Nathanael Hoyle wrote:
>
> I liked Jorey's idea enough to give it a shot. Actually implemented it
> yesterday. I debated about having the 'dead' MX host point at a system
> which dropped the requests but logged them (via iptables or similar),
> not so much to see how much legitimate email made it through (which
> seems to be pretty much all of it so far), but to see how much nasty
> traffic hit the primary 'dead' host that failed to retry on the second.
> For now, I have gone with a somewhat different approach. I actually
> have the primary MX listed as an IP that is a network boundary (and
> therefore flatly unusable),
what do you mean here?
> the advantage I see is that the connect
> attempt will fail notably faster than it would if it had to time out,
> which reduces the burden on legitimate hosts, but is still just as
> undeliverable, keeping the desired effect. I will post with further
> results as I have the opportunity to observe them.
>
... what do you mean here? the advantage I see is that the connect...
mouss
usebsd@...
Nov 22, 2005 6:26 pm
... I'm using a host that has no A record (NXDOMAIN) as the dead primary in some of my configurations. While it applies less of a penalty, it isn't ...
Jorey Bump
list@...
Nov 22, 2005 6:40 pm
Guys, This is what I've setup: fauxmx01.plusone.com MX 10 (fake MX, non-responding <network> IP) nymeta01.plusone.com MX 20 (real MX) nymeta02.plusone.com MX...
Covington, Chris
Chris.Covington@...
Nov 22, 2005 9:59 pm
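The following is an added example, not code posted by anyone in this thread. It models the dead-primary-MX scheme described in the first message and the MX layout quoted above: an RFC 5321 sender walks the MX list in preference order and reaches the real MX, a direct-to-MX spam engine that never falls back is lost at the fake primary, and the three failure modes the thread compares (blackholed address, an address that returns an ICMP error quickly, and a hostname with no A record) differ only in how long a legitimate sender is delayed. It also carries out Nathanael's measurement idea: correlate firewall log lines from the dead host with smtpd connections on the real MX to find clients that hit the fake primary and never retried. Hostnames, addresses, timings and log lines are all constructed; how fast a real fake MX fails depends on what the routers in the path send back, as the later replies point out.

```python
"""Model of the 'dead primary MX' scheme discussed in this thread.

Added example, not code from any poster. Hostnames, addresses, per-host
outcomes and log lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed MX set. RFC 5321 section 5.1: lowest preference value is tried first.
MX_RECORDS = [(10, "fauxmx.example.com"), (20, "mx1.example.com"), (30, "mx2.example.com")]


@dataclass(frozen=True)
class HostOutcome:
    accepts_mail: bool
    cost_ms: int      # time a sender burns on this host before moving on
    reason: str


# What a remote sender experiences at each host (constructed). This dead primary is a
# blackholed address: SYNs are dropped, so the client sits out its connect timeout.
OUTCOMES: Dict[str, HostOutcome] = {
    "fauxmx.example.com": HostOutcome(False, 30_000, "connect timed out"),
    "mx1.example.com": HostOutcome(True, 200, "220 banner"),
    "mx2.example.com": HostOutcome(True, 200, "220 banner"),
}
# Alternative dead primaries compared in the thread (assumed timings).
FAST_FAIL = HostOutcome(False, 500, "no route to host (ICMP unreachable)")
NXDOMAIN = HostOutcome(False, 50, "NXDOMAIN, nothing to connect to")


@dataclass
class DeliveryResult:
    delivered_to: Optional[str]
    attempts: List[Tuple[str, str]]
    elapsed_ms: int


def ordered_mx(records) -> List[str]:
    return [host for _, host in sorted(records)]


def compliant_sender(records, outcomes) -> DeliveryResult:
    """An RFC-compliant MTA walks every MX in preference order until one accepts."""
    attempts, elapsed = [], 0
    for host in ordered_mx(records):
        oc = outcomes[host]
        attempts.append((host, oc.reason))
        elapsed += oc.cost_ms
        if oc.accepts_mail:
            return DeliveryResult(host, attempts, elapsed)
    return DeliveryResult(None, attempts, elapsed)  # a real MTA would queue and retry


def direct_to_mx_bot(records, outcomes) -> DeliveryResult:
    """The behaviour the scheme exploits: hit the primary MX once, never fall back."""
    host = ordered_mx(records)[0]
    oc = outcomes[host]
    return DeliveryResult(host if oc.accepts_mail else None, [(host, oc.reason)], oc.cost_ms)


def with_fake_primary(outcomes, fake: HostOutcome) -> Dict[str, HostOutcome]:
    """Same MX set, different failure mode for the dead primary."""
    return {**outcomes, ordered_mx(MX_RECORDS)[0]: fake}


# Measurement idea from the first message: log SYNs reaching the dead host and compare
# with connections the real MX sees. Constructed iptables LOG and Postfix smtpd lines.
DEAD_MX_LOG = """\
Nov 22 18:01:03 deadmx kernel: FAUXMX IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
Nov 22 18:01:09 deadmx kernel: FAUXMX IN=eth0 SRC=198.51.100.44 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
Nov 22 18:02:41 deadmx kernel: FAUXMX IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
"""
REAL_MX_LOG = """\
Nov 22 18:01:34 mx1 postfix/smtpd[2211]: connect from mail.example.net[203.0.113.7]
Nov 22 18:03:10 mx1 postfix/smtpd[2211]: connect from unknown[192.0.2.77]
"""
SRC_RE = re.compile(r"\bSRC=(\d+\.\d+\.\d+\.\d+)\b")
CONNECT_RE = re.compile(r"connect from \S+\[(\d+\.\d+\.\d+\.\d+)\]")


def non_retrying_clients(dead_log: str, real_log: str) -> List[str]:
    """Source IPs that hit the dead primary but never showed up at a real MX."""
    hit_dead = set(SRC_RE.findall(dead_log))
    reached_real = set(CONNECT_RE.findall(real_log))
    return sorted(hit_dead - reached_real)


if __name__ == "__main__":
    for label, oc in (("blackhole", OUTCOMES),
                      ("fast fail", with_fake_primary(OUTCOMES, FAST_FAIL)),
                      ("nxdomain", with_fake_primary(OUTCOMES, NXDOMAIN))):
        legit = compliant_sender(MX_RECORDS, oc)
        bot = direct_to_mx_bot(MX_RECORDS, oc)
        print(f"{label:9} legit -> {legit.delivered_to} after {legit.elapsed_ms} ms; bot -> {bot.delivered_to}")
    print("hit dead MX, never reached real MX:", non_retrying_clients(DEAD_MX_LOG, REAL_MX_LOG))
```

The legitimate sender is delivered in every variant; only its delay changes, which is the trade-off the thread is arguing about. The log correlation is deliberately naive (no time window, no retry-interval allowance), so in practice a host that retried hours later would also appear in the "never retried" set until the window is widened.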
... no, this is different than GL: here, every host (legit or not) will try MX1, then if compliant, will try MX2. legit systems are thus somewhat penalized. In...
mouss
usebsd@...
Nov 23, 2005 1:20 am
... The theory behind GLing is that direct-to-MX clients won't retry, so if they time out at the primary MX or at the lowest-value MX that might be just as...
Covington, Chris
Chris.Covington@...
Nov 23, 2005 3:50 pm
... It's important to note that both methods exploit the lack of RFC-compliant behavior common to malware, albeit using completely different approaches....
Jorey Bump
list@...
Nov 23, 2005 4:51 pm
[...] ... Problem is that most low-end "users"/mail administrators that handle only 3 or 4 mailboxes are mostly ignorant of the deal and the responsibility ...
Xavier Beaudouin
kiwi@...
Nov 23, 2005 5:21 pm
... "most" is an understatement. ... How true. ... Instead, I've taken a different approach. I allow my customers to have ALL of my spam filtering, or NONE of...
Mark Nernberg
mark@...
Nov 23, 2005 7:09 pm
... The IP is a network boundary address. i.e., if it were a class C network (/24), the address would be x.x.x.0, rather than 1-254 or broadcast (255)....
Nathanael Hoyle
nhoyle@...
Nov 22, 2005 6:40 pm
... Oh yes it can. Your broadcast address is meaningful only for hosts on your subnet. Your broadcast address has no meaning for hosts on other subnets. Assign...
Wietse Venema
wietse@...
Nov 22, 2005 7:05 pm
... If you would please note, I used the bottom end network boundary, not the top-end broadcast address. To my understanding, this would be accurate in...
Nathanael Hoyle
nhoyle@...
Nov 22, 2005 7:09 pm
... It does not matter. The all-bits-0 (old broadcast) and all-bits-1 broadcast address have meaning only for hosts on your own subnet. The all-bits-0 (old...
Wietse Venema
wietse@...
Nov 22, 2005 7:19 pm
... - We live in CIDR, so remote clients don't care. - broadcast and network addresses are valid (try a ping), so as Wietse says, packets will timeout, unless...
mouss
usebsd@...
Nov 22, 2005 7:25 pm
... The remote system has no idea how your network is subnetted, so the failure will mostly be caused by a routing error (no route to host) generated in your...