Bryan Bradsby summarized:
First Harold outlined this plan for AGIS modems rented to ISPs:
To address this I have proposed installing filters that will only allow these folks to connect to port 25 of the ISP that has bought the ports. This way they are not able to relay off of anyone else's machine.
Then Roeland recommended:
What I really suggest, and this takes some work on your part, is to contact the site's admin and inform them of their open-relay status.
These are actually two separate issues:

1. Open SMTP relays
2. Dialup ports open to all SMTP servers

While these two issues do interact, and a perfect solution to one of them makes the other much less of an impact, they do both need to be addressed as distinct issues.

Making sure that the SMTP servers that a given dialup user is supposed to use are closed for relaying (but they have to be open to this dialup user to be able to send legitimate mail to anyone) does not solve issue #2 relative to the dialup user. If the dialup user is a spammer using one of the bulk mailing packages, that user will be contacting SMTP servers other than at his ISP in order to "spread the load" and reduce his costs.

What Harold has proposed is to make sure the dialup user is only able to use the SMTP servers of his dialup ISP. Roeland points out that many dialup users need to access the SMTP server of yet another provider they use, but via the dialup of the first. This may be required because the dialup user may be sourcing his mail from a domain he legitimately owns, but which is not recognized by the SMTP server of his dialup ISP.
We do this now. When a site is blocked by our subscription to ORBS, I send them a nice friendly note, admin to admin. How many? A couple hundred a month. Some fix it promptly. Some send me a nice thank you note. Most don't (do either one).
While I do block relaying through my SMTP server (you cannot send to an unrecognized domain from an IP that resolves to an unrecognized domain) and I do block access to SMTP servers other than my own for most dialup users (those known to run their own valid mail servers get an exemption) I do not block known relay SMTP sites. I feel I do not need to do this because I already block my dialup users from all but my own SMTP ports.

Since some spammers actually operate by direct contact to the MX server of the intended reci... err... victim, I feel the port blocking is a better solution than open relay blocking. The former is easier to do and the latter, I feel, is more difficult to do.

I also do not filter source addresses for my customers on my mail servers. Customers of virtual web services can simply direct their outgoing mail (the "SMTP server" hostname in most mail programs, such as Netscape Communicator) through my SMTP server, smtp.intur.net, if they are a dialup customer of ours. Thus they can have their From/Reply state their domain name, and still send e-mail to anyone on the net, including those at places with open relays (not that I condone this).
Then Scott reiterated:
The problem is when the spam-bastard isn't relaying. We've been getting thousands of messages every week from spammers who buy dialup from various places, then connect directly to the destination mail server to deliver the mail. That's what this prevents. I don't know of any other method that does.
If all the ISPs won't do what Harold has proposed, then we have no choice in our own self defense, but to block port 25 from all the modems by IP (and open up corresponding holes for responsible SMTP servers in the same netblock).
I do this by account when I generate the RADIUS files from our database (done when a change is detected on each 15 minute config update cycle). Thus, I can enable the hole on a per-account, not per IP, basis. That keeps me from having long access lists.
But my question is - Would responsible netops be willing to give me a list of their (non-relaying) SMTP servers?
I'm curious what such a list would be used for. Would you limit access to just those SMTP servers? Would that not form a rather long access list?

-- 
-- *-----------------------------* Phil Howard KA9WGN           * --
-- | Inturnet, Inc.              | Director of Internet Services | --
-- | Business Internet Solutions | eng at intur.net              | --
-- *-----------------------------* philh at intur.net            * --
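The per-account port 25 exemption described in the message above, sketched as an added example that is not part of the original post or the poster's actual tooling. The account names, addresses and the two filter names are constructed; the sketch assumes both filters are already defined on the access server and are selected by name through the standard RADIUS `Filter-Id` attribute.

```python
"""Per-account port 25 egress policy, rendered as RADIUS users-file stanzas.

All account names, addresses and filter names below are constructed.
"""
import ipaddress

# Assumption: the ISP's own SMTP servers (documentation address space).
ISP_SMTP = {ipaddress.ip_address("192.0.2.25")}

# Assumption: hypothetical filter names, defined on the access server itself.
FILTER_LOCAL_ONLY = "smtp-local-only"   # port 25 permitted to ISP_SMTP only
FILTER_EXEMPT = "smtp-any"              # port 25 permitted anywhere

# Constructed sample of the account database.
ACCOUNTS = [
    {"user": "alice", "own_mail_server": False},
    {"user": "bobco", "own_mail_server": True},   # known valid mail server
]

def filter_for(account):
    """Pick the filter per account, so no per-IP access list is needed."""
    return FILTER_EXEMPT if account["own_mail_server"] else FILTER_LOCAL_ONLY

def egress_allowed(account, dst_ip, dst_port):
    """Evaluate the policy the selected filter is meant to enforce."""
    if dst_port != 25:
        return True                       # only SMTP is restricted here
    if filter_for(account) == FILTER_EXEMPT:
        return True
    return ipaddress.ip_address(dst_ip) in ISP_SMTP

def render_users(accounts):
    """Emit reply items in users-file layout (authentication check items omitted)."""
    out = []
    for acct in sorted(accounts, key=lambda a: a["user"]):
        out.append(f'{acct["user"]}\n'
                   f'\tService-Type = Framed-User,\n'
                   f'\tFramed-Protocol = PPP,\n'
                   f'\tFilter-Id = "{filter_for(acct)}"\n')
    return "\n".join(out)

if __name__ == "__main__":
    print(render_users(ACCOUNTS))
```

Because the exemption travels with the account record, regenerating the file on each config cycle picks up changes without touching any address-based access list.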