Viruses and spam ignore MX records
Viruses and spammers will quite often ignore MX records.
The usual assumption is that virus and spam checking happens at the point where the network meets the outside world.
But when there are two or more e-mail servers and only the frontline server does virus and spam checking, the users on the network are unprotected if the bad guys find a way to reach a machine that isn’t supposed to receive mail from the outside world.
I don’t know how they do it. I mean, some companies bleed that information via DNS records. But what if they don’t? Hmmm… If any of you know how they do it, please share.
I’ve heard it said that you should have virus checking on your secondary server as well as the primary.
Or… firewall off port 25 on your POP3 server, leaving the bad guys the choice between NOT spamming you and spamming the protected server.
September 19th, 2005 at 5:07 pm
Usually the spammer uses the backup MX, meaning the MX with the highest “number”, e.g.
example.com. IN MX 30 viruscheck-mx.example.com.
example.com. IN MX 80 dumb-mx.example.com.
The spammer picks dumb-mx.example.com.
September 20th, 2005 at 12:59 am
Except in one case I saw, the misused server wasn’t in the MX records. Maybe they were once upon a time, but not anymore at least.
September 22nd, 2005 at 3:43 am
I have seen such behaviour a few years ago; I recommend having exactly the same configuration (blacklists, whitelists, body patterns etc.) on primary and backup MXes. The primary MX should have its backups whitelisted to avoid unnecessary DSNs sent to the forged sender addresses - such behaviour is even worse than having a virus! Many lame postmasters don’t know that there should be postmaster@ and abuse@ email addresses for every domain they have (and they must be whitelisted) to be able to contact them.
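An added Python example (not from the post or any of the comments) that ties the first and third comments together from the defender's side: it ranks the MX hosts from a zone fragment modelled on the two records quoted above, then counts inbound SMTP connections per receiving host over constructed log lines to flag mail that arrives at the backup MX, or at a host with no MX record at all as in the second comment. The log line format, the 203.0.113.0/24 client addresses and the 25% backup-share threshold are assumptions.

```python
import re
from collections import Counter

# Constructed zone fragment, modelled on the two MX records quoted in the thread.
ZONE_MX = """
example.com. IN MX 30 viruscheck-mx.example.com.
example.com. IN MX 80 dumb-mx.example.com.
"""
# Constructed inbound-SMTP log in a hypothetical format
# "<time> <receiving-host> smtp-connect client=<ip>" (203.0.113.0/24 = documentation range).
SMTP_LOG = """
2005-09-19T17:07:01 viruscheck-mx.example.com smtp-connect client=203.0.113.5
2005-09-19T17:07:09 dumb-mx.example.com smtp-connect client=203.0.113.77
2005-09-19T17:07:12 dumb-mx.example.com smtp-connect client=203.0.113.78
2005-09-19T17:07:31 dumb-mx.example.com smtp-connect client=203.0.113.79
2005-09-19T17:07:45 pop3.example.com smtp-connect client=203.0.113.80
"""
MX_RE = re.compile(r"^\S+\s+IN\s+MX\s+(\d+)\s+(\S+)$")
LOG_RE = re.compile(r"^\S+\s+(\S+)\s+smtp-connect\s+client=\S+$")

def mx_roles(zone_text):
    """Map each MX host to 'primary' (lowest preference number) or 'backup'."""
    recs = sorted((int(m.group(1)), m.group(2).rstrip(".").lower())
                  for m in map(MX_RE.match, zone_text.split("\n")) if m)
    return {h: "primary" if p == recs[0][0] else "backup" for p, h in recs} if recs else {}

def inbound_by_role(zone_text, log_text):
    """Count inbound SMTP connections by the receiving host's role; a host
    with no MX record at all (the case in the second comment) is 'non-mx'."""
    roles = mx_roles(zone_text)
    counts = Counter()
    for m in map(LOG_RE.match, log_text.split("\n")):
        if m:
            counts[roles.get(m.group(1).rstrip(".").lower(), "non-mx")] += 1
    return counts

def mx_skipping_alerts(zone_text, log_text, backup_share_limit=0.25):
    """Flag delivery that bypasses the filtering primary MX. Assumes the primary
    was reachable for the whole log window, so a large backup share is not a
    normal failover artefact."""
    counts = inbound_by_role(zone_text, log_text)
    total = sum(counts.values()) or 1
    share = counts["backup"] / total
    alerts = []
    if share > backup_share_limit:
        alerts.append("backup MX received %.0f%% of inbound connections" % (100 * share))
    if counts["non-mx"]:
        alerts.append("%d connection(s) to hosts with no MX record" % counts["non-mx"])
    return alerts
```

Either alert is the cue to apply the comment's advice: give the backup MX the same filtering as the primary, and close port 25 on hosts that are not meant to accept mail from outside.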