Hi,

This is what I did to flag spam that goes to the Highest MX server
without having a secondary MX.

First you need a different valid IP address for your SMTP, let's say
20.43.15.256. ;) 

Add this IP as an alias to your network interface.
# /sbin/ip address add 20.43.15.256/24 brd + dev eth0 label eth0:mx2

Give the IP address a valid hostname and register it as MX.
....
@       IN      MX      10000   mx2.domain.
mx2     IN      A       20.43.15.256
...
Not forgetting the reverse:
---
256     IN      PTR     mx2.domain.
---
And pumping the serials.

Now add a custom header in the SMTP to find which IP address was used.
In the case of sendmail this will do in a mc file:
-----------
dnl Custom Headers

LOCAL_CONFIG
HX-Name-Your-Header-Here: ${if_addr}
--------

At this point you will have a fake high MX and the messages will be
flagged by the IP used on the connection.

Now write your rule:
-----
header          MX_TRAP     X-Name-Your-Header-Here =~ /20\.43\.15\.256/
describe        MX_TRAP     Message sent to the MX trap
score           MX_TRAP     4
-----

Of course, adjust the score accordingly.  After much testing, I never got a
HAM in the high MX.

In case you want to monitor what is being flagged, if you use procmail,
you can try:
------------
# High MX trap
:0 c
* ^X-Name-Your-Header-Here: 20\.43\.15\.256
/path/to/somewhere/mx2.mbox
-----------

This will create a copy of every hit in the high MX even if not using SA
to catch it yet.  So you may decide on how to proceed after checking it
out with some MUA, like mutt.

This is not the most elegant solution.  As this accomplished what I
needed I stopped here.  A better solution would be to write a plugin
that could check the high MX IP via Net::DNS for example (something like
WrongMX does).  However, after taking all non-SA steps, the hand-made
rule is faster.



-Raul Dias
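As an added example (not code from the post above), the same trap check written in Python rather than as a SpamAssassin rule or a Net::DNS plugin: it derives the trap addresses from the least-preferred MX instead of hard-coding one IP, and it ignores a stamped value that is not an address. The MX/A table, hostnames, 192.0.2.x addresses and sample messages are constructed stand-ins for a real DNS lookup and real mail.

```python
import email
import ipaddress
from email import policy

HEADER = "X-Name-Your-Header-Here"   # the header the MTA stamps with ${if_addr}

# Constructed zone data standing in for the Net::DNS lookup the post suggests.
# 192.0.2.0/24 is a documentation range; these hosts and addresses are not real.
MX_RECORDS = {10: "mx1.example.test", 10000: "mx2.example.test"}  # preference -> host
A_RECORDS = {"mx1.example.test": {"192.0.2.10"}, "mx2.example.test": {"192.0.2.25"}}


def trap_addresses(mx_records, a_records):
    """Addresses of the least-preferred MX (the one with the highest preference value)."""
    worst_host = mx_records[max(mx_records)]
    return {ipaddress.ip_address(a) for a in a_records[worst_host]}


def mx_trap_score(raw_message, mx_records=MX_RECORDS, a_records=A_RECORDS, score=4.0):
    """Return (hit, points): hit is True if any stamped address belongs to the trap MX."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    traps = trap_addresses(mx_records, a_records)
    for value in msg.get_all(HEADER, []):
        try:
            if ipaddress.ip_address(str(value).strip()) in traps:
                return True, score
        except ValueError:
            continue  # malformed value (empty or not an address): do not score it
    return False, 0.0


# Constructed sample messages: one received on the trap MX, one on the primary MX,
# one with no stamp at all, and one whose stamp is not an address.
TRAP_MESSAGE = f"From: a@b.test\n{HEADER}: 192.0.2.25\nSubject: hi\n\nbody\n"
PRIMARY_MESSAGE = f"From: a@b.test\n{HEADER}: 192.0.2.10\nSubject: hi\n\nbody\n"
NO_HEADER_MESSAGE = "From: a@b.test\nSubject: hi\n\nbody\n"
BAD_HEADER_MESSAGE = f"From: a@b.test\n{HEADER}: not-an-address\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("trap", TRAP_MESSAGE), ("primary", PRIMARY_MESSAGE),
                      ("none", NO_HEADER_MESSAGE), ("bad", BAD_HEADER_MESSAGE)]:
        print(name, mx_trap_score(raw))
```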