Educause Security Discussion mailing list archives
Re: Blocking port 25 outbound
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Mon, 22 Aug 2005 13:15:28 -0700
Hi Joseph,

#We are considering blocking all port 25 traffic outbound. We have noted
#various ISP's and others moving to block port 25 outbound to reduce
#"spamming". We wish to be good "netizens"
#
#Have any of you done this already and what has been the push back of
#issues related to implementation on your campus?

This is a topic that came up during the Messaging Anti-Abuse Working Group (MAAWG) meeting this past March. If you're interested, feel free to see

-- Dealing With Zombies and Trojans and Port 25 (a brief presentation)
   http://darkwing.uoregon.edu/~joe/port25.pdf

-- Spam Zombies and Inbound Flows to Compromised Customer Systems
   http://darkwing.uoregon.edu/~joe/zombies.pdf

More generally, you may also be interested in:

-- Email Effective Security Practices: 5 Concrete Areas to Scrutinize
   http://darkwing.uoregon.edu/~joe/emailsecurity/email-security.pdf
   (from the Spring 2004 Internet2 Member Meeting).

But coming back to the port 25 issue, some alternatives to blocking port 25 which you might want to consider include:

-- insure that you are monitoring/responsive to complaints received on your abuse@ and postmaster@ address, and you have current whois contact data for your network blocks, your domain(s) and your ASN; participate in programs such as AOL's spam complaint feedback loop program (see http://postmaster.info.aol.com/fbl/fblinfo.html ); use an intrusion detection system such as Snort or Bro

-- consider a desktop anti-virus/anti-spyware product (such as McAfee VirusScan Enterprise 8) which includes default features intended to prevent mass mailing worms from sending mail and features to prevent IRC-based bot command and control channels

-- insure your campus rDNS does a clean job of "hinting" about what hosts should and shouldn't be emitting mail direct-to-MX ( http://enemieslist.com/ does a good job of codifying much of what's known about rDNS naming practice "in the wild" right now)

-- consider publishing SPF records for your site; see http://spf.pobox.com/whitepaper.pdf for more information about SPF

-- check http://www.senderbase.com/ for your netblocks and domain to see if there's anything anomalous going on that's not getting reported

Feel free to drop me a note if you have any questions.

Regards,

Joe St Sauver (joe () uoregon edu)
University of Oregon Computing Center
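
The monitoring alternative in the message above, as an added example that is not part of the original post: a Python sketch that scans flow records for campus hosts sending direct-to-MX on port 25 without being sanctioned relays. The campus prefix, relay addresses, threshold and the four-column flow format are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (constructed for illustration): campus address space, sanctioned
# relays, and a simplified "timestamp src dst dport" flow-record format.
CAMPUS_NET = ip_network("192.0.2.0/24")
SANCTIONED_RELAYS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
DISTINCT_MX_THRESHOLD = 3  # hypothetical tuning value

# Constructed sample flow records, not real traffic.
SAMPLE_FLOWS = """\
2005-08-22T13:00:01 192.0.2.10 198.51.100.25 25
2005-08-22T13:00:02 192.0.2.77 198.51.100.25 25
2005-08-22T13:00:03 192.0.2.77 203.0.113.5 25
2005-08-22T13:00:04 192.0.2.77 203.0.113.9 25
2005-08-22T13:00:05 192.0.2.42 203.0.113.5 80
2005-08-22T13:00:06 192.0.2.50 192.0.2.10 25
2005-08-22T13:00:07 192.0.2.60 198.51.100.25 25
malformed line here
"""

def direct_to_mx_senders(flow_text):
    """Map each non-relay campus host to the off-campus port 25 peers it contacted."""
    seen = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip records that do not match the assumed format
        try:
            src, dst = ip_address(fields[1]), ip_address(fields[2])
            dport = int(fields[3])
        except ValueError:
            continue
        # Only outbound SMTP counts: campus source, off-campus destination.
        if dport != 25 or src not in CAMPUS_NET or dst in CAMPUS_NET:
            continue
        if src in SANCTIONED_RELAYS:
            continue  # the campus mail servers are expected to talk to MXes
        seen[str(src)].add(str(dst))
    return dict(seen)

def triage(senders, threshold=DISTINCT_MX_THRESHOLD):
    """Split hosts into those to investigate first (many distinct MXes) and the rest."""
    urgent = sorted(h for h, d in senders.items() if len(d) >= threshold)
    review = sorted(h for h, d in senders.items() if len(d) < threshold)
    return urgent, review

if __name__ == "__main__":
    urgent, review = triage(direct_to_mx_senders(SAMPLE_FLOWS))
    print("investigate first:", urgent)
    print("review:", review)
```

Hosts in the second list may be legitimate self-hosted mail clients, which is the population a port 25 block would affect.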