I have now signed up for a backup MX and DNS service at Rollernet.us – http://www.rollernet.us/

From their web site:

We offer the following configurable anti-spam options:

* DNSBL (with optional custom lists)
* Sender Policy Framework (SPF) (optional custom action handling)
* Greylisting
* Highly configurable blacklist and whitelist features
* Inline anti-virus filtering
* Configurable valid user list

A lot of this is available on a free account, and you can upgrade the full-featured account for US$35/yr. Not bad when you consider that for this price you can have more than one domain.

You’ll still get some spam of course, but a lot less.

Spammers often target the backup MX server directly. And apparently some go after the MX with the lowest priority (ie highest number in the MX record). So some people advocate having your real server as the highest and lowest priority MX – ie the mail server has two MX entries. I don’t know how effective this is.

I’ve noticed the same problem regarding backup MX’s and other situations. For example, I maintain an /etc/postfix/access file which reject’s certain addresses within a domain that I have a catch-all assigned to.

Of course, once the primary rejects with a 554 Access Denied, the sender sends to the secondary, where it rattles around for a while, eventually notifying the secondary MX’s postmaster of its inability to deliver it.

Luckily, I admin the secondary and was able to mimic the /etc/postfix/access file, but your point is very valid.