Re: Blocking port 25 outbound

["Christopher E. Cramer" <chris.cramer () DUKE EDU>]

Joe's got a great list of things below.  To that, I would add:

* periodic (monthly?) scans for open mail relays on port 25.  We've done
this for years and recently opted to scale back because we haven't found
any in the past 12 months or so.

* if you have an IDS, configure it to monitor for SMTP service traffic
destined a port other than 25.  we use this to find spam-bots.

-c

On Mon, 22 Aug 2005, Joe St Sauver wrote:

> Hi Joseph,
>
> #We are considering blocking all port 25 traffic outbound.  We have noted
> #various ISP's and others moving to block port 25 outbound to reduce
> #"spamming".  We wish to be good "netizens"
> #
> #Have any of you done this already and what has been the push back of
> #issues related to implementation on your campus?
>
> This is a topic that came up during the Messaging Anti-Abuse Working Group
> (MAAWG) meeting this past March. If you're interested, feel free to see
>
> -- Dealing With Zombies and Trojans and Port 25 (abrief presentation)
>    http://darkwing.uoregon.edu/~joe/port25.pdf
>
> -- Spam Zombies and Inbound Flows to Compromised Customer Systems
>    http://darkwing.uoregon.edu/~joe/zombies.pdf
>
> More generally, you may also be interested in:
>
> -- Email Effective Security Practices: 5 Concrete Areas to Scrutinize
>    http://darkwing.uoregon.edu/~joe/emailsecurity/email-security.pdf
>    (from the Spring 2004 Internet2 Member Meeting).
>
> But coming back to the port 25 issue, some alternatives to blocking port
> 25 which you might want to consider include:
>
> -- insure that you are monitoring/responsive to complaints received on
>    your abuse@ and postmaster@ address, and you have current whois contact
>    data for your network blocks, your domain(s) and your ASN; participate
>    in programs such as AOL's spam complaint feedback loop program
>    (see http://postmaster.info.aol.com/fbl/fblinfo.html ); use an
>    intrusion detection system such as Snort or Bro
>
> -- consider a desktop anti-virus/anti-spyware product (such as McAfee
>    VirusScan Enterprise 8) which include default features intended to
>    prevent mass mailing worms from sending mail and features to prevent
>    IRC-based bot command and control channels
>
> -- insure your campus rDNS does a clean job of "hinting" about what hosts
>    should and shouldn't be emitting mail direct-to-MX
>    ( http://enemieslist.com/ does a good job of codifying much of what's
>    known about rDNS naming practice "in the wild" right now)
>
> -- consider publishing SPF records for your site; see
>    http://spf.pobox.com/whitepaper.pdf for more information about SPF
>
> -- check http://www.senderbase.com/ for your netblocks and domain to
>    see if there's anything anomalous going on that's not getting reported
>
> Feel free to drop me a note if you have any questions.
>
> Regards,
>
> Joe St Sauver (joe () uoregon edu)
> University of Oregon Computing Center