[Gllug] Rejecting mail at backup MX

Bruce Richardson itsbruce at uklinux.net
Wed Feb 11 13:00:47 UTC 2004


On Tue, Feb 10, 2004 at 08:36:15PM +0000, Alistair wrote:
> > Bollocks.  Show me the RFC that says this.  I'd be impressed if you
> > could, because the concept of a backup MX doesn't even exist in the RFCs
> > and this idea that "backups" shouldn't do X or Y is entirely arbitrary
> > and made up.
> 
> Very true, entirely arbitrary and made up for the simple reason that It Works.

The fact that you find it convenient gives you absolutely no grounds at
all to say to somebody else "I think you have understood what a backup
is for" or "You shouldn't be rejecting mail from your backup".  It's
tosh.

[snip irrelevant philosophy because this is the meat]

> > Why impose this arbitrary rule that does no good
> > but helps spammers and virus writers?
> 
> Exactly how does it help spammers and virus writers to have their spew deleted
> on a primary instead of a backup? It doesn't.

It bloody well does.  A mail system that is receiving mail directly from
a virus or spammer can impose checks that can't be imposed by a box
receiving mail from a relay.  You can detect and thus reject a higher
amount of illegitimate mail if all your mail exchangers are imposing
policy on incoming mail.  More importantly, you almost entirely
eliminate the problem of spurious NDRs, because you aren't accepting
illegitimate mail for delivery at all.

If, on the other hand, all but one of your mail exchangers is accepting
all traffic to your domains and leaving it to other systems to accept or
reject, not only are you wasting a lot of your own bandwidth but you
then *have* to spam a lot of innocent people with spurious NDRs, because
a) every message that you accept for delivery and then decline to
deliver is required to generate an NDR and b) you now have no way of
telling the spurious NDRs from the real ones.

> 
> Doing so considerably eases administration for me, though.

The fact that you don't want to do something doesn't make it a bad idea.
I put quite a bit of effort into ensuring that my mail systems reject
invalid mail while making sure that a) legitimate senders are informed of
rejections and b) we aren't spamming people with spurious NDRs about
spam and viruses that they didn't send.  It's only good citizenship,
given the amount of hassle that Sobig and MyDoom and spammers are
causing, not to add needlessly to the noise.  If you are happy to spam
people with useless NDRs there's nothing I can do to stop you but it's
not a position I can respect, particularly when you then start lecturing
people who are making an effort and telling them that they are wrong.

-- 
Bruce

Hummingbirds are the only birds that can fly backwards, apart from
ostriches if you punch them hard enough.
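
The difference argued in the message above, as an added example that is not part of the original post: a toy Python model of a backup MX that either enforces policy at SMTP time or accepts everything and relays to the primary. All addresses, policy tables and function names are constructed for the illustration.

```python
from dataclasses import dataclass

VALID_RCPTS = {"alice@example.org"}   # constructed recipient table
BLOCKED_CLIENTS = {"203.0.113.7"}     # constructed client-IP blocklist
BACKUP_IP = "192.0.2.25"              # constructed address of the backup MX

@dataclass
class Msg:
    client_ip: str   # host that opened the SMTP connection
    mail_from: str   # envelope sender (trivially forged)
    rcpt_to: str

def policy(client_ip, rcpt_to):
    """SMTP-time checks; returns a reply code. Our own backup is a trusted relay."""
    if client_ip != BACKUP_IP and client_ip in BLOCKED_CLIENTS:
        return 554
    if rcpt_to not in VALID_RCPTS:
        return 550
    return 250

def backup_mx(msg, enforce_policy):
    """Returns (outcome, ndrs): ndrs lists addresses the backup must bounce to."""
    if enforce_policy and policy(msg.client_ip, msg.rcpt_to) != 250:
        # Rejected in-session: the connecting client owns the failure, so a
        # legitimate sender is told by their own server and nothing is bounced.
        return ("rejected-at-backup", [])
    # Accepted: the backup is now responsible for delivery or for an NDR.
    # The primary sees the backup as the client, so client-IP checks are blind.
    if policy(BACKUP_IP, msg.rcpt_to) != 250:
        return ("bounced", [msg.mail_from])   # NDR goes to the envelope sender
    return ("delivered", [])

def run(traffic, enforce_policy):
    """Returns (messages delivered, list of NDR recipients)."""
    ndrs, delivered = [], 0
    for m in traffic:
        outcome, sent = backup_mx(m, enforce_policy)
        ndrs += sent
        delivered += outcome == "delivered"
    return delivered, ndrs

TRAFFIC = [  # constructed sample traffic
    Msg("198.51.100.10", "bob@example.net", "alice@example.org"),    # legitimate
    Msg("203.0.113.7", "victim@example.com", "nosuch@example.org"),  # forged sender, bad rcpt
    Msg("203.0.113.7", "victim2@example.com", "alice@example.org"),  # forged sender, blocked client
    Msg("198.51.100.10", "bob@example.net", "alcie@example.org"),    # real sender, typo in rcpt
]

if __name__ == "__main__":
    print("accept-all backup:", run(TRAFFIC, enforce_policy=False))
    print("enforcing backup: ", run(TRAFFIC, enforce_policy=True))
```

With the accept-all backup, the message from the blocked client is delivered and two NDRs go out, one to a forged address and one to a real sender, with nothing to tell them apart; with the enforcing backup no NDRs are generated at all.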