Leigh:

How many customers do you serve that you have just 50 exceptions? It's my understanding that the most efficient way to keep things clean for cable modem subscribers is to educate subscribers to use port 587 with SMTP AUTH for both the ISP's own servers and their customer's external mail server, and then block destination port 25 on the cable modem. For alternative access technologies, block destination port 25 on the access gear or core routers/firewalls.

Regards,

Frank

-----Original Message-----
From: Frank Bulk
Sent: Thursday, April 12, 2007 7:48 AM
To: Mikael Abrahamsson
Cc: nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks

Mikael Abrahamsson wrote:
On Wed, 11 Apr 2007, Frank Bulk wrote:
It truly is a wonder that Comcast doesn't apply DOCSIS config file filters on their consumer accounts, leaving just the IPs of their email servers open. Yes, it would take an education campaign on their part for all the consumers that do use alternate SMTP servers, but imagine how much work it would save their abuse department in the long run.
There are several large ISPs (millions of subscribers) that have done away with TCP/25 altogether. If you want to send email thru the ISPs own email system you have to use TCP/587 (SMTP AUTH).
Yes, this takes commitment and resources, but it's been done successfully.
You don't even need to do that. We just filter TCP/25 outbound and force people to use our mail servers that have sensible rate limiting etc. People who use alternate SMTP servers can fill in a simple web form to have them added to the exception list. We have about 50 on this list so far.

--
Leigh Porter
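
The outbound TCP/25 filter with an exception list discussed in this thread, sketched as an nftables ruleset for a Linux router in the forwarding path. This is an added example, not configuration from any of the posters or their networks. All addresses are documentation ranges, the set and chain names are made up for illustration, and modelling each exception as a subscriber/server pair is an assumption.

```nftables
# Added example: egress SMTP policy for subscriber address space (IPv4 only;
# an equivalent "table ip6" is needed if subscribers have IPv6).
table ip subscriber_egress {

    # Assumption: address ranges handed out to subscribers.
    set subscriber_nets {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }

    # Assumption: the ISP's own rate-limited mail servers.
    set isp_mail_servers {
        type ipv4_addr
        elements = { 192.0.2.25, 192.0.2.26 }
    }

    # Exception list fed by the web form: subscriber address paired with the
    # alternate SMTP server that subscriber asked for (constructed entry).
    set smtp_exceptions {
        type ipv4_addr . ipv4_addr
        elements = { 198.51.100.17 . 203.0.113.10 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # Only traffic sourced from subscribers is subject to the SMTP policy.
        ip saddr @subscriber_nets tcp dport { 25, 587 } jump smtp_egress
    }

    chain smtp_egress {
        # Submission with SMTP AUTH is allowed to any server.
        tcp dport 587 accept
        # Port 25 is allowed only to the ISP's own mail servers ...
        ip daddr @isp_mail_servers accept
        # ... or to a destination this subscriber has registered.
        ip saddr . ip daddr @smtp_exceptions accept
        # Everything else on TCP/25 is dropped; the counter shows how much
        # direct-to-MX traffic the filter is absorbing.
        counter drop
    }
}
```

New exceptions can be added at runtime with `nft add element ip subscriber_egress smtp_exceptions { <subscriber> . <server> }`, so the web form does not require reloading the ruleset.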