From nanog-bounces@nanog.org Wed Sep 3 11:58:37 2008
From: Alec Berry <alec.berry@restontech.com>
Subject: Re: ingress SMTP
Michael Thomas wrote:
> I think this all vastly underrates the agility of the bad guys. So lots of ISP's have blocked port 25. Has it made any appreciable difference? Not that I can tell. If you block port 25, they'll just use another port and a relay if necessary.
I'm pretty sure it has, although without aggregate stats from various ISPs it is hard to tell. Since mail transport is exclusively on port 25 (as opposed to mail submission), a bot cannot just hop to another port.
One small data-point -- on a personal vanity domain, approximately 2/3 of all the spam (circa 15k junk emails/month) was 'direct to inbound MX' transmissions. The vast majority of this is coming from end-user machines outside of North America. China, India, Thailand, Brazil, Poland, "CZ", and a couple of providers each in Germany and France, appear to be the most prevalent sources _I_ see.

The message count would be a fair bit higher, but I have several overseas networks (4 in DE, 2 in TW, 1 in CZ) plus pieces of 2 domestic networks (*da.uu.net, *pub-ip.psi.net) blocked at the firewall. Also firewalled are a couple of dozen IP addresses that have -each- made over 10k attempts to _relay_ mail through me.

I'm seeing a significant amount of 'Received' header forgery, apparently intended to fool "dumb" header parsers into believing the direct-to-MX transmission _did_ go through the server associated with the domain used in the "from: ", "from ", and "Reply-to: " lines. The good news is that only a _really_ dumb parser would be fooled by most of what I'm seeing. :)
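The Received-header forgery described above, as an added example that is not code from the thread or from any of its posters. It contrasts a "dumb" parser, which believes the bottom-most Received line, with one that only trusts the line the receiving MX wrote itself and treats everything below it as the connecting host's unverified claim. All hostnames and addresses are constructed (RFC 5737 documentation ranges), and the SENDER_HOSTS table is a stand-in for the SPF or MX lookup a real filter would do.

```python
import re
from email import message_from_string

# Hosts whose Received lines we wrote ourselves (hypothetical name).
TRUSTED_MX = {"mx.example.net"}

# Constructed stand-in for an SPF / MX lookup: the hosts allowed to hand us
# mail for a given From: domain.
SENDER_HOSTS = {"sender-domain.example": {"198.51.100.5"}}

# Constructed sample 1: a botted host (203.0.113.77) connects straight to our
# inbound MX and supplies a forged Received line below ours, claiming the mail
# already passed through the From: domain's own server.
FORGED = """\
Received: from mail.sender-domain.example (unknown [203.0.113.77])
\tby mx.example.net (Postfix) with ESMTP id 0000000001
\tfor <user@example.net>; Wed, 3 Sep 2008 11:58:37 -0400
Received: from client.sender-domain.example (client.sender-domain.example [198.51.100.5])
\tby mail.sender-domain.example (Postfix) with ESMTP id 0000000002
\tfor <user@example.net>; Wed, 3 Sep 2008 11:57:00 -0400
From: someone@sender-domain.example
Reply-To: someone@sender-domain.example
Subject: constructed forged sample

body
"""

# Constructed sample 2: the domain's real server relays a message for one of
# its users; the lower hop is genuine this time.
LEGIT = """\
Received: from mail.sender-domain.example (mail.sender-domain.example [198.51.100.5])
\tby mx.example.net (Postfix) with ESMTP id 0000000003
\tfor <user@example.net>; Wed, 3 Sep 2008 12:00:00 -0400
Received: from [10.0.0.8] (workstation.sender-domain.example [10.0.0.8])
\tby mail.sender-domain.example (Postfix) with ESMTPA id 0000000004
\tfor <user@example.net>; Wed, 3 Sep 2008 11:59:00 -0400
From: someone@sender-domain.example
Subject: constructed legitimate sample

body
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the HELO name, bracketed client IP and 'by' host out of one Received line."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("info") or "")
    return {"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower()}


def hops(msg):
    """Parsed Received lines, most recent first, in message order."""
    return [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]


def naive_origin(msg):
    """The 'dumb' parser: believe the bottom-most (earliest) Received line."""
    chain = hops(msg)
    return chain[-1]["ip"] if chain else None


def trusted_origin(msg, trusted_mx):
    """Walk from the top and stop at the first line we wrote ourselves. Its client
    IP is the host that actually connected; every line below it was supplied by
    that host and is only a claim. Returns (connecting_ip, unverified_hops)."""
    chain = hops(msg)
    for i, hop in enumerate(chain):
        if hop["by"] in trusted_mx:
            return hop["ip"], chain[i + 1:]
    return None, []


def sender_domain(msg):
    addr = msg.get("From", "")
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def assess(raw, trusted_mx=TRUSTED_MX, sender_hosts=SENDER_HOSTS):
    msg = message_from_string(raw)
    connecting_ip, unverified = trusted_origin(msg, trusted_mx)
    domain = sender_domain(msg)
    direct_to_mx = (connecting_ip is not None
                    and connecting_ip not in sender_hosts.get(domain, set()))
    # The forgery in the thread: the unverified hops say the mail went through
    # the From: domain's server, yet the host that reached us is not one of them.
    claims_domain_relay = any(h["by"] == domain or h["by"].endswith("." + domain)
                              for h in unverified)
    return {
        "from_domain": domain,
        "connecting_ip": connecting_ip,
        "naive_origin_ip": naive_origin(msg),
        "unverified_hops": len(unverified),
        "direct_to_mx": direct_to_mx,
        "forged_relay_claim": direct_to_mx and claims_domain_relay,
    }


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("legit", LEGIT)):
        print(name, assess(raw))
```

On the forged sample the naive parser reports 198.51.100.5, the domain's legitimate server, while the trusted walk reports the real client 203.0.113.77 and flags the relay claim; on the legitimate sample both agree that nothing is amiss. The key design choice is that trust stops at the first Received line the local MX wrote, so no number of plausible-looking lines the client appends can move the origin.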