nanog mailing list archives

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)


From: Steven Champeon <schampeo () hesketh com>
Date: Wed, 12 Jan 2005 14:07:06 -0500


on Wed, Jan 12, 2005 at 12:41:44PM -0600, Adi Linden wrote:
> > 0) for the love of God, Montresor, just block port 25 outbound already.
> 
> What is wrong with dedicating port 25 to server-to-server communication
> with some means of authentication (DNS?) to ensure that it is indeed a
> valid mail server?

Nothing at all. That's more or less what I proposed, though I'd prefer
to see something TODAY, like the easily implemented rDNS fix, rather
than wait any longer for SPF/DomainKeys/etc. to go through a zillion
rounds of argument. As it stands, I reject a rather large percentage of
the spam delivery attempts here using generic rDNS as a basis. (Either
in the rDNS of the connecting host itself or in the HELO; the latter is
responsible for ~75%-80% of the rejections, assumed to be almost
entirely zombie-originated).

> Mail clients should be using port 587 to submit messages to their
> local MTA.

Agreed.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
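The two rejection checks the post describes (generic rDNS on the connecting host, and a generic or bogus HELO name), written out as an added Python example that is not part of the original message or thread. The generic-name tokens, the octet-embedding heuristic and the sample clients are assumptions constructed for illustration; the forward-confirmed rDNS lookup a real MTA would do first is omitted so the example runs offline.

```python
import ipaddress
import re

# Tokens that typically mark an ISP-assigned, "generic" PTR name.
# Assumed illustrative list, not one from the original post.
GENERIC_TOKENS = ("dyn", "dhcp", "pool", "dialup", "dsl", "cable", "ppp")


def embeds_address(hostname, ip):
    """True if the name embeds most of the client's IPv4 octets,
    e.g. adsl-192-0-2-45.isp.example for 192.0.2.45 (heuristic)."""
    nums = {int(n) for n in re.findall(r"\d+", hostname)}
    octets = list(ipaddress.IPv4Address(ip).packed)
    return sum(o in nums for o in octets) >= 3


def is_generic_rdns(hostname, ip):
    """Missing PTR, address-derived PTR, or a first label built from a
    generic token all count as 'generic rDNS'."""
    host = hostname.lower().rstrip(".")
    if not host:
        return True  # no reverse DNS at all
    if embeds_address(host, ip):
        return True
    first_label = host.split(".")[0]
    return any(tok in first_label for tok in GENERIC_TOKENS)


def helo_looks_bogus(helo, ip):
    """HELO that is a bare IP (or [literal]), is unqualified, or is itself
    a generic name is treated the same way as generic rDNS."""
    name = helo.strip().lower().strip("[]")
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        pass
    if "." not in name:
        return True
    return is_generic_rdns(name, ip)


def smtp_policy(ip, ptr, helo):
    """Decide at connect/HELO time; returns ('reject', reason) or ('accept', None)."""
    if helo_looks_bogus(helo, ip):
        return "reject", "generic or bogus HELO"
    if is_generic_rdns(ptr, ip):
        return "reject", "generic or missing rDNS"
    return "accept", None


if __name__ == "__main__":
    # Constructed sample clients: (client IP, PTR name, HELO argument)
    for client in [("192.0.2.45", "adsl-192-0-2-45.isp.example", "[192.0.2.45]"),
                   ("203.0.113.9", "dhcp-9.pool.example.net", "mail.example.net"),
                   ("198.51.100.7", "mail.example.org", "mail.example.org")]:
        print(client, "->", smtp_policy(*client))
```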