Case Study: Filter appliance integration

Problem: Several Wedge Networks BeSecure appliances were installed to handle spam filtering due to load issues on the MX server cluster. Apart from providing better prices on licenses for commercial-grade spam filtering software, the appliances made it possible to scale spam filtering capacity separately from MX capacity, which was desirable because the resources needed for spam filtering had undergone rapid changes in the recent past, while legitimate mail remained relatively steady.

Unfortunately, while IP transparency was planned for future versions of the BeSecure software, it was not available for the initial rollout. This rendered SPF ineffective: SPF uses the originating IP address of the SMTP connection to decide whether the remote server is permitted to send mail on behalf of a domain, but with the appliances in the path every connection to the mail servers now arrived from an appliance address, so the check was evaluated against the appliance's IP rather than the true sender's. With forged senders no longer rejected at SMTP time, spammers were exploiting the mail servers to send bounce-spam. The mail servers were listed on several blackhole lists, and the resulting problems in delivering messages caused their queues to grow very large. Therefore, we needed an interim solution until IP transparency became available.

Solution: We worked with the BeSecure team to devise a protocol for the BeSecure appliances to communicate the originating IP address to the mail servers. This was done by means of a custom header added to each message on its way through the filter. The BeSecure appliances were updated to include this header, and a plug-in was written for the mail servers, allowing them to parse the header and drop messages in violation of their domain's SPF policy.

Due to resource constraints, care had to be taken to ensure that the SPF plug-in did not buffer messages: using temp files would be very disk I/O intensive, and buffering in memory would have a large impact on memory usage. Instead, the plug-in skims the information it needs from the headers as the message streams through to the next stage of the delivery process. If SPF policy dictates that the message be dropped, that decision is passed on before full delivery is attempted.
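The following is an added illustration of the two ideas above (an origin-IP header injected by the filter and a streaming SPF check that decides at the end of the header block); it is example code written for this page, not the BeSecure appliance's or the plug-in's actual code. The header name `X-Filter-Origin-IP`, the appliance addresses, the SPF records and the sample message are all constructed for the example. It also shows the check a practitioner would want that the page does not spell out: the header is only honoured when the TCP peer is one of the appliances, and every copy of it is stripped, because otherwise any remote sender could write the same header and name a permitted IP.

```python
import ipaddress
from typing import Iterable, Iterator, List, Optional, Tuple

# Hypothetical name for the header the appliance adds; the page does not give
# the real one. Header names compare case-insensitively.
ORIGIN_HEADER = "x-filter-origin-ip"

# Peers allowed to assert an origin IP (constructed addresses). The header is
# only trustworthy when the TCP peer is an appliance; anyone else could forge it.
TRUSTED_APPLIANCES = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("10.0.0.6")}

# Constructed stand-in for the DNS TXT lookups a real SPF check performs.
FAKE_SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "softfail.test": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, client_ip: str) -> str:
    """Minimal SPF evaluation: ip4/ip6 mechanisms plus the 'all' catch-all.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    record = FAKE_SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # a/mx/include/exists need DNS and are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


class Rejected(Exception):
    """Raised when the header block ends, before any body line is forwarded."""


def stream_filter(peer_ip: str, mail_from: str, lines: Iterable[bytes]) -> Iterator[bytes]:
    """Forward message lines one at a time without buffering the message.

    Inside the header block it skims ORIGIN_HEADER and strips every copy of it
    (including folded continuation lines), so a forged one never reaches the
    next hop. At the blank line ending the headers, SPF is evaluated against the
    asserted origin IP if the peer is a trusted appliance, else against the peer
    IP itself, and the message is rejected before the body is forwarded.
    """
    trusted = ipaddress.ip_address(peer_ip) in TRUSTED_APPLIANCES
    # RFC 7208 falls back to the HELO identity for a null sender; here "" has no record.
    domain = mail_from.rsplit("@", 1)[-1]
    origin_ip: Optional[str] = None
    in_headers = True
    skipping_folded = False  # continuation lines of a stripped header

    def decide() -> None:
        client_ip = origin_ip if (trusted and origin_ip) else peer_ip
        if spf_check(domain, client_ip) == "fail":
            raise Rejected(f"SPF fail: {client_ip} may not send for {domain}")

    for raw in lines:
        if in_headers:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if line == "":
                in_headers = False
                decide()
            elif line[0] in " \t":
                if skipping_folded:
                    continue
            else:
                skipping_folded = False
                name, _, value = line.partition(":")
                if name.strip().lower() == ORIGIN_HEADER:
                    skipping_folded = True
                    try:
                        if origin_ip is None:
                            origin_ip = str(ipaddress.ip_address(value.strip()))
                    except ValueError:
                        pass  # malformed value: ignore it and fall back to the peer IP
                    continue
        yield raw
    if in_headers:  # headers-only message with no terminating blank line
        decide()


def run(peer_ip: str, mail_from: str, lines: List[bytes]) -> Tuple[str, List[bytes]]:
    """Drive the generator to completion. Returns the verdict and the lines that
    were forwarded before the decision (no body line appears for a rejection)."""
    forwarded: List[bytes] = []
    try:
        for line in stream_filter(peer_ip, mail_from, lines):
            forwarded.append(line)
    except Rejected:
        return "rejected", forwarded
    return "accepted", forwarded


def sample_message(origin: str) -> List[bytes]:
    """Constructed message as it would arrive from an appliance."""
    return [
        b"Received: from appliance.internal (10.0.0.5)\r\n",
        f"X-Filter-Origin-IP: {origin}\r\n".encode(),
        b"From: someone@example.com\r\n",
        b"Subject: test\r\n",
        b"\r\n",
        b"body line 1\r\n",
    ]


if __name__ == "__main__":
    print(run("10.0.0.5", "someone@example.com", sample_message("203.0.113.9")))
```

Run against the constructed records, a message relayed by an appliance with origin 203.0.113.9 for example.com is rejected after three header lines and before the body, the same message with origin 192.0.2.10 passes with the origin header stripped, and a direct connection from 198.51.100.200 that carries a forged origin header is checked against 198.51.100.200 and rejected.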

Result: SPF was fully functional again. The mail servers were de-listed from the blackhole lists, and the mail queues were reduced to manageable levels.