Re: How I spent my Christmas vacation

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 3 Jan 2006 13:56:25 -0500

On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> No. The inbound SMTP relays are in a DMZ away from the core critical
> assets, such as Exchange, SharePoint and Active Directory.

It appears as though you have created a false sense of security
because you have created a DNS DoS; your blog story is proof of this.

> The relays accept mail only for my domains, [...]

I would hope so!

> and then scrub for viruses and spam.

Don't forget to rinse after scrubbing.

> While the LDAP queries would prevent this issue, I don't consider the
> inbound relays as part of the same security zone as the Exchange
> Servers. Why? Because the spam whackers are 1. Internet facing, and 2.
> must accept anonymous inbound connections.

What threats are you trying to mitigate?

My RFC-friendly general rule of thumb for mail servers is to only
accept email for recipients that exist!  Google: email backscatter.

...D
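
The recipient-validation point discussed in this message, as an added example that is not part of the original post: a small Python model of an inbound relay that compares accepting mail for any local-part and bouncing later with rejecting unknown recipients at RCPT TO. All addresses, domains and function names are constructed for illustration, and the recipient set stands in for a directory (for example LDAP) lookup.

```python
# Added illustration; every address and domain below is a constructed sample.
LOCAL_DOMAINS = {"example.org"}
VALID_RECIPIENTS = {"alice@example.org", "bob@example.org"}  # stand-in for a directory lookup

def rcpt_decision(rcpt, validate_recipients):
    """Return the (code, text) SMTP reply the relay gives to RCPT TO:<rcpt>."""
    local, _, domain = rcpt.lower().rpartition("@")
    if not local or domain not in LOCAL_DOMAINS:
        return 550, "5.7.1 Relaying denied"
    if validate_recipients and rcpt.lower() not in VALID_RECIPIENTS:
        return 550, "5.1.1 User unknown"
    return 250, "2.1.5 Ok"

def run_relay(messages, validate_recipients):
    """Process (mail_from, rcpt_to) pairs; return (delivered, bounces_sent).

    bounces_sent holds the envelope senders that receive a DSN generated by
    this relay. When the sender was forged, each entry is backscatter.
    """
    delivered, bounces = [], []
    for mail_from, rcpt_to in messages:
        code, _ = rcpt_decision(rcpt_to, validate_recipients)
        if code != 250:
            continue  # refused in-session: the connecting client owns the failure
        if rcpt_to.lower() in VALID_RECIPIENTS:
            delivered.append(rcpt_to)
        elif mail_from:
            # Accepted first, mailbox not found later: a bounce must be sent.
            bounces.append(mail_from)
        # A null sender (<>) is never bounced, so nothing is generated for it.
    return delivered, bounces

# Constructed sample traffic: (envelope sender, envelope recipient)
SAMPLE = [
    ("victim1@example.net", "nosuchuser@example.org"),  # forged sender, unknown user
    ("victim2@example.net", "sales123@example.org"),    # forged sender, unknown user
    ("carol@example.com", "alice@example.org"),         # legitimate mail
    ("", "ghost@example.org"),                          # null sender, unknown user
    ("x@example.net", "someone@other.example"),         # not one of our domains
]

if __name__ == "__main__":
    for validate in (False, True):
        delivered, bounces = run_relay(SAMPLE, validate)
        print(f"validate={validate}: delivered={delivered} bounces_to={bounces}")
```
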

