Stopping Spammers Who Exploit Secondary MX?

drteknikal asks: "I'm the admin for a small law firm. We use our ISP as our secondary mx. We are receiving spam from our secondary mx even when our primary has been continually available. We suspect that spammers are routing to our secondary MX to bypass the DNS-based spam filtering on our primary. After examining some of the traffic, our ISP agrees. Neither of us sees an immediate solution, given the purpose and function of secondary MX. They already restrict relaying to hosts on their network. Has anyone else seen this? Does anyone have suggestions on how an ISP could secure their mail exchangers without interfering with the functionality required to function as secondary MX for an external domain?"

Re:Secondary MX are often unneccessary.

[menscher]

Yes, one is enough for a small site that doesn't care much about not losing any incoming email. But for a more serious site, it's necessary to have a backup. Here's why:

Let's say you have some scheduled downtime of your main server. Let's imagine that the downtime lasts more than four hours. Do you want all the senders to get delay notifications?

What if the downtime is worse, due to a total disk failure, for example. It could easily take more than a day to get back online. Many sender systems won't keep trying for more than 24 hours. Wouldn't it be nice if you could have all incoming mail saved locally? Then you could store it as long as you deem appropriate, rather than depending on the sending sites to do so.