On Mon, 13 Nov 2006 20:45:02 -0600, "Aleksandr V. Galiyev"
<radio@???> wrote:
> Everything was running just fine, until I added second PRI=20 MX for
> one of my domains - pointing to my secondary mail server.
>
> Secondary mail server is running on Windows and used only for MX
> backup purposes. Simple saying - just receiving mail and sending it
> to my primary mail server. (Argosoft Mailbag).
>
> After running with the above configuration for about 24 hours - I
> got tons of SPAM and every single spam message was received by my
> secondary mail server.
That's common behavior. A lot of spammers expect secondary servers to
have less stringend anti-spam measures and deliver there without even
trying the peimary.
> Tracing on the spam messages:
>
>===================================================
>Received: from [172.30.111.14] (helo=eros.xxxxxxxx.net)
> by www2.xxxxxx.net with esmtp (Exim 4.63 (FreeBSD))
> (envelope-from <todd6@???>)
> id 1GjnnX-0001Ef-RO
> for radio@???; Mon, 13 Nov 2006 20:13:19 -0600
>Received: from [87.240.34.217] by eros.xxxxxxx.net with SMTP (HELO localhost.localdomain)
> (ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.8.5)); Mon, 13 Nov 2006 20:11:27 -0600
>===================================================
>
>172.30.111.14 is my secondary mail server.
>87.240.34.217 is black listed sender.
>
>I got exactly same message from the same IP (87.240.34.217) on my primary mail server which sure got rejected.
>
>Any suggestions please?
Implement anti-spam measures on the secondary server.
>
>I'm using exim with vexim configuration.
>
>===================================
>www2# cat vexim-acl-check-rcpt.conf
># deny hosts = ! +relay_from_hosts
># condition = ${if eq {${lookup mysql{select count(*) from domains \
># where domain = '${quote_mysql:$domain}' \
># and spamassassin='1'}}}{1} {yes}{no}}
># !acl = spf_rcpt_acl
>
> deny message = DNSBL listed at $dnslist_domain\n$dnslist_text
> dnslists = bl.spamcop.net:cbl.abuseat.org:dnsbl.sorbs.net
>===================================
>
>172.30.111.14 was NOT configured as trusted host anywhere.
But 172.30.111.14 is not blacklisted. And exim looks at which server
the message was directly received from.
Spamassassin honors IP addresses found in Received:-Headers as well,
but running Spamassassin or a different anti-spam measure on the host
that directly receives the message from the Internet is going to yield
_FAR_ better results.
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
