Educause Security Discussion mailing list archives

Re: Outbound SMTP


From: Michael Van Norman <mvn () UCLA EDU>
Date: Fri, 25 Apr 2008 09:51:45 -0700

Basgen, Brian wrote:
Joe,

officers. I mean dang it all, we build wonderful networks,
and then we proceed to block the heck out of 'em to the point
where application programmers can hardly use 'em! That just
makes no sense.

Joe, you have a fair point, but you are making it a bit extreme. I
would agree, in some contexts, when it comes to NAC, for example. Yet,
the suggestion that blocking port 25 outbound is problematic for
usability isn't very sustainable.

A researcher on your campus is developing an application that uses
e-mail and incorporates its own MTA.  A port 25 block breaks that.  That
to me is a problem with network usability, not an extreme position.

1) Even if you block port 25 traffic, the host is still infested

You are missing the forest for the trees. If you render the intent of
an exploit useless, you've accomplished defense in-depth. We can't
maintain pristine networks. We *can* reduce risk and have sufficient
depth such that a compromise will be mitigated by various layers.

This assumes that the malware loses all value to the miscreant if SMTP
is blocked.  The malware is still likely to be keylogging, uploading
browser caches, etc.  It may also simply use your existing mail relays.
Those other aspects of the malware have value.  Blocking SMTP is not
going to change that (and thus I would question the assertion of defense
in depth).

/Mike
