[unisog] Any Canadian Universities on here ?

PaulFM paulfm at me.umn.edu
Thu May 5 16:25:26 GMT 2005


So you would have caught it just as fast had you logged all outgoing port 25 
connections rather than blocking them.

You realize, with the new standard (port 587) it will only be a matter of 
time before there are a bunch of port 587 mail relays and everyone will be 
talking about blocking them.

It is much more important to block incoming ports to all but authorized 
machines (cut off the control connection to the spam-bots).

Sylvain Robitaille wrote:

> On Wed, 4 May 2005, Pete Hickey wrote:
> 
> 
>>it is EXTREMELY useful to be able to come into our mail machines for
>>debugging.
> 
> 
> Oh, I agree, but does that cost outweigh the benefit?
> 
> 
>>And the spammers will then have their zombie machines go through the
>>ISP's SMTP relay.
> 
> 
> Of course, but then the ISP is in a much better position to a) detect
> the problem as it is happening, and b) deal with it much sooner.
> 
> We had an example of that exact scenario happen here a few months back:
> a system that had been compromised was being used for sending spam,
> but we block outbound port 25, so outbound mail goes only through our
> sanctioned mail servers.
> 
> I noticed the load average on one of the mail servers was staying
> unusually high for a rather long time, and when I looked more closely,
> sure enough it was in the process of trying to deliver a bunch of queued
> up spam.  I probably would not have "detected" this happening with the
> old direct spamming method until the complaints started coming in, but
> in this case I was able to put a stop to it after "only" a few thousand
> messages had gotten out.
> 
> It's obviously not perfect, but it does help.  It also permits us to
> apply virus-detection to outbound as well as inbound mail, helping also
> at that level.
> 
> 
>>Starting off, we would tell them.  Configure your mailer to use
>>xxx as your mailbox server, and yyy as your mail relay/SMTP-out.
>>Use that whether you are at home or in the office.
> 
> 
> I would argue that was a mistake.  Our mail servers were refusing
> third-party relaying many years ago.  We've been telling our users
> pretty much all along, though certainly since the larger ISPs have been
> in place that they should configure mail software on computers connected
> to our network to use our mail servers for relaying, and on ISP-connected
> computers to use the ISP's mail servers.
> 
> If the user is having trouble with the ISP's mail server, they're
> directed to the ISP's support service.
> 
> 
>>Oh yes.. There was one ISP who would not accept mail for relay
>>unless it had THEIR domain in the From:
> 
> 
> I don't feel we should make concessions for ISPs who misunderstand the
> protocols.  If we had a user with that problem, I would recommend to the
> user (cc: postmaster at the ISP) to find a better ISP (and I have done
> that in some cases, though not yet for this reason).
> 

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
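Added example, not part of this post or of the quoted messages: the "log rather than block" approach argued above only pays off if something actually reads the log and raises the alarm, so the script below does that over constructed Netfilter LOG lines (simplified to the fields that matter; the `OUTSMTP` log prefix, the addresses, the sanctioned-relay list and the threshold are all hypothetical). It summarises outbound SMTP (25) and submission (587) connections per source host and flags any unsanctioned host that reaches many distinct mail servers, which is what a zombie delivering directly looks like and what a workstation talking to its one ISP submission server does not.

```python
import re
from collections import defaultdict

# Constructed, simplified sample of Netfilter/iptables LOG output (not captured
# traffic).  A border rule such as
#   iptables -A FORWARD -p tcp --syn -m multiport --dports 25,587 \
#            -j LOG --log-prefix "OUTSMTP "
# writes one line per new outbound SMTP/submission connection.  Here 10.0.5.20
# plays the sanctioned campus relay, 10.0.7.5 a workstation using its ISP's
# submission server, and 10.0.9.77 a compromised host spraying recipient MXes.
SAMPLE_LOG = """\
May  5 16:20:01 border kernel: OUTSMTP IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=25 SYN
May  5 16:20:02 border kernel: OUTSMTP IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=198.51.100.4 PROTO=TCP SPT=40002 DPT=25 SYN
May  5 16:20:02 border kernel: OUTSMTP IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=203.0.113.9 PROTO=TCP SPT=40003 DPT=25 SYN
May  5 16:20:03 border kernel: OUTSMTP IN=eth1 OUT=eth0 SRC=10.0.7.5 DST=192.0.2.99 PROTO=TCP SPT=50001 DPT=587 SYN
May  5 16:20:04 border kernel: OUTSMTP IN=eth1 OUT=eth0 SRC=10.0.7.5 DST=192.0.2.99 PROTO=TCP SPT=50002 DPT=587 SYN
May  5 16:20:05 border kernel: OUTSMTP IN=eth1 OUT=eth0 SRC=10.0.9.77 DST=203.0.113.1 PROTO=TCP SPT=51001 DPT=25 SYN
May  5 16:20:05 border kernel: OUTSMTP IN=eth1 OUT=eth0 SRC=10.0.9.77 DST=203.0.113.2 PROTO=TCP SPT=51002 DPT=25 SYN
May  5 16:20:05 border kernel: OUTSMTP IN=eth1 OUT=eth0 SRC=10.0.9.77 DST=203.0.113.3 PROTO=TCP SPT=51003 DPT=25 SYN
May  5 16:20:06 border kernel: OUTSMTP IN=eth1 OUT=eth0 SRC=10.0.9.77 DST=203.0.113.4 PROTO=TCP SPT=51004 DPT=25 SYN
May  5 16:20:06 border kernel: OUTSMTP IN=eth1 OUT=eth0 SRC=10.0.9.77 DST=203.0.113.5 PROTO=TCP SPT=51005 DPT=25 SYN
May  5 16:20:07 border kernel: OUTSMTP IN=eth1 OUT=eth0 SRC=10.0.9.77 DST=203.0.113.6 PROTO=TCP SPT=51006 DPT=25 SYN
May  5 16:20:08 border kernel: OUTHTTP IN=eth1 OUT=eth0 SRC=10.0.9.77 DST=203.0.113.6 PROTO=TCP SPT=51007 DPT=443 SYN
"""

# Hypothetical list of the campus's own relays; they are expected to open
# many outbound port-25 sessions and are never reported.
SANCTIONED_RELAYS = {"10.0.5.20"}

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)"
)


def parse_mail_connections(log_text, ports=(25, 587)):
    """Yield (src, dst, dport) for every logged TCP connection to a mail port.

    Lines that do not carry the SRC/DST/DPT fields, or whose destination port
    is not in `ports`, are skipped.  587 is included alongside 25 because a bot
    can just as well relay through a submission port once one is open to it.
    """
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        dport = int(m.group("dport"))
        if dport in ports:
            yield m.group("src"), m.group("dst"), dport


def summarize_by_source(log_text, ports=(25, 587)):
    """Per source host: total mail-port connections and the set of destinations hit."""
    summary = defaultdict(lambda: {"connections": 0, "dests": set()})
    for src, dst, _dport in parse_mail_connections(log_text, ports):
        summary[src]["connections"] += 1
        summary[src]["dests"].add(dst)
    return summary


def find_suspect_hosts(log_text, sanctioned, min_distinct_dests=5, ports=(25, 587)):
    """Return {src: (connections, distinct_dests)} for unsanctioned hosts that
    talked to at least `min_distinct_dests` different mail servers.

    Distinct destinations, not raw connection count, is the signal: a busy but
    legitimate client keeps hitting the same one or two servers, while a host
    delivering spam directly walks through many recipient MXes.
    """
    suspects = {}
    for src, info in summarize_by_source(log_text, ports).items():
        if src in sanctioned:
            continue
        if len(info["dests"]) >= min_distinct_dests:
            suspects[src] = (info["connections"], len(info["dests"]))
    return suspects


if __name__ == "__main__":
    for host, (conns, dests) in sorted(find_suspect_hosts(SAMPLE_LOG, SANCTIONED_RELAYS).items()):
        print(f"{host}: {conns} outbound mail connections to {dests} distinct servers")
```

Run as-is it reports only 10.0.9.77; the relay is excluded by the sanctioned list and the workstation never exceeds one distinct destination. In production the same logic would be fed from syslog over a sliding time window, and the threshold tuned against what the sanctioned relays' own fan-out looks like, since those numbers vary a lot from site to site.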
