I’ve been reading up on greylisting and the techniques behind it, and found out that it doesn’t quite work if you have a backup MX mail server that does not apply the same policy as your primary server. That is the situation I’m in, and I think most of you are in it as well.
If you have greylisting implemented on your primary server, every incoming email is checked against a stored list of previously encountered combinations of sending mail server and mail address. If the combination is not known, the sending mail server is told to try again later. Most spammers will leave it at that. Once you have received a certain number of mails from the same mail server and mail address, that combination is whitelisted and accepted directly from then on.
The problem with backup MX servers is that they will end up whitelisted: you have to accept all mail from them, because a backup MX keeps retrying (as it is intended to do)! If you don’t control the backup MX server, and it doesn’t apply a greylisting policy like yours or do any spam filtering, you have a backdoor that is wide open for spammers.
Read more on the subject in this whitepaper which describes it all in more detail.
Before we can implement greylisting we need to turn off our current backup MX and find someone else who applies the same policies and is willing to be our backup MX, or just live without a backup mail server…
I would like to know your thoughts on this. What can I/we do to work this out?
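To make the mechanism described above concrete, here is a small greylisting simulator. It is an added example, not code from the post or from any real greylisting implementation: every host, address, delay and threshold in it is constructed, and the retry delay (5 minutes) and auto-whitelist threshold (5 deliveries) are assumptions chosen for illustration. It models the triplet check, the “try again later” reply, the auto-whitelisting of clients that retry, and then shows the hole: once the backup MX has been whitelisted, a message it relays is accepted on first contact without ever being greylisted. The `bypassed` counter is the kind of metric a defender would want to watch, since it measures how much mail enters through the whitelisted relay rather than through the policy.

```python
"""Greylisting simulator (added example, not the post's own code).

Policy modelled: a (client_ip, sender, recipient) triplet is temporarily
rejected the first time it is seen, accepted on a retry after min_delay,
and the client is auto-whitelisted after auto_whitelist_after deliveries.
All IPs, addresses, delays and thresholds below are constructed.
"""
from dataclasses import dataclass, field

TEMPFAIL = "450 4.7.1 greylisted, try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300            # seconds a retry must wait (assumed value)
    auto_whitelist_after: int = 5   # deliveries before a client is trusted (assumed)
    seen: dict = field(default_factory=dict)      # triplet -> time first seen
    accepted: dict = field(default_factory=dict)  # client_ip -> deliveries accepted
    whitelist: set = field(default_factory=set)   # client_ips accepted without check
    bypassed: int = 0                             # mails accepted purely via whitelist

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply the policy would give for this delivery attempt."""
        if client_ip in self.whitelist:
            # Whitelisted relays (e.g. a backup MX) skip the triplet check entirely.
            self.bypassed += 1
            return ACCEPT
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = now          # unknown triplet: ask the sender to retry
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL               # retried too quickly: still greylisted
        self.accepted[client_ip] = self.accepted.get(client_ip, 0) + 1
        if self.accepted[client_ip] >= self.auto_whitelist_after:
            self.whitelist.add(client_ip)
        return ACCEPT


def run_scenario():
    """Walk through the four cases the post describes; returns a result dict."""
    g = Greylist()
    results = {}

    # 1. Spammer contacting the primary MX directly and never retrying: nothing delivered.
    results["spam_direct"] = g.check("203.0.113.9", "spam@example.net",
                                     "alice@example.org", now=0)

    # 2. Legitimate MTA retries after 10 minutes: accepted on the second attempt.
    g.check("198.51.100.7", "bob@example.com", "alice@example.org", now=0)
    results["legit_retry"] = g.check("198.51.100.7", "bob@example.com",
                                     "alice@example.org", now=600)

    # 3. Backup MX (no greylisting of its own) relays ordinary mail and retries
    #    like any MTA, so after a few deliveries it is auto-whitelisted.
    backup = "192.0.2.25"
    for i in range(5):
        g.check(backup, f"user{i}@example.com", "alice@example.org", now=1000 + i)
        g.check(backup, f"user{i}@example.com", "alice@example.org", now=2000 + i)
    results["backup_whitelisted"] = backup in g.whitelist

    # 4. Spam that entered via the backup MX: accepted on first contact, no tempfail.
    results["spam_via_backup"] = g.check(backup, "spam@example.net",
                                         "alice@example.org", now=3000)
    results["bypassed"] = g.bypassed
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The simulation reflects the post’s conclusion: greylisting only holds if every MX in the record applies it, because the primary has no choice but to trust a backup that retries. In production the triplet store would also need expiry, and the backup MX itself would need the same policy (or at least spam filtering) so that the whitelisted path is not an unfiltered one.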
November 30th, 2006 at 4:35 am
Hey Richard,
I’ve noticed the same problem regarding backup MXs and other situations. For example, I maintain an /etc/postfix/access file which rejects certain addresses within a domain that I have a catch-all assigned to.
Of course, once the primary rejects with a 554 Access Denied, the sender sends to the secondary, where it rattles around for a while, eventually notifying the secondary MX’s postmaster of its inability to deliver it.
Luckily, I admin the secondary and was able to mimic the /etc/postfix/access file, but your point is very valid.
December 3rd, 2006 at 4:11 pm
Richard, I’ve had the same problem with my mail setup for ages now. Almost all email goes through the backup MX. We have always used our ISP as the backup MX. Unfortunately they do absolutely no spam filtering.
I have now signed up for a backup MX and DNS service at Rollernet.us – http://www.rollernet.us/
From their web site:
We offer the following configurable anti-spam options:
* DNSBL (with optional custom lists)
* Sender Policy Framework (SPF) (optional custom action handling)
* Greylisting
* Highly configurable blacklist and whitelist features
* Inline anti-virus filtering
* Configurable valid user list
A lot of this is available on a free account, and you can upgrade the full-featured account for US$35/yr. Not bad when you consider that for this price you can have more than one domain.
You’ll still get some spam of course, but a lot less.
Spammers often target the backup MX server directly. And apparently some go after the MX with the lowest priority (i.e. the highest number in the MX record). So some people advocate having your real server as both the highest and the lowest priority MX, i.e. the mail server has two MX entries. I don’t know how effective this is.