nanog mailing list archives
Re: Blocking MX query
From: William Herrin <bill () herrin us>
Date: Tue, 4 Sep 2012 15:07:11 -0400
On Tue, Sep 4, 2012 at 11:57 AM, Jay Ashworth <jra () baylink com> wrote:
>> What sort of an mta do you run on your laptop that doesn't support smtp auth?

> SMTP Auth to *arbitrary remote domains' MX servers*? Am I missing something, or are you?
You are. You should be doing SMTP Auth to *your* email server on which you have an authorized account and then letting it relay your messages to the world.
>> Okay, fair enough. There are no good users *expecting* to send email direct to a remote port 25 from behind a NAT. There are some good users who occasionally run slightly sloppy configurations which might attempt spurious port 25 connections.

> I do, in fact, expect that. You're alleging that's a bad practice.
Yes, I am. Here's a few others.

http://security.comcast.net/get-help/spam.aspx
"Port 25 Blocking Port 25 is conduit on a computer that spammers can take control of and use to send their spam - often without the user ever knowing his/her computer has been "hijacked". Comcast works with our customers to block access to Port 25 and protect their PC. Comcast recommends that our customers establish a more secure email configuration on their PC - Port 587 - We have made it easy by creating a one-click fix that automatically configures your computers to this safer PC configuration."

http://qwest.centurylink.com/internethelp/email-troubleshooting-port25.html
"CenturyLink filters port 25 to reduce the spread of email viruses and spam (unsolicited email). Filtering port 25 has become the industry standard to reduce the spread of email viruses and spam. These email viruses allow malicious software to control infected computers. These viruses direct the infected machines to send email viruses and spam through port 25."

http://cbl.abuseat.org/nat.html
"The simplest and most effective way to stop this is to configure your NAT to prohibit connections to the Internet on port 25 except from real mail servers. Not only does this stop all of these viruses and spams dead in their tracks, the NAT logs will immediately tell you the LAN address of the infected machine."

http://tools.ietf.org/html/rfc5068
"A proactive technique used by some providers is to block all use of port 25 SMTP for mail that is being sent outbound, or to automatically redirect this traffic through a local SMTP proxy, except for hosts that are explicitly authorized."

http://www.microsoft.com/security/sir/strategy/default.aspx#!section_2_4
"Block access to port 25 from all hosts on your network other than those you explicitly authorize to perform SMTP relay functions."

Regards,
Bill Herrin

--
William D. Herrin ................ herrin () dirtside com bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
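
The CBL advice quoted in the message above says the NAT logs identify the LAN address of a machine attempting port 25. The following is an added example, not part of the original message: it assumes netfilter-style LOG lines with a hypothetical `SMTP-OUT` prefix and a hypothetical authorized relay at 192.168.1.10, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Assumption: the only host explicitly authorized to send on port 25.
AUTHORIZED_RELAYS = {"192.168.1.10"}

# Constructed sample in the style of Linux netfilter LOG output; the
# "SMTP-OUT" prefix is an assumed label set by the logging rule.
SAMPLE_LOG = """\
Sep  4 15:01:02 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=50112 DPT=25
Sep  4 15:01:02 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.40 PROTO=TCP SPT=50113 DPT=25
Sep  4 15:01:03 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=192.0.2.99 PROTO=TCP SPT=50114 DPT=25
Sep  4 15:01:05 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=50115 DPT=25
Sep  4 15:02:10 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.40 PROTO=TCP SPT=41000 DPT=25
Sep  4 15:03:44 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.80 PROTO=TCP SPT=52001 DPT=587
Sep  4 15:04:09 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.44 DST=192.0.2.25 PROTO=TCP SPT=49877 DPT=25
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def unauthorized_smtp_sources(log_text, authorized=AUTHORIZED_RELAYS):
    """Map each non-relay LAN address to its port-25 attempts and destinations."""
    hits = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue  # port 587 submission and non-SMTP traffic are not of interest
        src = f.get("SRC")
        if src is None or src in authorized:
            continue  # the authorized relay is expected to use port 25
        hits[src]["attempts"] += 1
        hits[src]["destinations"].add(f.get("DST"))
    return dict(hits)

def report(hits):
    """Rows of (lan_ip, attempts, distinct_destinations), widest fan-out first."""
    rows = sorted(hits.items(), key=lambda kv: (-len(kv[1]["destinations"]), kv[0]))
    return [(ip, h["attempts"], len(h["destinations"])) for ip, h in rows]

if __name__ == "__main__":
    for ip, attempts, dests in report(unauthorized_smtp_sources(SAMPLE_LOG)):
        print(f"{ip}: {attempts} port-25 attempts to {dests} distinct hosts")
```

Sorting by distinct destinations is a triage heuristic assumed here, not something the quoted sources prescribe.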