We do block port 25 as suggested in earlier in the thread. Now the problem is the spambots use our smarthost(s) to spew their garbage and the smarthosts are blocked. there is an easy if somewhat impractical anwswer ;~} access-list network-egress deny ip any any log Think of all the bandwidth charges this would save... Seriosly though if anyone on the list has any solutions for rate limiting SMTP in a sendmail environment please reply off list. Scott C. McGrath On Mon, 16 Feb 2004, Timothy R. McKee wrote:
Personally I don't see where ingress filters that only allow registered SMTP servers to initiate TCP connections on port 25 is irresponsible.
Any user sophisticated enough to legitimately require a running SMTP server should also have the sophistication to create a dns entry and register it with his upstream in whatever manner is required.
There will never be a painless or easy solution to this problem, only a choice where we select the lesser of all evils.
Tim
-----Original Message----- From: Petri Helenius [mailto:pete@he.iki.fi] Sent: Monday, February 16, 2004 16:06 To: Timothy R. McKee Cc: 'J Bacher'; nanog@merit.edu Subject: Re: Anti-spam System Idea
Timothy R. McKee wrote:
There will *never* be a concerted action by all service providers to filter ingress/egress on abused ports unless there is a legal requirement to do so. Think 'level playing field'...
HavenĀ“t it been stated enough times previously that blindly blocking ports is irresponsible?
There are ways to similar, if not more accurate results without resorting to shooting everything that moves.
Pete