Educause Security Discussion mailing list archives

Re: Blocking port 25 outbound


From: Paul Russell <prussell () ND EDU>
Date: Tue, 23 Aug 2005 10:13:08 -0500

We block outbound port 25 traffic at the network border, with the
exception of traffic from the central mail servers and known departmental mail
servers. Systems in ResNet are required to use SSL/TLS and SMTPAUTH to send
mail through the central mail servers, and we are expanding this restriction
to the rest of our network. We maintain a 'whitelist' of systems which are
allowed to use non-secure anonymous SMTP, to accommodate faculty and staff
using mission-critical software which does not support SSL/TLS and/or SMTPAUTH.

Our InfoSec staff monitors the network for 'rogue MTAs', and the Messaging
Services staff monitors the central mail servers for local systems with
excessive SMTP rejects.

We began implementing these measures approximately two years ago, to address
the problem of zombie systems in our network being exploited to send spam
and/or virus traffic. Blocking outbound port 25 stopped direct-to-MX traffic,
and mandatory SMTPAUTH stopped the zombies from relaying through the central
mail servers.

When the use of port 25 blocks and mandatory SMTPAUTH becomes widespread, the
spamware and virus authors will find ways to circumvent those restrictions.

--
Paul Russell
Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
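The two controls described in the message above, a border egress policy for tcp/25 with a whitelist of approved MTAs and a check of the central servers' logs for local systems with excessive SMTP rejects, can be expressed in a few lines. The following is an added illustration, not code from the poster or from Notre Dame: the addresses, campus network range, reject threshold and log lines are all constructed, and the log format assumed is Postfix's `NOQUEUE: reject:` line.

```python
import ipaddress
import re
from collections import Counter

# Local address space and the MTAs allowed to speak SMTP directly to the
# outside world. All values are constructed for this example.
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EGRESS_SMTP_WHITELIST = {
    ipaddress.ip_address("10.0.0.25"),  # central mail relay (constructed)
    ipaddress.ip_address("10.0.0.26"),  # second central relay (constructed)
    ipaddress.ip_address("10.5.1.10"),  # known departmental MTA (constructed)
}


def egress_smtp_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Border policy for flows originating inside campus.

    Port 25 to an external destination is permitted only from whitelisted
    MTAs; everything else (non-SMTP ports, internal delivery to the central
    servers) is left alone by this rule.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if dst_port != 25:
        return True
    if any(dst in net for net in CAMPUS_NETS):
        return True  # hosts may still submit to the central servers
    return src in EGRESS_SMTP_WHITELIST


# Postfix smtpd reject line, e.g.
#   ... postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[10.20.30.40]: 554 ...
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3})"
)


def count_rejects(log_lines, local_only: bool = True) -> Counter:
    """Count reject events per client IP (as a string), optionally only for campus hosts."""
    counts = Counter()
    for line in log_lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if local_only and not any(ip in net for net in CAMPUS_NETS):
            continue
        counts[str(ip)] += 1
    return counts


def flag_excessive(counts: Counter, threshold: int = 5):
    """Return (ip, count) pairs at or above the threshold, sorted for stable output."""
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)


# Constructed sample log: one campus host with six rejects, one with two,
# and an external host with three (ignored when local_only=True).
SAMPLE_LOG = [
    "Aug 23 10:01:02 mx1 postfix/smtpd[2201]: connect from unknown[10.20.30.40]",
    *[
        f"Aug 23 10:01:{s:02d} mx1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from "
        f"unknown[10.20.30.40]: 554 5.7.1 <user{s}@example.net>: Relay access denied"
        for s in range(3, 9)
    ],
    *[
        f"Aug 23 10:02:{s:02d} mx1 postfix/smtpd[2202]: NOQUEUE: reject: RCPT from "
        f"unknown[10.20.30.41]: 554 5.7.1 <user{s}@example.net>: Relay access denied"
        for s in range(1, 3)
    ],
    *[
        f"Aug 23 10:03:{s:02d} mx1 postfix/smtpd[2203]: NOQUEUE: reject: RCPT from "
        f"unknown[192.0.2.7]: 450 4.7.1 <user{s}@example.net>: Greylisted"
        for s in range(1, 4)
    ],
]


if __name__ == "__main__":
    print("relay -> outside:", egress_smtp_allowed("10.0.0.25", "192.0.2.10", 25))
    print("desktop -> outside:", egress_smtp_allowed("10.20.30.40", "192.0.2.10", 25))
    for ip, n in flag_excessive(count_rejects(SAMPLE_LOG)):
        print(f"excessive rejects: {ip} ({n})")
```

The reject threshold is per batch of log lines; in practice you would run this over a rolling window (say, one hour of logs) and tune the threshold to the volume of legitimate submission errors the central servers normally see.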
