At 03:09 6/11/2004, Goesta Smekal wrote:
>I have been doing a similar thing for two months: every mail reported to be
>infected gets a second treatment:
>
>* look for originating IP (of SMTP envelope, _not_ headers)
>* resolve its domain
>* get the MX for that domain
>* if the IPs are not equal, block the host, since it is an infected, non-MX
>host.
>
>This approach works _very_ well (not a single complaint ever since, as opposed to
>three complaints due to the RDNS check, which started at the same time); the SMTP
>load actually is _reduced_ and the "SNDRIP=EIPSPAM" is constantly rising :-)
>.... and of course the virus/day rate is sinking.

This will break rather spectacularly on some larger ISP traffic, since many 
larger ISPs (AOL, RoadRunner, Comcast, a number of others) do not send 
their mail from the same machines which receive it. MX records are for 
machines that receive mail - while a *lot* of places also send mail from 
the same machines, a lot of places (especially high volume sources of mail) 
do not.
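The quoted envelope-IP-versus-MX check and the failure mode described in the reply, as an added example that is not from this thread or from XMail: the heuristic run against a constructed, offline DNS table (all host names, addresses and zones are invented; a real deployment would query DNS). The large-ISP outbound relay, which is never listed as an MX, is blocked exactly like the infected customer host.

```python
# Added example (not from the original thread): the quoted "envelope IP vs MX"
# heuristic implemented against a constructed, offline DNS table so the false
# positive the reply describes can be reproduced. Names, IPs and zones are all
# invented; a real implementation would use a resolver such as dnspython.

# Constructed fake DNS data: PTR, MX and A records for two example domains.
FAKE_DNS = {
    "PTR": {
        "203.0.113.10": "mail.smallco.example",   # small site: one box sends and receives
        "198.51.100.7": "out-7.bigisp.example",   # large ISP: dedicated outbound relay
        "198.51.100.9": "cust-9.bigisp.example",  # ISP customer host (e.g. infected PC)
    },
    "MX": {
        "smallco.example": ["mail.smallco.example"],
        "bigisp.example": ["mx1.bigisp.example", "mx2.bigisp.example"],
    },
    "A": {
        "mail.smallco.example": ["203.0.113.10"],
        "mx1.bigisp.example": ["198.51.100.1"],
        "mx2.bigisp.example": ["198.51.100.2"],
    },
}

def registered_domain(hostname: str) -> str:
    """Naive 'last two labels' extraction (assumption: no public-suffix handling)."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])

def envelope_ip_is_mx(ip: str, dns: dict = FAKE_DNS) -> bool:
    """True if the connecting IP is one of its own domain's MX hosts.

    Mirrors the quoted procedure: PTR -> domain -> MX -> A records -> compare.
    A False result is what the quoted setup uses to block the host.
    """
    ptr = dns["PTR"].get(ip)
    if ptr is None:
        return False  # no reverse DNS at all: treated as a non-MX host
    domain = registered_domain(ptr)
    mx_ips = {a for mx in dns["MX"].get(domain, []) for a in dns["A"].get(mx, [])}
    return ip in mx_ips

def classify(ip: str) -> str:
    """Label as the heuristic would: 'accept' for MX hosts, 'block' otherwise."""
    return "accept" if envelope_ip_is_mx(ip) else "block"

if __name__ == "__main__":
    for ip in FAKE_DNS["PTR"]:
        print(ip, FAKE_DNS["PTR"][ip], "->", classify(ip))
```

The relay 198.51.100.7 is a legitimate sender for bigisp.example yet lands in the same "block" bucket as the infected customer host, which is the false positive the reply warns about; only the small site whose MX also sends mail passes.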


-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
