Most of the spam I'm seeing comes directly from end user hosts that have either an open proxy on them or some kind of malware with its own SMTP engine designed to send out junk.. in this model the only port 25 traffic is that from the end host coming outwards, I believe you're suggestion is to filter port 25 towards hosts.
Even blocking the outbound 25 traffic (eg pushing it via the ISP SMTP relay) will not stop the emails. It is possible to extend this and implement some sort of statistical sanity checking on the mail being relayed (eg alarm/deny mail once it exceeds X/minute/host) which is
We do that here, and I agree it should be a standard practice from the dialup/broadband/etc. provider standpoint. Aren't some of the newer malware/viri using the SMTP setting out of the email client to send through now to get around that anyway? It really shouldn't matter though. I'd rather be: a.) blocking the port 25 traffic and b.) virus scanning the outbound mail, than dealing with the thousands of "Your user tried to hack my system. I'm calling the FBI on you." messages. Eric -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of John Curran Sent: Tuesday, April 13, 2004 3:53 PM To: Stephen J. Wilcox Cc: nanog@merit.edu Subject: Re: Lazy network operators At 8:39 PM +0100 4/13/04, Stephen J. Wilcox wrote: potentially a workable solution. Steve, I'm very much suggesting blocking outward to the Internet port 25 traffic, except from configured mail relays for that end-user site. Those hosts which have MSTP malware are stopped cold as a result. /John