Educause Security Discussion mailing list archives

Re: smtp redirection


From: Geoff <leboldug () POST QUEENSU CA>
Date: Tue, 10 May 2005 15:57:02 -0400

John wrote:
> For those of you who redirect email to an anti-spam device; how are you
> doing this redirection and how are you dealing with the spammers who
> circumvent the MX record approach?

We've blocked all inbound 25/tcp, except to a few trusted boxes, for
many years. We have one external MX for most departmental servers. We
also have a Barracuda cluster for our servers and others who want this
kind of service. The generic MX has clam and basic spamblocks on it.
Spammers can't circumvent anything this way.

Blocking SMTP at your border is the correct way to go. Someone will
accidentally configure an open relay. We have some arm's-length groups
(about 3) that want 25/tcp open, so we do it, but we watch.

> Before changing MX records I set a route map on a router to redirect
> smtp traffic to the Meridius but the IP destination headers did not have
> the Meridius address so the appliance dropped the traffic. We run a
> public class B and do not do NAT.

We are also a class B and do not NAT.

Advertise a date for the change. Shorten the DNS TTLs. On that day
change the MXs and then block the 25/tcp. Set the TTLs back to normal.

You will experience a few external sites that will have trouble sending
to you. These will all be badly configured MS Exchange servers that
can't cope with MX records. They'll want to be able to connect to the
destination IP SMTP port directly. When you speak with their mail admin,
you'll find they have no concept of what an MX record is. RTFM is the
correct advice to them.
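
An added example, not part of the original post: before the border block on 25/tcp goes in, border flow records can show which outside senders are already skipping the MX hosts and will be cut off on the change date. The addresses (documentation ranges), the "src dst dport" record format, the function names and the sweep threshold are all assumptions made for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed values: stand-ins for the campus block and the hosts allowed to take SMTP.
CAMPUS = ip_network("192.0.2.0/24")
ALLOWED_SMTP = {ip_address("192.0.2.10"),   # external MX (assumed address)
                ip_address("192.0.2.11")}   # anti-spam cluster (assumed address)

# Constructed flow records, one per line: "src dst dport".
SAMPLE_FLOWS = """\
198.51.100.7 192.0.2.10 25
198.51.100.7 192.0.2.10 25
203.0.113.50 192.0.2.77 25
203.0.113.50 192.0.2.78 25
203.0.113.50 192.0.2.79 25
198.51.100.99 192.0.2.40 25
198.51.100.99 192.0.2.40 25
203.0.113.9 192.0.2.10 443
""".splitlines()

def bypassing_senders(flows, allowed=ALLOWED_SMTP, campus=CAMPUS):
    """Map each outside source to a Counter of non-MX campus hosts it hit on 25/tcp."""
    hits = {}
    for line in flows:
        try:
            s, d, p = line.split()
            src, dst, dport = ip_address(s), ip_address(d), int(p)
        except ValueError:
            continue  # skip malformed records
        if dport != 25 or src in campus or dst not in campus:
            continue  # only inbound SMTP matters here
        if dst in allowed:
            continue  # delivered via the published MX path
        hits.setdefault(str(src), Counter())[str(dst)] += 1
    return hits

def classify(hits, sweep_threshold=3):
    """Heuristic (an assumption): many distinct targets suggests relay hunting,
    one fixed target suggests a sender configured with a host instead of the MX."""
    return {src: "sweep" if len(dsts) >= sweep_threshold else "fixed-target"
            for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, label in classify(bypassing_senders(SAMPLE_FLOWS)).items():
        print(src, label)
```

Sources labelled fixed-target are the ones worth contacting before the advertised change date; after the block, the same report run on denied flows supports the "we watch" part.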
