From my observations we get more spam delivered to our secondary mail servers. To combat this we have made SPF very aggressive on our secondary mail servers; this has drastically reduced our spam intake. The danger of course is if our primary mail server goes down that real email will be rejected by the secondaries. So far, however, the benefits have outweighed the risks for us.
Potentially load balancing our primary mail server (or 2 MX records with the same priority sending mail to mail servers configured with the same SPF settings) would mitigate the risk further.

-----Original Message-----
From: Barry Murphy [mailto:barry(a)unix.co.nz]
Sent: Tuesday, 15 January 2008 11:06 a.m.
To: Glen Eustace
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Using nolisting to reduce spam

Paradise did this by pointing the first MX to pop.paradise.net.nz which was not an MX server, it would then have the real MX listed as second priority. I believe it would relieve some spam bots, but from what I can tell (running greylist with 2 MX's) the spambots often go for the secondary MX first nowadays. The reason for this, generally a secondary MX would be your upstream's mail server, they would not have the same spam protection as you're running, they would queue the email and deliver it to you, your mail server would have learnt to trust this host. Doubt it would stop much in my own opinion.

Cheers
B
Yesterday, I came across the concept of 'nolisting' as a technique for reducing the volume of inbound spam. It wasn't something I had previously come across so have done some reading on the topic. http://nolisting.org as a starting point.
For such a simple technique, I was surprised by its impact.
Simply speaking, the idea is to use a primary MX that doesn't listen on port 25 but simply rejects the connection. Well-behaved MTAs will all try the secondary MX(es) and delivery will occur. Many spambots only try the primary so there is an immediate benefit, less inbound to check in other ways and a consequential increase in the available resources on the mail server(s).
I set it up on one domain and behavior seems to be exactly as described. My reading suggests that there is no negative impact on legitimate mail and no noticeable additional latency in delivery as the switch from the primary to secondary on a reject is almost instantaneous.
I was wondering whether anyone else has had any experience with this technique and if so whether the claim that it has no negative impact is true. Also, if people haven't heard of it, it may be something people might want to look at as another weapon in the anti-spam war.
Glen.
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
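A check for the setup Glen describes, added here as an example (not code from the thread or from nolisting.org): the lowest-preference MX must refuse port 25 outright rather than time out, and a lower-priority MX must accept. The function names and example.net hostnames are assumptions, and the demo uses a constructed probe table instead of live connections.

```python
import socket

def probe_smtp(host, timeout=5.0):
    """TCP connect to port 25; returns 'accept', 'refused' or 'slow'."""
    try:
        with socket.create_connection((host, 25), timeout=timeout):
            return "accept"
    except ConnectionRefusedError:
        return "refused"      # immediate RST: senders fall back at once
    except OSError:
        return "slow"         # timeout, filtered or unresolvable host

def check_nolisting(mx_records, probe=probe_smtp):
    """mx_records: list of (preference, hostname). Returns (ok, findings)."""
    ordered = sorted(mx_records)
    if len(ordered) < 2:
        return False, ["need at least two MX records"]
    best = ordered[0][0]
    states = {host: probe(host) for _, host in ordered}
    primaries = [h for p, h in ordered if p == best]
    backups = [h for p, h in ordered if p > best]
    findings = []
    for h in primaries:
        if states[h] == "accept":
            findings.append(f"{h}: primary accepts mail, nolisting not in effect")
        elif states[h] != "refused":
            findings.append(f"{h}: primary is {states[h]}, not refused; "
                            "legitimate senders wait before falling back")
    if not any(states[h] == "accept" for h in backups):
        findings.append("no lower-priority MX accepts; legitimate mail is deferred")
    return not findings, findings

if __name__ == "__main__":
    # Constructed sample: hostnames and probe results are illustrative only.
    records = [(20, "mx-real.example.net"), (10, "mx-dead.example.net")]
    fake = {"mx-dead.example.net": "refused", "mx-real.example.net": "accept"}
    print(check_nolisting(records, probe=fake.get))
    fake["mx-dead.example.net"] = "slow"   # firewall drop instead of reject
    print(check_nolisting(records, probe=fake.get))
```

Run against live hosts by omitting the `probe` argument, from a network that is allowed outbound port 25.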