[unisog] Port 25 blocking - on the

marchany at vt.edu marchany at vt.edu
Fri Apr 29 20:12:37 GMT 2005

I guess I have to ask "what is the real goal of blocking port 25?" Consider 
the following:

1. Is the real goal to block spam? 
2. Is the real goal to prevent someone on your net from having their own 

I suspect the real goal is #1 but the consequence of implementing a block is 
that #2 is impacted. I think a lot of thought on the implications of such a 
policy has to be done.

>We block outbound port 25 connection requests from all but a short list of
>known mail servers.

Ouch. When we were hit with MyDoom and our central mail servers were clogged 
for 60 hours, the only way to get email amongst CIRT members was by using good 
ol' sendmail on individual workstations that did NOT connect to the clogged 
central servers. A port block would have seriously impacted our response.

Another unintended consequence of such an action is that by forcing all email 
to go through your central servers, you now become eligible for govt subpoenas 
for email logs in these post 9/11 days.

Yes, these sendmail servers were secured as best as possible. My point is that 
allowing only certain systems to use outbound mail can have unforeseen effects 
during an attack.

The harder task is to teach people how to set up a "secure" sendmail server.  
How do I do that? Seminars, preconfigured locked down systems, turning off 
their access if they're abused.....there are all sorts of actions.

My point: make sure your actions reflect what you REALLY want to do.

	-Randy Marchany
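Added example, not part of the post or the unisog list: an nftables ruleset sketching the egress policy the quoted message describes (outbound TCP/25 allowed only from a short list of known mail servers), with a separate break-glass set so incident responders' workstations can keep running their own MTA during an outage like the MyDoom one above. Table, set and chain names and all addresses are constructed placeholders.

```nft
# Egress SMTP policy: only listed relays may open outbound TCP/25.
# All addresses below are constructed placeholders, not real hosts.
table inet egress_smtp {
    # Sanctioned mail relays (the "short list of known mail servers").
    set mail_relays {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    # Break-glass set for CIRT workstations that run their own MTA while the
    # central servers are unusable. Normally empty; populate it at runtime with
    #   nft add element inet egress_smtp cirt_hosts { 192.0.2.50 timeout 8h }
    # so the exemption expires on its own and the change is auditable.
    set cirt_hosts {
        type ipv4_addr
        flags timeout
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Sanctioned relays and break-glass hosts may send mail directly.
        ip saddr @mail_relays tcp dport 25 counter accept
        ip saddr @cirt_hosts  tcp dport 25 counter accept

        # Everything else is logged (rate limited) and rejected, so a host
        # that suddenly starts speaking SMTP shows up in the firewall log
        # instead of failing silently.
        tcp dport 25 ct state new limit rate 10/minute log prefix "egress-smtp-deny: " level info
        tcp dport 25 counter reject with tcp reset
    }
}
```

The deny log line is the detection hook: a workstation appearing there repeatedly is either an abused MTA or a client that needs to be pointed at a sanctioned relay.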

