Anti-spam measures
Miquel van Smoorenburg miquels at cistron.nl
Mon Jan 12 14:08:11 CET 1998
According to Janos Zsako: > > What I think as the best solution is to patch sendmail > > to check from the name service if we really are in the > > mx list for the incoming mail. We have been doing that for half a year now, and it works fine. > The idea is good indeed. I am, however, somewhat concerned about > the following potential dangers: > > 1. The DNS can contain bogus info (including MX records). Well if the MX record is wrong, you won't get any email anyway. > 2. You could be a victim of a malicious setup. For example, the primary > of foo.domain puts an MX to one of your hosts protected in the way you > suggest. When the secondaries have updated the zone, you get a large > number of spam destined for foo.domain. Your resources may be abused, > and you can even suffer a DoS. (At the same time, foo.domain may even > filter out SMTP connections from you, to make sure *his* resources are > not wasted...). So they setup their *own* nameserver to spam their *own* domain using you as a relay? Not very likely.. No, the real problem is when a MX is moved to another host. Cached MX records on other nameservers will cause the mail to be sent to the old MX, which doesn't accept it anymore. This _can _ cause bounced email if you are not careful (like lowering TTL 1 day before the tranfer, etc) Mike. -- Miquel van Smoorenburg | The dyslexic, agnostic, insomniac lay in his bed miquels at cistron.nl | awake all night wondering if there is a doG
[ lir-wg Archives ]