Hi Danny,

I don't think it's a false sense of security. The design was not perfect from a configuration point of view, not a security point of view. Internet facing hosts that accept anonymous inbound connections should never be located on the same security zone as core information assets. I pity the fool who thinks otherwise :))

Once I solve the update issue, the problem is solved. Actually, I have solved it, but need to complete the solution with a netsh script.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx]
> Sent: Tuesday, January 03, 2006 12:56 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation
>
> http://www.ISAserver.org
>
> On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > No. The inbound SMTP relays are in a DMZ away from the core critical
> > assets, such as Exchange, SharePoint and Active Directory.
>
> It appears as though you have created a false sense of security
> because you have created a DNS DoS; your blog story is proof of this.
>
> > The relays accept mail only for my domains, [...]
>
> I would hope so!
>
> > and then scrub for viruses and spam.
>
> Don't forget to rinse after scrubbing.
>
> > While the LDAP queries would prevent this issue, I don't consider the
> > inbound relays as part of the same security zone as the Exchange
> > Servers. Why? Because the spam whackers are 1. Internet facing, and 2.
> > must accept anonymous inbound connections.
>
> What threats are you trying to mitigate?
>
> My RFC-friendly general rule of thumb for mail servers is to only
> accept email for recipients that exist! Google: email backscatter.
>
> ...D