On Thu, 2010-09-02 at 23:08 -0500, Jack Bates wrote:
> He's right though. tcp/25 blocks are a hack. Easy man's way out.
> Also, this can be a little problematic to end users.
> Honestly, it'd be nicer if edge or even core systems could easily handle higher level filtering for things like this. There's plenty of systems that watch traffic patterns and issue blocks based on those patterns.
I am not an ISP, but provide consulting services to ISPs. My approach to this problem is somewhat more dynamic than simple blocking of outbound port 25. Bear in mind that I don't do much consulting for companies that are transport for other ISPs (though I have a few of those types of clients). My approach is quite simple, but has been pretty effective for those clients that are using it:

* Watch for outbound mail checking traffic (TCP/110, TCP/143, etc.) and capture the server IPs these users are talking to
* Permit outbound SMTP coming FROM known mail servers inside the network
* Permit inbound SMTP going TO known mail servers inside the network
* Permit outbound SMTP going TO mail servers that our end users use to CHECK their mail
* Log the IP of the end users trying to send outbound email via a server that is NOT on the above list.
* Deny all other outbound SMTP

This method is nearly 100% effective in eliminating spam bots that are currently the most common type. These spam bots originate SMTP connections direct to the MX for the list they are sending mail to. This method is relatively problem-free for the ISP once it is set up.

-- 
********************************************************************
* Butch Evans                  * Professional Network Consultation *
* http://www.butchevans.com/   * Network Engineering               *
* http://store.wispgear.net/   * Wired or Wireless Networks        *
* http://blog.butchevans.com/  * ImageStream, Mikrotik and MORE!   *
********************************************************************
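The six-rule policy above, written out as a small policy engine over flow records. This is an added example, not code from the post or from Butch Evans; the customer prefix, mail-server addresses and sample flows are constructed values, and a real deployment would feed this from NetFlow or firewall logs rather than an in-memory list.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst dport")  # one observed TCP connection attempt
# Constructed sample addressing (not from the post); a real deployment loads this from config.
CUSTOMER_NET = ip_network("198.51.100.0/24")
INTERNAL_MAIL_SERVERS = {ip_address("198.51.100.10")}
MAIL_CHECK_PORTS = {110, 143}  # POP3 and IMAP as in the post; add 995/993 for TLS

def learn_remote_mail_servers(flows):
    """Step 1: every server a customer checks mail on becomes a permitted relay."""
    learned = set()
    for f in flows:
        if ip_address(f.src) in CUSTOMER_NET and f.dport in MAIL_CHECK_PORTS:
            learned.add(ip_address(f.dst))
    return learned

def smtp_verdict(flow, remote_servers):
    """Permit/log/deny decision for a single TCP/25 connection attempt."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if flow.dport != 25:
        return "not-smtp"
    if src in INTERNAL_MAIL_SERVERS:
        return "permit"        # outbound SMTP from a known internal mail server
    if dst in INTERNAL_MAIL_SERVERS:
        return "permit"        # inbound SMTP to a known internal mail server
    if src in CUSTOMER_NET and dst in remote_servers:
        return "permit"        # customer relaying through the server it reads mail from
    if src in CUSTOMER_NET:
        return "log-and-deny"  # customer host going direct-to-MX: the bot pattern
    return "deny"              # all other SMTP

def evaluate(flows):
    """Run the whole policy over a batch; returns verdicts and customer IPs to log."""
    remote = learn_remote_mail_servers(flows)
    verdicts, flagged = [], set()
    for f in flows:
        v = smtp_verdict(f, remote)
        verdicts.append(v)
        if v == "log-and-deny":
            flagged.add(f.src)
    return verdicts, flagged

# Constructed sample flows: IMAP check then relay, the ISP's MX both ways, a bot direct-to-MX.
SAMPLE_FLOWS = [
    Flow("198.51.100.20", "203.0.113.5", 143),
    Flow("198.51.100.20", "203.0.113.5", 25),
    Flow("198.51.100.10", "192.0.2.1", 25),
    Flow("192.0.2.1", "198.51.100.10", 25),
    Flow("198.51.100.77", "192.0.2.33", 25),
]
```

Note that the learning step is order-dependent in a live deployment: a customer who sends before ever checking mail on a given server would be logged until that server is learned.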