Same concerns here. Glad to know we're not alone. I think a transition to blocking outbound SMTP (except for one's own e-mail servers) would benefit from an education campaign, but perhaps the pain level is small enough that it can implemented without. One could start doing a subnet block a day to keep the helpdesk people sane, and then apply a global block at the edge once "done" to catch any subnets that one might have missed. Frank -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Kameron Gasso Sent: Friday, March 07, 2008 2:44 PM To: Justin M. Streiner Cc: NANOG Subject: Re: Customer-facing ACLs Justin M. Streiner wrote:
I do recall weighing the merits of extending that to drop outbound SMTP to exerything except our mail farm, but it wasn't deployed because there was a geat deal a fear of customer backlash and that it would drive more calls into the call center.
This seems to be very common practice these days for larger ISPs/dialup aggregators using the appropriate RADIUS attributes on supported access servers. We generally restrict outbound SMTP on our dial-up users so they may only reach our hosts (or the mail hosts of our wholesale customers). Our DSL subscribers, both dynamic and static, are currently unfiltered -- but we're very quick to react to abuse incidents and apply filters when necessary until the user cleans up their network. I'm currently on the fence with regards to filtering SMTP for all of our dynamic DSL folks. It'd be nice to prevent abuse before it happens, but it's a matter of finding the time to integrate the filtering into our wholesale backend and making sure there aren't any unforeseen issues. -- Kameron