Matt wrote:
> Just to clarify here.... You are talking about doing something like:
> domain.com 1200 IN MX 10 smtp-1.domain.com
> domain.com 1200 IN MX 50 smtp-2.domain.com
> You all are saying that most of the spam should be coming in MX 50 right?
No, I'm saying most of the mail coming to the secondary (MX 50) is likely
to be spam in situations where the primary (MX 10) is accepting mail.
> I have to admit I've tried this, but it seems like mail continues to
> come into the MX 50 even when the primary servers are available. Is
> it not correct that the 50 should NOT be tried until the 10 is
> unavailable? Or do I have that backwards?
Legitimate mail servers follow the rule you describe: send first to the
primary, then to the secondary if the primary is unavailable. However,
there's no technical or other requirement that messages first be sent to
the primary. Spammers often ignore the primary and send directly to the
secondary in hopes that the back door has fewer restrictions.
Legitimate mail can show up on the secondary even when the primary is up
for reasons like congestion. If the primary is busy, the sending server
may time out and then try the secondary. For that reason, you cannot
assume that all mail on the secondary is spam, but a quick review of the
logs for the secondary will show that nearly all of it is spam. That's
why I give messages arriving at the secondary a high SA score, but not
one that is sufficient by itself to tag the message.
Peter
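The check Peter describes (score mail that entered through the secondary MX, but not enough to tag it on its own) as an added, stand-alone example; this is not code from the thread or from SpamAssassin. It assumes the two MX hosts from Matt's records, a hypothetical rule name and score, a tag threshold of 5.0, and constructed Received headers. The entry point is taken from the Received headers by walking the trusted chain from the top: a header is trusted only if it was written by one of our hosts and the hop above it was handed off from one of our hosts, so a forged "by smtp-1.domain.com" line that a sender includes in the message body is ignored.

```python
import re

# MX layout from the thread
PRIMARY_MX = "smtp-1.domain.com"
SECONDARY_MX = "smtp-2.domain.com"
OUR_MX = {PRIMARY_MX, SECONDARY_MX}

# Hypothetical rule: a meaningful score, but below the tag threshold by itself
SECONDARY_MX_RULE = "RCVD_VIA_SECONDARY_MX"
SECONDARY_MX_SCORE = 2.5
TAG_THRESHOLD = 5.0

# "Received: from <host> ... by <host> ..." after the header has been unfolded
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+([\w.-]+).*?\bby\s+([\w.-]+)", re.IGNORECASE
)


def parse_received(raw_headers):
    """Return (from_host, by_host) for each Received: header, top-most first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # join folded continuation lines
    hops = []
    for line in unfolded.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def entry_mx(raw_headers, our_hosts):
    """Host of ours that the outside sender actually connected to, or None.

    Received headers are prepended by each MTA, so the top one was written by us.
    Walk down while each header was written by one of our hosts; the first hop
    whose 'from' is not ours is where the message entered. Anything below that
    (e.g. a forged 'by smtp-1.domain.com') was supplied by the sender and is ignored.
    """
    entry = None
    for from_host, by_host in parse_received(raw_headers):
        if by_host not in our_hosts:
            break            # not written by our infrastructure: stop trusting
        entry = by_host
        if from_host not in our_hosts:
            break            # handed in from outside: this is the entry point
    return entry


def score_message(raw_headers, base_score=0.0):
    """Combine the secondary-MX rule with a score from other rules.

    Returns (total_score, tagged, rules_hit). Arriving at the secondary alone
    never reaches TAG_THRESHOLD; it only adds weight to other evidence.
    """
    score = base_score
    hits = []
    if entry_mx(raw_headers, OUR_MX) == SECONDARY_MX:
        score += SECONDARY_MX_SCORE
        hits.append(SECONDARY_MX_RULE)
    return score, score >= TAG_THRESHOLD, hits


# Constructed sample headers (not real traffic)
VIA_PRIMARY = (
    "Received: from mail.example.org (mail.example.org [203.0.113.5])\n"
    "\tby smtp-1.domain.com with ESMTP id 1B2C3; Mon, 3 Mar 2003 10:00:00 -0500\n"
    "From: alice@example.org\n"
)

VIA_SECONDARY = (
    "Received: from smtp-2.domain.com (smtp-2.domain.com [192.0.2.2])\n"
    "\tby smtp-1.domain.com with ESMTP id 2A4F1; Mon, 3 Mar 2003 10:01:02 -0500\n"
    "Received: from bulkmailer.example (unknown [198.51.100.7])\n"
    "\tby smtp-2.domain.com with SMTP id 9C0E7; Mon, 3 Mar 2003 10:01:00 -0500\n"
    "From: offers@bulkmailer.example\n"
)

# Sender connected to the secondary but included a fake hop claiming the primary
FORGED_PRIMARY_CLAIM = (
    "Received: from bulkmailer.example (unknown [198.51.100.7])\n"
    "\tby smtp-2.domain.com with SMTP id 9C0E8; Mon, 3 Mar 2003 10:02:00 -0500\n"
    "Received: from relay.example by smtp-1.domain.com with ESMTP id FAKE00\n"
    "From: offers@bulkmailer.example\n"
)

if __name__ == "__main__":
    for name, hdrs in [("primary", VIA_PRIMARY), ("secondary", VIA_SECONDARY),
                       ("forged", FORGED_PRIMARY_CLAIM)]:
        print(name, entry_mx(hdrs, OUR_MX), score_message(hdrs, base_score=3.0))
```

The same check as a SpamAssassin header rule would key on the Received line added by the local MTA; the trusted-chain walk above is what keeps a sender from defeating it by inserting their own Received lines.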