On Fri, May 10, 2002 at 11:27:10AM +1000, Terence Giufre-Sweetser wrote:
Now there's a good idea, and it works, I have several sites running a "port 25" trap to stop smtp abuse.
To stop port 25 abuse at some schools, the firewall grabs all outgoing port 25 connections from !"the mail server" and to !"the mail server", and runs them via "the mail server", which stops header forging, mass RCPT TO: abuse, and VRFY/EXPN probing. Anything that goes past the filters has a nice, clear and traceable Received: line.
If a few of the larger pre-paid ISPs could simply filter port 25 on their accounts, add some sanity checking (like: a user must be using a valid email address in the From:/Return-Path:/Reply-To: lines, etc.) and reject other abuse like RCPT TO: stacking. Plus, add an anti-bulk email check, like Razor or a checksum clearinghouse (yeah, seriously, checksum the outgoing emails; if some humans somewhere have said "this is spam", then /dev/null or BOUNCE the outgoing email).
I'd even be inclined to place these filters at the border to smaller downstream ISPs: let them register their valid email domains, and for any user from their network trying to send invalid email, or email that is listed in Razor, just kill it or auto-refer it to the abuse desk.
[This may sound expensive, but on reflection, a US$2K box with BSD could handle 20Mbps of port 25 (remember, only port 25, nothing else). You would place one behind your dial-up infrastructure, or several for a large site, and your "transparent smtp proxy" would pay for itself by killing off a lot of your abuse@ work. There are many ways of redirecting the port 25 packets; have a look at all the good work done on port 80 transparent proxies.]
// :), patent pending? No, the concept is hereby committed to the public domain. //
Earthlink was doing this for basically all of their consumer-grade (dialup, most of the ADSL, etc.) customers in 1999 (well, almost certainly earlier than that, but I can only personally speak to it being in place then). It doesn't stop absolutely everything, but it's a very good 95% first-pass filter. Don't forget to allocate support queue time for explaining to folks why they can't do SMTP relaying through their other provider where they have a hosting account, though... (Business customers were exempted, but paid hefty setup fees and monthly fees, and if I recall the contract correctly, forfeited all of them for AUP violations, which explicitly included UCE). Keeping the filters up to date is often a painful exercise in assignment coordination testing, too...
-- 
***************************************************************************
Joel Baker
System Administrator - lightbearer.com
lucifer@lightbearer.com
http://users.lightbearer.com/lucifer/
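The checks Terence lists (envelope sender must use a registered domain, From:/Reply-To:/Return-Path: headers must match, no RCPT TO: stacking, a checksum lookup against messages humans have already reported as spam, and a traceable Received: line on whatever is relayed) can be stated as a small policy engine. The block below is an added example written for this page, not code from Terence Giufre-Sweetser, Earthlink or any ISP; the domain list, recipient limit, proxy name and sample sessions are constructed assumptions, and the local SHA-256 digest set stands in for a Razor/DCC-style clearinghouse query. Packet redirection (pf/ipfw/iptables) is outside the block; it only decides what a transparent SMTP proxy does with a session once it has it.

```python
# Added example (not the original post's code): policy engine for an
# outbound transparent SMTP proxy. Domains, limits and sessions below
# are constructed assumptions; spam_digests stands in for a Razor/DCC lookup.
import email
import hashlib
import re
from email.utils import parseaddr


def sender_domain(addr):
    """Return the lower-cased domain of an address, or None if it has none."""
    _, mailbox = parseaddr(addr)
    if "@" not in mailbox:
        return None
    return mailbox.rsplit("@", 1)[1].lower()


def body_digest(data):
    """Checksum of the message body with case and whitespace normalised, so
    trivial mutations of a bulk message still match the reported copy."""
    parts = re.split(r"\r?\n\r?\n", data, maxsplit=1)
    body = parts[1] if len(parts) == 2 else ""
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def evaluate(session, policy):
    """Apply the outbound checks to one SMTP session.

    session: {'client_ip', 'mail_from', 'rcpt_to': [...], 'data': str}
    policy:  {'allowed_domains', 'max_rcpt', 'spam_digests', 'proxy_name'}
    Returns (action, smtp_reply, data_to_relay); action is 'relay',
    'reject' or 'refer' (kill it and hand it to the abuse desk).
    """
    allowed = policy["allowed_domains"]

    # 1. Envelope sender must use a domain registered for this network.
    if sender_domain(session["mail_from"]) not in allowed:
        return "reject", "550 envelope sender domain not registered here", None

    # 2. No RCPT TO: stacking: cap recipients per message.
    rcpts = session["rcpt_to"]
    if len(rcpts) > policy["max_rcpt"]:
        return "reject", f"452 too many recipients ({len(rcpts)} > {policy['max_rcpt']})", None

    # 3. Header sanity: From:/Reply-To:/Return-Path: must match a registered domain.
    msg = email.message_from_string(session["data"])
    for hdr in ("From", "Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if value is not None and sender_domain(value) not in allowed:
            return "reject", f"550 {hdr}: header domain not registered here", None

    # 4. Bulk-mail check: a body already reported as spam is never relayed.
    if body_digest(session["data"]) in policy["spam_digests"]:
        return "refer", "550 message checksum listed as bulk mail; referred to abuse desk", None

    # 5. Stamp a clear, traceable Received: line before relaying.
    received = (f"Received: from [{session['client_ip']}] by {policy['proxy_name']} "
                f"(transparent smtp proxy) for {', '.join(rcpts)}\r\n")
    return "relay", "250 accepted", received + session["data"]


# Constructed sample policy and sessions (assumptions, not real sites).
POLICY = {
    "allowed_domains": {"example-school.edu"},
    "max_rcpt": 25,
    "proxy_name": "smtp-proxy.example-school.edu",
    "spam_digests": set(),
}
BULK_MESSAGE = ("From: promo@example-school.edu\nSubject: MAKE MONEY FAST\n\n"
                "Earn $$$ from home! Click now!\n")
# A "some human said this is spam" report populates the checksum store.
POLICY["spam_digests"].add(body_digest(BULK_MESSAGE))

LEGIT = {"client_ip": "10.1.2.3", "mail_from": "<student@example-school.edu>",
         "rcpt_to": ["friend@example.net"],
         "data": ("From: student@example-school.edu\nTo: friend@example.net\n"
                  "Subject: hi\n\nSee you at five.\n")}
FORGED = dict(LEGIT, data="From: ceo@bank.example.org\nTo: friend@example.net\n\nUrgent.\n")
STACKED = dict(LEGIT, rcpt_to=[f"user{i}@example.net" for i in range(40)])
MUTATED_BULK = dict(LEGIT, mail_from="<promo@example-school.edu>",
                    data=("From: promo@example-school.edu\nSubject: hello\n\n"
                          "  earn $$$ FROM home!   click NOW!  \n"))

if __name__ == "__main__":
    for name, s in (("legit", LEGIT), ("forged", FORGED),
                    ("stacked", STACKED), ("bulk", MUTATED_BULK)):
        action, reply, _ = evaluate(s, POLICY)
        print(f"{name:8} -> {action:6} {reply}")
```

Note that the null sender (`MAIL FROM:<>`) has no domain and is rejected by check 1; that is deliberate for user hosts behind the proxy, since only the site's own mail server should be originating bounces, and the firewall rule in the thread exempts that server from redirection in the first place.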