nanog mailing list archives
Re: ISP port blocking practice
From: Butch Evans <butche () butchevans com>
Date: Fri, 03 Sep 2010 11:10:09 -0500
On Thu, 2010-09-02 at 23:08 -0500, Jack Bates wrote:
He's right though. tcp/25 blocks are a hack. Easy man's way out.
Also, this can be a little problematic to end users.
Honestly, it'd be nicer if edge or even core systems could easily handle higher level filtering for things like this. There's plenty of systems that watch traffic patterns and issue blocks based on those patterns.
I am not an ISP, but provide consulting services to ISPs. My approach to this problem is somewhat more dynamic than simple blocking of outbound port 25. Bear in mind that I don't do much consulting for companies that are transport for other ISPs (though I have a few of those type clients). My approach is quite simple, but has been pretty effective for those clients that are using it:

* Watch for outbound mail checking traffic (TCP/110, TCP 143, etc.) and capture the server IPs these users are talking to
* Permit outbound SMTP coming FROM known mail servers inside the network
* Permit inbound SMTP going TO known mail servers inside the network
* Permit outbound SMTP going TO mail servers that our end users use to CHECK their mail
* Log the IP of the end users trying to send outbound email via a server that is NOT on the above list.
* Deny all other outbound SMTP

This method is nearly 100% effective in eliminating spam bots that are currently the most common type. These spam bots originate SMTP connections direct to the MX for the list they are sending mail to. This method is relatively problem free for the ISP once it is set up.

--
********************************************************************
* Butch Evans                   * Professional Network Consultation*
* http://www.butchevans.com/    * Network Engineering              *
* http://store.wispgear.net/    * Wired or Wireless Networks       *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *
********************************************************************
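The rule list in the message above, modelled as a first-match policy over flow records. This is an added example, not part of the original post and not the poster's actual router configuration. The class name, the `192.0.2.0/24` inside network, the mail server address and the sample flows are all constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

MAIL_CHECK_PORTS = {110, 143}  # POP3 and IMAP, the ports named in the post
SMTP_PORT = 25

class SmtpEgressPolicy:
    """Hypothetical model of the posted rules, evaluated in order, first match wins."""

    def __init__(self, inside_net, local_mail_servers):
        self.inside = ip_network(inside_net)
        self.local_mail = {ip_address(a) for a in local_mail_servers}
        self.learned = set()      # outside servers our users check mail on
        self.denied = Counter()   # inside IP -> number of denied SMTP attempts

    def decide(self, src, dst, dport):
        src, dst = ip_address(src), ip_address(dst)
        outbound = src in self.inside and dst not in self.inside
        if dport in MAIL_CHECK_PORTS:
            if outbound:
                self.learned.add(dst)   # capture the server IP the user talks to
            return "permit"
        if dport != SMTP_PORT:
            return "permit"             # other traffic is outside this policy
        if src in self.local_mail:
            return "permit"             # SMTP FROM known mail servers inside
        if dst in self.local_mail:
            return "permit"             # SMTP TO known mail servers inside
        if outbound and dst in self.learned:
            return "permit"             # SMTP TO a server users check mail on
        if outbound:
            self.denied[str(src)] += 1  # log the end user's IP
            return "deny"               # deny all other outbound SMTP
        return "unspecified"            # inbound SMTP to other hosts: not covered by the post

def run_sample():
    # Constructed flows (src, dst, dport) using documentation address ranges.
    policy = SmtpEgressPolicy("192.0.2.0/24", ["192.0.2.10"])
    flows = [
        ("192.0.2.50", "198.51.100.7", 110),  # user checks POP3 at an outside provider
        ("192.0.2.50", "198.51.100.7", 25),   # same user sends through that provider
        ("192.0.2.10", "203.0.113.25", 25),   # local mail server delivers outbound
        ("203.0.113.25", "192.0.2.10", 25),   # inbound delivery to the local mail server
        ("192.0.2.77", "203.0.113.99", 25),   # end user connecting straight to a remote MX
        ("192.0.2.77", "203.0.113.98", 25),
    ]
    return [policy.decide(*f) for f in flows], dict(policy.denied)

if __name__ == "__main__":
    print(run_sample())
```

The `denied` counter is the per-user log the fifth rule calls for: an inside address that accumulates denied attempts against many different destinations is the host to investigate.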