Educause Security Discussion mailing list archives

Re: Barracuda Spam Filter


From: "Jamie A. Stapleton" <jstapleton () COMPUTER-BUSINESS COM>
Date: Tue, 26 Jul 2005 18:06:15 -0400

Well, there have been lots of comments.  ;-)

Basically, if you leave port 25 open on IP 65.209.95.165, spammers will
eventually find and exploit it.

Please call me if you have any questions.

Jamie
804-412-1601

-----Original Message-----
From: Charlie Prothero [mailto:Charlie.Prothero () KEYSTONE EDU] 
Sent: Tuesday, July 26, 2005 6:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Barracuda Spam Filter

Hmm.  This morning, I thought I had a good handle on this.  Now, I'm not
so sure...

Our MX records look like this:

                IN      MX      1 ms4.tcnoc.com.
                IN      MX      10 ms5.tcnoc.com.
                IN      MX      20 mercury.keystone.edu.

Mercury is our mail server (MS Exchange), and the first two are
Tangent's spam filtering machines.  My understanding had been that once
we were up and running on the Tangent service, we were supposed to
remove our mail server's MX record, leaving Tangent as the only route to
our domain for incoming mail.  Outgoing mail continues to be sent from
Mercury, which has an A-record in our DNS.  Are there problems with this
arrangement?

- Charlie.

-----Original Message-----
From: Graham Toal [mailto:gtoal () UTPA EDU]
Sent: Tuesday, July 26, 2005 2:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Barracuda Spam Filter

Jamie A. Stapleton wrote:

6.  Knowledge.  These people don't appear to know what they are doing.
They left mercury.keystone.edu (with IP address 65.209.95.165) as an MX
record.  Any spammer can find this and attack it without effort.  (See
below.)

220 mercury.keystone.edu Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at  Tue, 26 Jul 2005 09:24:36 -0400

There's actually an understandable reason for that.  Many mail systems
by default will only accept (deliver) mail for which they are the
lowest-valued MX, so by leaving the final destination mailer listed
(with the lowest value, which I hope this was), they don't impose a
competency requirement on the clients to reconfigure their mailer to be
the delivery mailer for a domain which does not MX to them.

However it equally does impose a competency requirement that they either
configure their mailer to accept mail from *only* the higher-valued MX
hosts, *or* get their networking people to block them at the firewall.
Either of those is entirely reasonable (we block at the firewall
ourselves), but the downside is that the lowest-valued MX never responds
and senders always have a delay while backing off to the next lowest
value.

This may not be quite as bad as it sounds though, because a significant
number of spammers will back off at that point and you'll never see
their spam, much like an accidentally implemented grey-listing :-)

G
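An added check, not written by any of the posters, that audits the MX ordering discussed in this thread: it parses zone-file MX lines like the ones Charlie posted and flags any MX host that is not part of the filtering service, since senders fall back to such a host whenever the preferred MXs do not answer. The sample zone is constructed from the thread, and FILTER_HOSTS is an assumed list of the filtering service's hosts that an operator would replace with their own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the MX lines Charlie posted, where mercury is the
# Exchange server and the two tcnoc hosts are the filtering service.
CURRENT_MX_ZONE = """
                IN      MX      1 ms4.tcnoc.com.
                IN      MX      10 ms5.tcnoc.com.
                IN      MX      20 mercury.keystone.edu.
"""
# Constructed: the same zone after the server's own MX record is removed.
FIXED_MX_ZONE = """
                IN      MX      1 ms4.tcnoc.com.
                IN      MX      10 ms5.tcnoc.com.
"""
# Assumed: hosts belonging to the filtering service (replace with yours).
FILTER_HOSTS = {"ms4.tcnoc.com", "ms5.tcnoc.com"}

MX_LINE = re.compile(r"\bIN\s+MX\s+(\d+)\s+(\S+)", re.IGNORECASE)

def parse_mx(zone_text: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs in the order a sending MTA tries them:
    lowest preference value first.  Real MTAs pick among equal preferences
    at random; ties are broken by name here only for determinism."""
    records = []
    for line in zone_text.splitlines():
        m = MX_LINE.search(line)
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".").lower()))
    return sorted(records)

def audit_mx(zone_text: str, filter_hosts: Set[str]) -> Dict[str, object]:
    """Flag MX hosts that are not part of the filtering service.  Any such
    host is a route that delivers mail without passing the filter, because
    senders back off to it when the preferred hosts do not respond."""
    records = parse_mx(zone_text)
    order = [host for _, host in records]
    unfiltered = [host for host in order if host not in filter_hosts]
    return {
        "delivery_order": order,
        "preferred_is_filter": bool(order) and order[0] in filter_hosts,
        "unfiltered_mx": unfiltered,
        # Removing the MX record is only half the fix: the server must still
        # accept port 25 from the filter hosts only, or be firewalled, since
        # an open port 25 can be reached whether or not it is listed as an MX.
        "bypass_exposed": bool(unfiltered),
    }
```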
