Educause Security Discussion mailing list archives

Re: blocking port 25 at the border?


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Thu, 23 Aug 2007 19:55:08 -0400

Bob Bayn -

We have managed port 25 (SMTP) at the border for about 2 years
outbound and 3+ years inbound.

Primarily system administrator managed mail servers are the systems
transmitting and receiving SMTP on TCP port 25.

There are a few exceptions and a formal procedure (and web form)
exists for requesting an inbound or outbound exception.

There are quite a few more local e-mail systems but most of them have
owners who have decided that they do not need to receive email
directly on port 25 from the Internet nor xmit directly to Internet
email servers.  Therefore most internal servers have their DNS names
and/or domains MXed to our public mail relay servers.  The very few
that don't have primarily policy-based reasons for requesting an
exception (e.g. they can't be bound by our 20MB file size limit,
anti-virus/anti-spam, etc.) & we allow these exceptions.

We blocked SMTP originally to cut down on spam complaints (both
internal and external) generated by both "rogue" and "accidental"
mail servers but the anti-spam/malware/phishing scanning funnel which
now covers most of campus has proved to be even more valuable.

FYI - one way to distinguish between a Storm infected PC and a Skype
node (both can generate a lot of UDP traffic to many IP #s on the
Internet) is that a Skype node will usually be listening on 3 TCP
ports - port 80, 443 and a random port above 1024.  The service
listening at these ports will usually answer a probe with string
'GET /' with the response:

                HTTP/1.0 501 Not Implemented

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS



On Aug 23, 2007, at 5:08 PM, Bob Bayn wrote:

Do you regulate port 25 at the border?
If so, what is your procedure for allowing an exception
(for a legit email server)?
What administrative approvals were required at your
institution before you could regulate port 25?

Bob Bayn
IT Security Team
Utah State University
Logan, UT
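
Added example, not part of the original messages: the Skype check described in the reply above, written as a triage helper for hosts on your own network that show heavy UDP fan-out. The verdict labels, the probe's line ending and timeout, and the sample observations are assumptions; only the 'GET /' probe, the three-port pattern and the 501 reply line come from the message.

```python
import socket

# Reply line quoted in the message; everything else here is an assumption.
SKYPE_REPLY = "HTTP/1.0 501 Not Implemented"

def probe(host, port, timeout=3.0):
    """Send 'GET /' to host:port; return the first reply line, or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET /\r\n\r\n")  # line ending is an assumption
            data = s.recv(256)
    except OSError:  # closed, filtered or timed out
        return None
    lines = data.splitlines()
    return lines[0].decode("latin-1").strip() if lines else None

def skype_ports(replies):
    """Ports in {port: reply line or None} that gave the quoted 501 reply."""
    return {p for p, line in replies.items() if line == SKYPE_REPLY}

def classify(replies):
    """Apply the message's pattern: 501 on 80, 443 and a port above 1024."""
    hits = skype_ports(replies)
    if {80, 443} <= hits and any(p > 1024 for p in hits):
        return "skype-like"
    if hits:
        return "partial"   # some 501 replies; the message says "usually"
    return "no-match"      # pattern absent: keep investigating the host

def triage(observations):
    """Map {host: {port: reply}} to {host: verdict}."""
    return {host: classify(r) for host, r in observations.items()}

# Constructed observations (documentation addresses, invented high ports).
SAMPLE = {
    "192.0.2.10": {80: SKYPE_REPLY, 443: SKYPE_REPLY, 23456: SKYPE_REPLY},
    "192.0.2.11": {80: "HTTP/1.1 200 OK", 443: None},
    "192.0.2.12": {80: None, 443: SKYPE_REPLY, 40211: SKYPE_REPLY},
    "192.0.2.13": {},
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(host, verdict)
```

A "no-match" verdict only means the Skype explanation does not fit; it is not by itself evidence of a Storm infection.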

