On 6/18/07, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
On 6/18/07, Jeroen Massar <jeroen@unfix.org> wrote:
Of course, though 25 is (afaik ;) the most abused one that will annoy a lot of other folks with spam, phishings and virus distribution, though the latter seems to have come to a near halt from what I see.
[snip]
As Joe says (and I agree), trying to fix infected hosts on your network by blocking port 25 is like treating lung cancer with cough syrup.
Perhaps, but I think someone possibly misunderstood the goal behind blocking port 25. It doesn't "fix" an infected host; the point is to mitigate one of the attack vectors by which the infection could spread to new clean hosts, to reduce the range of possible attacks/spreading techniques an infected host could launch -- in some cases, the spread will stop entirely, if the particular software spreads only by connecting to destination mail servers on port 25, and while the hosts may still be infected, there is much less harm (in terms of automatically spamming and spreading to other hosts) that will be possible, with port 25 blocked.

Preventing hosts from just SMTP'ing out just anywhere they like creates a new hurdle for any infection to get over to spread; now any malware suddenly needs to figure out an SMTP server to use, and a username and password to use with SMTP authentication, and any other restrictions imposed by the ISP outgoing MTA.

Think of it as having people infected with TB wearing masks while they are in public. It certainly doesn't cure them of the disease; that's not the point. It's for the protection of possible hosts not yet infected by the parasite. It's no guarantee that the disease doesn't ever spread to someone else, but the opportunity for airborne spread is slightly reduced, and that's the goal.

--
-J