Educause Security Discussion mailing list archives
Re: Blocking port 25 outbound
From: "Christopher E. Cramer" <chris.cramer () DUKE EDU>
Date: Mon, 22 Aug 2005 16:47:00 -0400
Joe's got a great list of things below. To that, I would add:

* periodic (monthly?) scans for open mail relays on port 25. We've done this for years and recently opted to scale back because we haven't found any in the past 12 months or so.

* if you have an IDS, configure it to monitor for SMTP service traffic destined for a port other than 25. We use this to find spam-bots.

-c

On Mon, 22 Aug 2005, Joe St Sauver wrote:

Hi Joseph,

#We are considering blocking all port 25 traffic outbound. We have noted
#various ISP's and others moving to block port 25 outbound to reduce
#"spamming". We wish to be good "netizens"
#
#Have any of you done this already and what has been the push back of
#issues related to implementation on your campus?

This is a topic that came up during the Messaging Anti-Abuse Working Group (MAAWG) meeting this past March. If you're interested, feel free to see

-- Dealing With Zombies and Trojans and Port 25 (a brief presentation)
   http://darkwing.uoregon.edu/~joe/port25.pdf

-- Spam Zombies and Inbound Flows to Compromised Customer Systems
   http://darkwing.uoregon.edu/~joe/zombies.pdf

More generally, you may also be interested in:

-- Email Effective Security Practices: 5 Concrete Areas to Scrutinize
   http://darkwing.uoregon.edu/~joe/emailsecurity/email-security.pdf
   (from the Spring 2004 Internet2 Member Meeting).

But coming back to the port 25 issue, some alternatives to blocking port 25 which you might want to consider include:

-- insure that you are monitoring/responsive to complaints received on your abuse@ and postmaster@ address, and you have current whois contact data for your network blocks, your domain(s) and your ASN; participate in programs such as AOL's spam complaint feedback loop program (see http://postmaster.info.aol.com/fbl/fblinfo.html ); use an intrusion detection system such as Snort or Bro

-- consider a desktop anti-virus/anti-spyware product (such as McAfee VirusScan Enterprise 8) which includes default features intended to prevent mass mailing worms from sending mail and features to prevent IRC-based bot command and control channels

-- insure your campus rDNS does a clean job of "hinting" about what hosts should and shouldn't be emitting mail direct-to-MX ( http://enemieslist.com/ does a good job of codifying much of what's known about rDNS naming practice "in the wild" right now)

-- consider publishing SPF records for your site; see http://spf.pobox.com/whitepaper.pdf for more information about SPF

-- check http://www.senderbase.com/ for your netblocks and domain to see if there's anything anomalous going on that's not getting reported

Feel free to drop me a note if you have any questions.

Regards,

Joe St Sauver (joe () uoregon edu)
University of Oregon Computing Center
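
The IDS check suggested in the reply above (SMTP traffic destined for a port other than 25), sketched as an added example that is not part of the original thread or any poster's own tooling. The `Session` record layout, the function names and the sample sessions are assumptions made for illustration; a real deployment would feed it reassembled session data from the IDS or a flow sensor.

```python
import ipaddress
import re
from collections import namedtuple

# Hypothetical record: endpoints plus the first bytes each side sent.
Session = namedtuple("Session", "src dst dport client_data server_data")

HELO_RE = re.compile(rb"^(?:HELO|EHLO)\s+\S+", re.I | re.M)
MAIL_RE = re.compile(rb"^MAIL FROM:\s*<", re.I | re.M)
BANNER_RE = re.compile(rb"^220[ -].*\bE?SMTP\b", re.I | re.M)

def smtp_signals(s):
    """Count independent SMTP indicators seen in a session's opening bytes."""
    return (bool(HELO_RE.search(s.client_data))
            + bool(MAIL_RE.search(s.client_data))
            + bool(BANNER_RE.search(s.server_data)))

def find_offport_smtp(sessions, campus_net, smtp_ports=frozenset({25}), min_signals=2):
    """Return campus-sourced sessions that speak SMTP to a port outside smtp_ports."""
    net = ipaddress.ip_network(campus_net)
    return [s for s in sessions
            if ipaddress.ip_address(s.src) in net
            and s.dport not in smtp_ports
            and smtp_signals(s) >= min_signals]

# Constructed sample sessions (documentation address ranges, not real traffic).
SAMPLE = [
    Session("192.0.2.10", "198.51.100.5", 25,          # normal mail on port 25
            b"EHLO mail.campus.example\r\nMAIL FROM:<a@campus.example>\r\n",
            b"220 mx.example.net ESMTP\r\n"),
    Session("192.0.2.77", "203.0.113.9", 2525,         # SMTP dialogue, wrong port
            b"EHLO pc77\r\nMAIL FROM:<x@example.com>\r\n",
            b"220 relay.example.org ESMTP ready\r\n"),
    Session("192.0.2.30", "203.0.113.80", 80,          # plain web traffic
            b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
            b"HTTP/1.1 200 OK\r\n"),
    Session("192.0.2.41", "203.0.113.80", 8080,        # one stray keyword only
            b"POST /notes HTTP/1.1\r\n\r\nEHLO is the first SMTP verb\r\n",
            b"HTTP/1.1 200 OK\r\n"),
    Session("192.0.2.77", "203.0.113.44", 8025,        # no banner captured
            b"HELO pc77\r\nMAIL FROM:<y@example.com>\r\n", b""),
]

def flagged(sessions=SAMPLE, campus_net="192.0.2.0/24"):
    return [(s.src, s.dst, s.dport) for s in find_offport_smtp(sessions, campus_net)]

if __name__ == "__main__":
    for hit in flagged():
        print("possible spam-bot: %s -> %s:%d" % hit)
```

Requiring two indicators keeps a single keyword in unrelated traffic from alerting; sites with other sanctioned mail ports can pass them in `smtp_ports`.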