Educause Security Discussion mailing list archives

Re: Blocking port 25 outbound


From: Information Security <infosecurity () UTPA EDU>
Date: Mon, 22 Aug 2005 16:57:19 -0500

Randy Marchany wrote:

We are considering blocking all port 25 traffic outbound.  We have noted
various ISP's and others moving to block port 25 outbound to reduce
spamming.  We wish to be good netizens.

Oh my. So, you're going to ban all email from any machine on campus thereby
forcing all email to be handled by a central group of email servers?


I'm not going to touch that one because I know a religious war when I
see one :-)  Let's just say that the rest of this discussion only
applies to people who think the above is A Good Thing.  Anyone who
doesn't approve doesn't have to implement it.

This
means that your email servers should have anti-spam and anti-virus filters.


Absolutely.  Why should only incoming mail have all the fun?  Although
I'd just filter viruses; anti-spam isn't reliable enough to block
outgoing based on content, but what you *can* do is:

1) put in a quarantine based on content and alert someone to check, if
   you're willing to allow your admins to look at outgoing mail.  (We
   generally try to avoid mail solutions that require a man in the loop)
2) throttle outgoing mail based on volume and/or content  (taking care
   for official mass mailings and listservs etc)
3) reject all outgoing mail that does not have an allowed sender domain,
   which you should also have a policy to support.

Unix systems that have their own mail servers won't be able to send outbound
email.


Actually you can if you redirect all outgoing port 25 to your central
mail server; it should go through transparently but get the benefit of
whichever from 1-3 above you decide to implement.

What about systems that will relay mail through your email servers to the
outside world? How will you rate flow that?



Look around on the net.  Lots of solutions.

I can see why ISPs would do that (commercial site) but I can't see a good
reason for a university to do that. Why not train your sysadmins how to
configure an email server correctly or provide some tools to do so?



I can't see why a university is different from an ISP.  In fact we
probably have more misbehaving customers than the ISPs do (and they're
often harder to track down).

And if we could train all the sysadmins to acceptable standards we
wouldn't be having this discussion in the first place.  The problem is
that idiot software like IIS makes it easy for anyone to be an 'admin'
whether they are competent or not.  I've found many IIS servers running
SMTP, FTP, etc etc that the system owner wasn't even aware of.  (That's
why we do campus-wide scans and follow up on what we find)  In other
words many 'sysadmins' are actually users who've turned on a service by
accident.

        -r.


G
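
The three measures listed in the message above (content quarantine, volume throttling, sender-domain restriction), sketched as one decision function for a central relay that receives all redirected outbound port 25 traffic. This is an added example, not part of the original post; the domain, IP addresses, limits and every name in it are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# All values below are constructed for the example.
ALLOWED_SENDER_DOMAINS = {"example.edu"}   # assumed campus mail domain
BULK_EXEMPT_HOSTS = {"10.0.0.25"}          # assumed listserv / mass-mailing host
MAX_MSGS = 3                               # per-host limit (kept low for the demo)
WINDOW_SECONDS = 60

class OutboundPolicy:
    """Decide what a central relay does with one outbound message."""

    def __init__(self):
        # client IP -> timestamps of recently accepted messages
        self._recent = defaultdict(deque)

    def decide(self, client_ip, mail_from, virus_found=False, now=None):
        """Return 'reject', 'quarantine', 'defer' or 'accept'."""
        now = time.time() if now is None else now
        local, sep, domain = mail_from.strip().lower().rpartition("@")

        # Measure 3: reject mail whose sender domain is not allowed.
        if not sep or not local or domain not in ALLOWED_SENDER_DOMAINS:
            return "reject"

        # Measure 1: a content hit is held for an admin to check.
        if virus_found:
            return "quarantine"

        # Measure 2: throttle by volume per source host. The exemption is
        # keyed on the connecting IP, not the sender address, because a
        # compromised host can put any address in MAIL FROM.
        if client_ip in BULK_EXEMPT_HOSTS:
            return "accept"
        window = self._recent[client_ip]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()               # drop timestamps outside the window
        if len(window) >= MAX_MSGS:
            return "defer"                 # temporary failure; sender retries later
        window.append(now)
        return "accept"
```
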


Current thread: