On 4 Aug 2003 at 12:24, Frank Knobbe wrote:

> On Mon, 2003-08-04 at 10:57, Alex 'CAVE' Cernat wrote:
> > if the virus sends emails through local smtp connection, it's a dns
> > problem;
> > but if the virus connects directly to the 'backup' smtp server, then,
> > lamerish, the virus programmer probably believed that bigger value
> > associated with mx means 'preferred server', which is exactly the
> > opposite of the rfc or any documentation available :-)
> >
>
> No, not necessarily. There may be setups where the mail
> bagger does not include virus and spam scanners, thus
> offering a chance of "getting in" undetected.

I certainly see a lot of spam that targets my backup MXs explicitly. Sadly, it's an effective way for the spammers to bypass DNS Realtime Blackhole Lists for those domains for which the backup is contracted off-site. On my own backup MXs, I can configure the RBLs, but I cannot do that on my ISP's server (nor would I want them deciding for me what is spam).

If the virus author meant to bypass virus-scanning, though, his attempt is (one hopes) misguided. All mail routed through the backups should spool through the primary before reaching any client, and the primary should do the virus scanning.

> This is especially true if primary mail servers trust
> secondary mail baggers explicitly (i.e. allow them to
> relay regardless of recipient domain).

If my primary trusts the secondary, I have a much more serious problem than receiving spam / virii. The combination becomes a multi-stage-open-relay. It will eventually be found by spammers and used to *send* spam, its IP block will wind up in the DNS RBLs, and I won't be able to send EMail at all.

One should never trust a backup MX (even one's own).

-- Pete Phillips -- San Antonio, Texas -- peteat_private
This archive was generated by hypermail 2b30 : Wed Aug 06 2003 - 15:55:37 PDT
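
The RBL bypass described in the message above happens because the primary sees only the backup MX's address as the SMTP peer. As an added example (not part of the original thread), this Python sketch shows a primary applying the blocklist to the client recorded in the Received header the backup itself wrote, without granting the backup any relay rights. Assumptions: a Postfix-style Received format, constructed addresses and sample message, a placeholder DNSBL zone, and a stub `is_listed` callable in place of a real DNS lookup.

```python
import ipaddress
import re
from email import message_from_string

BACKUP_MX_IPS = {"192.0.2.25"}   # constructed: our off-site backup MX
DNSBL_ZONE = "dnsbl.example"     # placeholder zone, not a real list
# Assumed Postfix-style trace line: "from HELO (rdns [client-ip]) by ..."
# HELO is client-chosen text; only the parenthesised part comes from the backup.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\((?:\S+\s+)?\[([0-9.]+)\]\)")

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Query name for an IPv4 DNSBL lookup: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def ip_to_check(raw_msg, peer_ip):
    """The SMTP peer, or the client the backup MX recorded when the peer is
    the backup. Headers below the backup's own are forgeable and ignored."""
    if peer_ip not in BACKUP_MX_IPS:
        return peer_ip
    received = message_from_string(raw_msg).get_all("Received") or []
    m = RECEIVED_RE.match(received[0].strip()) if received else None
    try:
        return str(ipaddress.IPv4Address(m.group(1))) if m else None
    except ValueError:
        return None

def verdict(raw_msg, peer_ip, is_listed):
    """is_listed(name) -> bool stands in for the DNS query (kept offline here)."""
    ip = ip_to_check(raw_msg, peer_ip)
    if ip is None:
        return "defer"            # origin unknown: do not wave it through
    return "reject" if is_listed(dnsbl_name(ip)) else "accept"

# Constructed sample: stub list and a message relayed by the backup MX.
LISTED = {dnsbl_name("203.0.113.9")}
VIA_BACKUP = (
    "Received: from [198.51.100.7] (unknown [203.0.113.9])\n"
    "\tby backup.example.net with SMTP; Mon, 4 Aug 2003 12:00:00 -0500\n"
    "Received: from mail.example.com (mail.example.com [198.51.100.7])\n"
    "\tby relay.example.com; Mon, 4 Aug 2003 11:59:00 -0500\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    naive = "reject" if dnsbl_name("192.0.2.25") in LISTED else "accept"
    print("peer-only check:", naive)
    print("origin-aware check:", verdict(VIA_BACKUP, "192.0.2.25", LISTED.__contains__))
```

The sample's HELO string claims an unlisted address while the backup's own parenthesised record shows the listed one, so the check reads only the part the backup wrote.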