
Re: [anti-spam-wg@localhost] Anti-spam WG draft minutes RIPE 46


On Sat, Sep 06, 2003 at 09:47:32PM +0200, Petr Nachtmann wrote:
> Why do something complicated when you can do something simple? And don't
> forget about mailservers which cannot be prevented from being open relays
> (or whose administrators or suppliers aren't willing to fix it). You can
> just block any incoming SMTP traffic to that host from the whole world except
> the secondary MX servers. The hole is closed and the mailserver is even
> protected against this type of attack:

Isn't it unsocial to publish records in DNS (best MX) which will /never/
be reachable from the outside?
And as most braindead admins configure the firewall to DROP and not REJECT,
it is even more unsocial, as the mailservers run into a (2 minute) timeout
each time they try to connect to the best MX.

If you have to filter a broken mailserver, use a best MX pointing to a working
one and an internal mailserver route to the final destination.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

