nanog mailing list archives
Re: ingress SMTP
From: Robert Bonomi <bonomi () mail r-bonomi com>
Date: Wed, 3 Sep 2008 16:41:18 -0500 (CDT)
> From nanog-bounces () nanog org  Wed Sep  3 11:58:37 2008
> From: Alec Berry <alec.berry () restontech com>
> Subject: Re: ingress SMTP
>
> Michael Thomas wrote:
>> I think this all vastly underrates the agility of the bad guys. So lots
>> of ISP's have blocked port 25. Has it made any appreciable difference?
>> Not that I can tell. If you block port 25, they'll just use another port
>> and a relay if necessary.
>
> I'm pretty sure it has, although without aggregate stats from various
> ISPs it is hard to tell. Since mail transport is exclusively on port 25
> (as opposed to mail submission), a bot cannot just hop to another port.
One small data-point -- on a personal vanity domain, approximately 2/3 of all the spam (circa 15k junk emails/month) was 'direct to inbound MX' transmissions. The vast majority of this is coming from end-user machines outside of North America. China, India, Thailand, Brazil, Poland, "CZ", and a couple of providers each in Germany and France, appear to be the most prevalent sources _I_ see.

The message count would be a fair bit higher, but I have several overseas networks (4 in DE, 2 in TW, 1 in CZ) plus pieces of 2 domestic networks (*da.uu.net, *pub-ip.psi.net) blocked at the firewall. Also firewalled are a couple of dozen IP addresses that have -each- made over 10k attempts to _relay_ mail through me.

I'm seeing a significant amount of 'Received' header forgery, apparently intended to fool "dumb" header parsers into believing the direct-to-MX transmission _did_ go through the server associated with the domain used in the "from: ", "from ", and "Reply-to: " lines. The good news is that only a _really_ dumb parser would be fooled by most of what I'm seeing. :)
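The Received-header forgery described above, as an added example (not code from the thread or from any of its authors): a small Python checker that trusts only the Received: line our own MX stamped and compares it with the client-supplied trail below it. The MX name mx.vanity.example, the sample messages and all hostnames and addresses in them are constructed for the example; the header parsing assumes the common sendmail/Postfix "from X (rdns [ip]) by Y" form.

```python
"""Received-header sanity check (added example, not code from the thread).
A dumb parser takes the bottom-most Received: line as the origin, so a bot
delivering direct to the MX can prepend a forged line claiming a hop through
the From: domain's server.  Only the line our own MX stamped is trustworthy;
everything below it came in over DATA from the client and may be forged."""
import re

OUR_MX = "mx.vanity.example"  # our MX's "by" name; assumed for the example

# sendmail/Postfix style: "from <helo> (<rdns> [<ip>]) ... by <host>"
_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s*\((?P<rdns>[^\s()\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)", re.IGNORECASE | re.DOTALL)

def parse_headers(raw):
    """(name, value) pairs, lower-cased names, folded lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the header block
        if line[0] in " \t" and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            name, _, val = line.partition(":")
            headers.append((name.strip().lower(), val.strip()))
    return headers

def sender_domain(headers):
    """Domain part of the From: address, or None."""
    val = next((v for n, v in headers if n == "from"), "")
    m = re.search(r"<([^>]+)>", val)
    addr = m.group(1) if m else (val.split() or [""])[-1]
    return addr.rpartition("@")[2].strip().lower() or None

def in_domain(host, domain):
    """True if host is domain itself or a name under it."""
    if not host or not domain:
        return False
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def received_hops(headers):
    """Received: lines top-down (newest first), parsed where possible."""
    hops = []
    for name, val in headers:
        if name == "received":
            m = _HOP_RE.search(val)
            g = m.groupdict() if m else {}
            hops.append({"helo": (g.get("helo") or "").lower(),
                         "rdns": (g.get("rdns") or "").lower(),
                         "ip": g.get("ip"),
                         "by": (g.get("by") or "").rstrip(";,").lower()})
    return hops

def analyze(raw, our_mx=OUR_MX):
    """Compare the hop our MX wrote with the client-supplied trail below it."""
    headers = parse_headers(raw)
    hops = received_hops(headers)
    from_dom = sender_domain(headers)
    result = {"from_domain": from_dom, "connecting_ip": None,
              "connecting_rdns": None, "helo_matches_rdns": None,
              "naive_origin": hops[-1]["by"] if hops else None,  # dumb view
              "relay_claims": [], "verdict": "no trusted hop"}
    idx = next((i for i, h in enumerate(hops) if h["by"] == our_mx.lower()), None)
    if idx is None:
        return result
    t = hops[idx]
    result.update(connecting_ip=t["ip"], connecting_rdns=t["rdns"],
                  helo_matches_rdns=t["helo"] == t["rdns"])
    # Lines below the trusted hop are client-supplied; note any claiming the
    # mail passed through the From: domain's own server.
    result["relay_claims"] = [h["by"] for h in hops[idx + 1:]
                              if in_domain(h["by"], from_dom)]
    if in_domain(t["rdns"], from_dom):
        result["verdict"] = "consistent"
    elif result["relay_claims"]:
        result["verdict"] = "forged relay trail"  # direct-to-MX, trail is fake
    else:
        result["verdict"] = "outside-domain origin"
    return result

# Constructed sample: a bot on a dynamic ISP host delivers direct to our MX,
# prepending a Received: line that claims a hop through mail.example.com.
SPAM = """\
Received: from mail.example.com (123-45-67-89.dyn.isp.example [198.51.100.23])
    by mx.vanity.example (8.14.3/8.14.3) with ESMTP id m83Lf4Xn012345
    for <user@vanity.example>; Wed, 3 Sep 2008 16:41:18 -0500 (CDT)
Received: from user-pc (user-pc [10.0.0.5])
    by mail.example.com (Postfix) with ESMTP id 4A1B2C3D
    for <user@vanity.example>; Wed, 3 Sep 2008 21:39:02 +0000
From: "Accounts" <billing@example.com>
Subject: Invoice

"""
# Constructed sample: same trail, but the connection really came from
# mail.example.com (reverse DNS agrees), so the lower hop is plausible.
LEGIT = SPAM.replace("123-45-67-89.dyn.isp.example [198.51.100.23]",
                     "mail.example.com [203.0.113.10]")

if __name__ == "__main__":
    for label, msg in (("spam", SPAM), ("legit", LEGIT)):
        print(label, analyze(msg))
```

The naive_origin field is what a bottom-up parser would report (mail.example.com in both samples); the verdict comes only from the hop our MX wrote. This is a plausibility check on the trail, not an authentication mechanism: it relies on the reverse DNS our own MTA recorded, and a production setup would pair it with SPF or DKIM rather than rely on it alone.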
Current thread:
- Re: ingress SMTP, (continued)
- Re: ingress SMTP Chris Boyd (Sep 03)
- Re: ingress SMTP Edward B. DREGER (Sep 07)
- Re: ingress SMTP Charles Wyble (Sep 03)
- Why not go after bots? (was: ingress SMTP) Michael Thomas (Sep 03)
- Re: Why not go after bots? Charles Wyble (Sep 03)
- Re: Why not go after bots? (was: ingress SMTP) Suresh Ramasubramanian (Sep 03)
- RE: Why not go after bots? (was: ingress SMTP) Frank Bulk (Sep 03)
- Why not go after bots? (was: ingress SMTP) Michael Thomas (Sep 03)
- RE: ingress SMTP Skywing (Sep 03)
- Re: ingress SMTP *Hobbit* (Sep 03)
- Re: ingress SMTP Steven Champeon (Sep 03)
- Re: ingress SMTP Robert Bonomi (Sep 03)
- Re: ingress SMTP Alec Berry (Sep 04)
- Re: ingress SMTP Mark Andrews (Sep 04)
- Re: ingress SMTP Alec Berry (Sep 04)
- Re: ingress SMTP Alec Berry (Sep 04)
- RE: ingress SMTP Justin D. Scott (Sep 03)
- Re: ingress SMTP Mark Foster (Sep 03)
- Re: ingress SMTP Jeff Kinz (Sep 04)
- Re: ingress SMTP Mark Foster (Sep 04)