
Rick Moen wrote:
Quoting James Harper (james.harper@bendigoit.com.au):
This "spam uses highest number MX" used to be a lot more common than it is now, to the point where you could exploit it by having a tertiary MX that always gave a "try again later" and the spambot would give up whilst having no impact on legitimate email.
I remember reading about this ploy a few years ago, and hoisted a mug in honour of whatever Right Bastardly sysadmin invented it.
Appreciate the news that the spam wars have moved on from spammer-using-highest-MX days. I've been not paying much attention to the latest skirmishes.
FYI,

    $ dig mx cyber.com.au +short
    10 null-mx.cyber.com.au.
    20 mail.cyber.com.au.
    30 exetel.cyber.com.au.
    40 tarbaby.junkemailfilter.com.

First one has --dport smtp -j REJECT. Second is the "real" MTA, third is the same thing via backup DSL line. Fourth is a tarpit. That, greylisting and DNS RBLs are enough that I don't bother to parse message payloads (except for a few "problem" users, who get crm114).
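The MX layout described above, modelled as an added example that is not part of the original post: it parses the quoted `dig` output and shows which host ends up accepting mail for a sender that walks the MX list in preference order versus senders that only ever try one end of it. The strategy names, the `down` parameter and the modelling of the tarpit as never completing a delivery are assumptions made for this sketch.

```python
# Constructed from the `dig mx cyber.com.au +short` output quoted in the post.
DIG_OUTPUT = """\
10 null-mx.cyber.com.au.
20 mail.cyber.com.au.
30 exetel.cyber.com.au.
40 tarbaby.junkemailfilter.com.
"""

# Per-host behaviour as the post describes it. Modelling the tarpit as
# "never completes a delivery" is an assumption made for this sketch.
BEHAVIOUR = {
    "null-mx.cyber.com.au.": "refused",        # --dport smtp -j REJECT
    "mail.cyber.com.au.": "accept",            # the "real" MTA
    "exetel.cyber.com.au.": "accept",          # same MTA via backup DSL line
    "tarbaby.junkemailfilter.com.": "tarpit",
}

def parse_mx(text):
    """Parse `dig +short` MX lines into (preference, host), best first."""
    records = []
    for line in text.splitlines():
        if line.strip():
            pref, host = line.split()
            records.append((int(pref), host))
    return sorted(records)

def deliver(records, strategy, down=()):
    """Return the host that accepted the message, or None.

    rfc          - walk the MX list in preference order until one accepts
    lowest_only  - hypothetical sender: tries the first MX, never falls back
    highest_only - hypothetical sender: goes straight to the last MX
    """
    if strategy == "rfc":
        candidates = records
    elif strategy == "lowest_only":
        candidates = records[:1]
    elif strategy == "highest_only":
        candidates = records[-1:]
    else:
        raise ValueError(strategy)
    for _pref, host in candidates:
        if host not in down and BEHAVIOUR[host] == "accept":
            return host
    return None

if __name__ == "__main__":
    mx = parse_mx(DIG_OUTPUT)
    for s in ("rfc", "lowest_only", "highest_only"):
        print(f"{s:13} -> {deliver(mx, s)}")
    print("rfc, primary down ->", deliver(mx, "rfc", down={"mail.cyber.com.au."}))
```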