from having to process the spam. That in itself will cut your
spam quite a bit. Also use the various block lists like Spamhaus.
Anyhow - one of my tricks. Create a third MX that is higher than the
other two. Then add this ACL:
  # Connections arriving on the decoy (highest-preference) MX address are
  # deferred without further processing. "eq" is an exact string compare;
  # an unanchored "match" regex would also hit addresses that merely contain
  # the decoy address as a substring.
  defer log_message = Spammer Connected to FAKE highest MX record
        condition   = ${if eq{$interface_address}{69.50.231.7}{true}{false}}
then add this:
  # --- Look up in a few choice primary blacklists. Must be after
  # authenticated tests.
  # Both keys are checked against the zone: the sending host address (Exim
  # reverses the octets) and the sender's domain (looked up as-is).
  drop message  = REJECTED - ${sender_host_address} is blacklisted at \
                  $dnslist_domain ($dnslist_value); See ${dnslist_text}
       dnslists = sbl-xbl.spamhaus.org/<;$sender_host_address;$sender_address_domain
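Added example, not from the post above: a small Python model of the two ACL statements, including the DNSBL lookup Exim performs for the posted key list (address keys with octets reversed, domain keys verbatim, a 127/8 answer meaning "listed"). The resolver is injectable so the logic runs offline against constructed answers; the decoy address 69.50.231.7 is the poster's, all other addresses and the SAMPLE_DNS answers are constructed.

```python
import ipaddress
import socket

def dnsbl_query_name(zone, key):
    """Build the DNS name Exim would query for one key against one list zone."""
    try:
        ip = ipaddress.ip_address(key)
    except ValueError:
        # Not an address: the key is a domain name and is queried as-is
        return f"{key.rstrip('.')}.{zone}"
    if ip.version == 4:
        return ".".join(reversed(key.split("."))) + "." + zone
    # IPv6 keys are reversed nibble by nibble
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone

def _resolve_a(name):
    """Default resolver: first A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_dnslists(zone, keys, resolve=_resolve_a):
    """Return (zone, value) for the first listed key, else None.
    `resolve` is injected so the decision logic can be exercised offline."""
    for key in keys:
        value = resolve(dnsbl_query_name(zone, key))
        # Only answers inside 127.0.0.0/8 count as a positive listing
        if value and ipaddress.ip_address(value) in ipaddress.ip_network("127.0.0.0/8"):
            return zone, value
    return None

def acl_verdict(interface_address, decoy_mx, sender_host, sender_domain, zone,
                resolve=_resolve_a):
    """Mirror the posted ACL: defer on the decoy MX, drop if either key is listed."""
    if interface_address == decoy_mx:
        return "defer", "Spammer Connected to FAKE highest MX record"
    hit = check_dnslists(zone, [sender_host, sender_domain], resolve)
    if hit:
        domain, value = hit
        return "drop", f"REJECTED - {sender_host} is blacklisted at {domain} ({value})"
    return "accept", ""

# Constructed answers standing in for real DNSBL responses (offline run)
SAMPLE_DNS = {
    "2.0.0.192.sbl-xbl.spamhaus.org": "127.0.0.2",
    "spam.example.sbl-xbl.spamhaus.org": "127.0.0.4",
}

if __name__ == "__main__":
    print(acl_verdict("198.51.100.5", "69.50.231.7", "192.0.0.2", "ok.example",
                      "sbl-xbl.spamhaus.org", SAMPLE_DNS.get))
```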