Owen wrote:
On Oct 25, 2011, at 3:29 AM, <Valdis.Kletnieks at vt.edu> wrote:
On Tue, 25 Oct 2011 02:35:31 PDT, Owen DeLong said:
If they are using someone else's mail server for outbound, how, exactly do you control whether or not they use AUTH in the process?
1) You don't even really *care* if they do or not, because...
2) if some other site is running with an un-AUTHed open port 587, the miscreants will find it and abuse it just like any other open mail relay. The community will deal with it quick enough so you don't have to. And at that point, it's the open mail relay's IP that ends up on the block lists, not your mail relay's IP.
But that applies to port 25 also, so, I'm not understanding the difference.
Other people running open port 587s tends to be quite self-correcting.
At this point, so do open port 25s.
Owen
I'll try to explain with text stick-diagrams...

The players are:
G - good user
B - botnet host
I - ISP
O - open relay
S - mail-submission relay
V - victim SMTP/mailbox host

It's all about how port-25 traffic containing SPAM gets to machine "V". (Or not, which is the preferred situation.)

Possible routes include:
B.25 -> (I allows 25) -> O -> V (classic open relay) [SPAM]
B.25 -> (I allows 25) -> V (new mode, and what William Herrin is talking about) [SPAM]
B.587 -> (I !allow 25) -> V (but that makes no sense - how does B authenticate to the victim? She doesn't!!) [BLOCKED]
B.587 -> (I !allow 25) -> S (ditto - not an open unauthenticated relay, only allows authenticated relaying!!!) [BLOCKED]

Meanwhile, we have:
G.587 -> (I !allow 25) -> S.g.587/.25 (mail submission gateway for G) -> V.25 [NOT-SPAM && NOT-BLOCKED]

S.g is either G's enterprise mail server, or G's home mail server, or G's ISP themselves, or some other S to which G can authenticate. S.g receives on 587, and sends on 25, and is a generally reputable port-25 host (whatever that means).

So, basically, not blocking 587 and blocking 25 removes all the avenues for direct botnet spam. Authenticating botnet sources become trackable on auth-hosts, and easy to shut down.

Is there some path not listed above that could allow a spammer (botnet host) behind the ISP to send email, without having a relay host to which it can authenticate, that I'm not seeing?

Brian
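The five routes in Brian's diagram, walked by a small policy model. This is an added example written for this page, not code from anyone in the thread; the host flags (who listens on 25, who offers AUTH-only submission on 587, who relays unauthenticated mail) and the account name "G" on the submission relay are constructed to match the diagram. It shows why the ISP egress filter on port 25, combined with mandatory AUTH on 587, leaves the botnet host B with no delivery path while the good user G still reaches V through S.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Host:
    """One box in the diagram; flags are constructed for this example."""
    name: str
    accepts_25: bool = False            # listens for unauthenticated SMTP on 25
    submission_587: bool = False        # offers 587, AUTH mandatory
    relays_unauth: bool = False         # open relay: forwards anything it gets
    accounts: FrozenSet[str] = frozenset()  # senders that can AUTH here


def route(sender: str, port: int, isp_blocks_25: bool,
          path: List[Host]) -> Tuple[str, str]:
    """Follow a route hop by hop; return ('delivered'|'blocked', reason).

    The first hop is the sender's own connection (25 or 587) and is subject
    to the ISP egress policy. Later hops are server-to-server on port 25 and
    are outside the residential filter, as in the diagram.
    """
    if not path:
        return ("blocked", "no destination")
    first = path[0]
    if port == 25:
        if isp_blocks_25:
            return ("blocked", "ISP egress filter drops outbound 25")
        if not first.accepts_25:
            return ("blocked", f"{first.name} does not listen on 25")
    elif port == 587:
        if not first.submission_587:
            return ("blocked", f"{first.name} has no submission service")
        if sender not in first.accounts:
            return ("blocked", f"{first.name} requires AUTH; {sender} has no account")
    else:
        return ("blocked", f"unsupported port {port}")
    # Each intermediate host must be willing to relay onward on 25.
    for hop, nxt in zip(path, path[1:]):
        if not (hop.relays_unauth or sender in hop.accounts):
            return ("blocked", f"{hop.name} will not relay for {sender}")
        if not nxt.accepts_25:
            return ("blocked", f"{nxt.name} does not accept 25 from {hop.name}")
    return ("delivered", f"reached {path[-1].name}")


# Constructed hosts matching the diagram's players.
V = Host("V", accepts_25=True, submission_587=True, accounts=frozenset({"v-user"}))
O = Host("O", accepts_25=True, relays_unauth=True)
S = Host("S", submission_587=True, accounts=frozenset({"G"}))

ROUTES = {
    "B.25 -> O -> V":  ("B", 25, [O, V]),
    "B.25 -> V":       ("B", 25, [V]),
    "B.587 -> V":      ("B", 587, [V]),
    "B.587 -> S":      ("B", 587, [S]),
    "G.587 -> S -> V": ("G", 587, [S, V]),
}


def outcomes(isp_blocks_25: bool) -> dict:
    """Outcome of every listed route under one ISP egress policy."""
    return {name: route(sender, port, isp_blocks_25, path)[0]
            for name, (sender, port, path) in ROUTES.items()}


if __name__ == "__main__":
    for policy in (False, True):
        print(f"ISP blocks outbound 25: {policy}")
        for name, (sender, port, path) in ROUTES.items():
            print(f"  {name:18s} {route(sender, port, policy, path)}")
```

With `isp_blocks_25=False` both B.25 routes deliver spam; with it set, every B route is blocked and only the authenticated G route reaches V. The model also makes Brian's closing question concrete: a new route only succeeds if it either starts on port 25 (dropped by the filter) or passes through a host where the sender can AUTH, which is exactly the trackable case he describes.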
Participants (1): Brian Dickson