[Dshield] ISP's not blocking egress 25/tcp (was: spoofed address)
jayjwa at atr2.ath.cx
Fri Jan 23 19:10:51 GMT 2004
On Thu, 22 Jan 2004, Erik van Straten wrote:
> I have been advocating blocking egress 25/tcp traffic on our campus,
> with the exception of some legitimate mailservers (like mine :).
> However, because of some issues (that can probably be fixed), and
> perhaps because our main MTA is blacklisted, this measure is not yet
> effective (it certainly does not help). Thank you SORBS.
> Is anyone aware of advantages or complications of blocking outbound
> SMTP that I missed?
The trouble is, everyone wants _their_ server clear, but everyone else's
blocked (on ISP's networks, your example above). I don't use my ISP's MTA,
but my own. I'd hate to think what my inbox would look like, had I opted
to use theirs. To be sure, they will let in far more than I ever would.
They kind of have to; because of their size and number of clients, they
can't do the broad, blanket blacklisting that I do. SomeNetwork just
mailed SPAM to me for the 10th time this week? Banned. That works here,
because no one knows anyone on that network anyway. If configured
properly, I think that users running their own mailservers instead of
using their ISP's can be even more resistant to SPAM. If an admin notices
a large amount of outbound traffic coming from a client's mailer, then he
can take action, but those of us that don't SPAM and use our servers
correctly shouldn't be punished. Plus, I've seen many cases where a server
will sit around, up on a higher port, say 5550, and send from there. If
you can confirm the source of a SPAM, take a look at the computer that
sent it out. Many times it's a Windows-WinNT machine running a mailserver
on a high port. I doubt a legit company is mass-sending email from a
Windows 98 machine from port 5685 =)
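The two defensive ideas in the thread, an egress 25/tcp policy with an allowlist of legitimate mailservers and an admin watching for a client mailer that suddenly fans out to many peers, as an added example that is not part of the original post or the DShield list. The campus range (TEST-NET-1), the single allowed MTA, the flow records and the fan-out threshold are all constructed here for illustration.

```python
"""Egress SMTP policy check over constructed flow records.

Added example, not code from the DShield thread. Assumes a minimal flow
record shape (src_ip, dst_ip, dst_port, bytes_out) such as a NetFlow or
firewall log export would provide.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed values: a hypothetical campus range in the TEST-NET-1 block and
# the one mailserver that is allowed to speak SMTP to the outside.
CAMPUS_NET = ip_network("192.0.2.0/24")
ALLOWED_MTAS = {ip_address("192.0.2.25")}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out).
SAMPLE_FLOWS = [
    ("192.0.2.25", "203.0.113.10", 25, 4200),    # the allowed MTA delivering mail
    ("192.0.2.77", "203.0.113.11", 25, 900),     # a workstation talking to MXes directly
    ("192.0.2.77", "203.0.113.12", 25, 950),
    ("192.0.2.77", "203.0.113.13", 25, 1000),
    ("192.0.2.80", "198.51.100.5", 5550, 1200),  # high port, not covered by a 25/tcp rule
    ("192.0.2.81", "198.51.100.6", 443, 20000),  # ordinary HTTPS, ignored
]


def egress_smtp_violations(flows, campus=CAMPUS_NET, allowed=ALLOWED_MTAS):
    """Flows the egress-25 policy would block: an internal host that is not
    on the MTA allowlist connecting to port 25 outside the campus."""
    hits = []
    for src, dst, port, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if port == 25 and s in campus and d not in campus and s not in allowed:
            hits.append((src, dst, port, nbytes))
    return hits


def smtp_peers_by_host(flows, campus=CAMPUS_NET):
    """Per internal host: (distinct external port-25 peers, total bytes out).
    Counted for every host, allowed MTAs included, so an admin can also see
    when a legitimate client mailer starts behaving unusually."""
    peers = defaultdict(set)
    total = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if port == 25 and ip_address(src) in campus and ip_address(dst) not in campus:
            peers[src].add(dst)
            total[src] += nbytes
    return {host: (len(peers[host]), total[host]) for host in peers}


def noisy_smtp_hosts(flows, min_peers=3, campus=CAMPUS_NET):
    """Hosts whose direct-to-MX fan-out reaches the (constructed) threshold.
    A real MTA legitimately talks to many peers, so this is a review queue,
    not a block decision; compare against the allowlist before acting."""
    stats = smtp_peers_by_host(flows, campus)
    return sorted(host for host, (n_peers, _) in stats.items() if n_peers >= min_peers)


def render_iptables_rules(campus=CAMPUS_NET, allowed=ALLOWED_MTAS):
    """The same policy expressed as iptables FORWARD rules (returned as
    strings; nothing is applied). Allowed MTAs are accepted first, then
    the rest of the campus is rejected with a TCP reset so mail clients
    fail fast instead of timing out."""
    rules = [
        f"iptables -A FORWARD -s {mta} -p tcp --dport 25 -j ACCEPT"
        for mta in sorted(allowed, key=int)
    ]
    rules.append(
        f"iptables -A FORWARD -s {campus} -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
    )
    return rules


if __name__ == "__main__":
    for flow in egress_smtp_violations(SAMPLE_FLOWS):
        print("would block:", flow)
    for host, (n_peers, nbytes) in smtp_peers_by_host(SAMPLE_FLOWS).items():
        print(f"{host}: {n_peers} port-25 peers, {nbytes} bytes out")
    print("review queue:", noisy_smtp_hosts(SAMPLE_FLOWS))
    print("\n".join(render_iptables_rules()))
```

Note that the flow on port 5550 passes both checks untouched: a port-25 egress rule says nothing about a mailer that sends from a high port, which is the gap the post points at when it describes spam sources sitting on ports like 5550. Catching that needs per-host volume or protocol inspection rather than a port filter.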