nanog mailing list archives

RE: Lazy network operators


From: "Eric Krichbaum" <eric.krichbaum () citynet net>
Date: Tue, 13 Apr 2004 16:05:41 -0400


 
We do that here, and I agree it should be a standard practice from the
dialup/broadband/etc. provider standpoint.  Aren't some of the newer
malware/viri using the SMTP setting out of the email client to send
through now to get around that anyway?  It really shouldn't matter
though.  I'd rather be: a.) blocking the port 25 traffic and b.) virus
scanning the outbound mail, than dealing with the thousands of "Your
user tried to hack my system.  I'm calling the FBI on you." messages.

Eric

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
John Curran
Sent: Tuesday, April 13, 2004 3:53 PM
To: Stephen J. Wilcox
Cc: nanog () merit edu
Subject: Re: Lazy network operators


At 8:39 PM +0100 4/13/04, Stephen J. Wilcox wrote:
Most of the spam I'm seeing comes directly from end user hosts that 
have either an open proxy on them or some kind of malware with its own 
SMTP engine designed to send out junk.. in this model the only port 25 
traffic is that from the end host coming outwards, I believe your 
suggestion is to filter port 25 towards hosts.

Even blocking the outbound 25 traffic (eg pushing it via the ISP SMTP 
relay) will not stop the emails. It is possible to extend this and 
implement some sort of statistical sanity checking on the mail being 
relayed (eg alarm/deny mail once it exceeds X/minute/host) which is
potentially a workable solution.

Steve,
 
   I'm very much suggesting blocking outward to the Internet port 25 
   traffic, except from configured mail relays for that end-user site.

   Those hosts which have SMTP malware are stopped cold as a result.

/John
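
The per-host rate alarm raised in the quoted message ("alarm/deny mail once it exceeds X/minute/host"), as an added example that is not part of the original thread. The relay log format, the addresses and the limit of 5 messages per minute are constructed assumptions, not any real MTA's output.

```python
# Added example (not from the thread): per-host messages/minute alarm on relay logs.
# Log format, addresses and the limit are constructed for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.9 sends 8 messages in 35 s, 10.0.0.5 sends 3 in 10 min.
SAMPLE = (
    [f"2004-04-13T16:00:{s:02d} relay accept src=10.0.0.9 msgid=b{s}"
     for s in range(0, 40, 5)]
    + ["2004-04-13T16:01:00 relay accept src=10.0.0.5 msgid=a1",
       "2004-04-13T16:06:00 relay accept src=10.0.0.5 msgid=a2",
       "truncated or unrelated line",
       "2004-04-13T16:11:00 relay accept src=10.0.0.5 msgid=a3"]
)

def parse(line):
    """Return (timestamp, source host) for an accept record, else None."""
    parts = line.split()
    if len(parts) < 4 or parts[1:3] != ["relay", "accept"]:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    try:
        return datetime.fromisoformat(parts[0]), fields["src"]
    except (ValueError, KeyError):
        return None

def hosts_over_limit(lines, limit, window=timedelta(minutes=1)):
    """Map each host to the first time it had more than `limit` messages
    inside one sliding `window`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)      # host -> timestamps still inside the window
    flagged = {}
    for line in lines:
        event = parse(line)
        if event is None:
            continue                 # skip malformed or unrelated lines
        ts, host = event
        q = recent[host]
        q.append(ts)
        while ts - q[0] >= window:   # expire entries a full window old
            q.popleft()
        if len(q) > limit and host not in flagged:
            flagged[host] = ts       # alarm here; a relay could defer or reject
    return flagged

if __name__ == "__main__":
    for host, when in hosts_over_limit(SAMPLE, limit=5).items():
        print(f"{host} exceeded 5 msgs/min at {when.isoformat()}")
```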

