On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> No. The inbound SMTP relays are in a DMZ away from the core critical
> assets, such as Exchange, SharePoint and Active Directory.

It appears as though you have created a false sense of security because you have created a DNS DoS; your blog story is proof of this.

> The relays accept mail only for my domains, [...]

I would hope so!

> and then scrub for viruses and spam.

Don't forget to rinse after scrubbing.

> While the LDAP queries would prevent this issue, I don't consider the
> inbound relays as part of the same security zone as the Exchange
> Servers. Why? Because the spam whackers are 1. Internet facing, and 2.
> must accept anonymous inbound connections.

What threats are you trying to mitigate? My RFC-friendly general rule of thumb for mail servers is to only accept email for recipients that exist! Google: email backscatter.

...D