Re: Spamcop issue

[Dennis Dayman <dennis () thenose net>]

+1 that. block port 25 from desktop network. If users have a need to  
access outside mail servers to send though, make them use port 587

-Dennis

On Sep 12, 2008, at September 12,8:28 AM, Landriault, Yan wrote:

> A good practice would be to Firewall Outbound SMTP connections...
> Your clients should probably go through your mail server to send  
> mail, so why let SMTP outbound open?
> This will also prevent your public IP/subnet from getting  
> blacklisted because some road warrior got a spambot installed  
> somewhere...
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com 
> ] On Behalf Of David Gillett
> Sent: 11 septembre 2008 12:46
> To: 'marco'; security-basics () securityfocus com
> Subject: RE: Spamcop issue
>
>  Unless things have changed drastically lately, SpamCop doesn't
> do anything to block spam sources, it just makes it easy for
> recipients to complain to the folks responsible.
>  And if you know you're being a spam source, and are choosing not
> to clean it up at this time, then receiving complaints submitted
> via SpamCop is "Doing the Right Thing"....
>
>  I recently caught a spambot on our network.  One of the things
> I watch for is ICMP Unreachables, and I noticed that one of our
> stations was getting some every few minutes from a couple of
> servers in Hong Kong.
>  Since the ICMP packet contains the headers of the packet that
> prompted it, I was able to see that these servers were rejecting
> SMTP connection attempts.  That's kind of odd, since internal
> email clients should be sending to our enterprise SMTP server....
>  Time to crank up my sniffer and see what else this station is
> doing.  Hmmm, HTTP connection over some high port number, downloading
> some several kilobyte binary thing, then SMTP connections to about
> fifty remote servers....
>  The two in Hong Kong are refusing the connection.  Many of the
> others are accepting the TCP connect, but at the SMTP level are
> saying "We won't accept messages from you."  Oh, there's one that's
> accepting a message:  yadda yadda VIAGRA yadda....
>  Block outbound SMTP directly from that machine until Tech Services
> reports that it has been cleaned.  Oh yeah, and block/log that "HTTP"
> connection, too, in case the same entity has compromised other
> machines on our network.
>
> David Gillett
>
>
> > -----Original Message-----
> > From: marco [mailto:marco () spaz org]
> > Sent: Wednesday, September 10, 2008 4:29 PM
> > To: security-basics () securityfocus com
> > Subject: Spamcop issue
> >
> > Anyone dealt with trying to get whitelisted with them.
> > You are allowed a freebie, but If the spam problem continues,
> > you don't get a second shot.
> >
> > Or better yet, any good tools out there to get rid of spam
> > bugs and/or trojans...or at least scan a workstation to see
> > if there is one or similar Or maybe good tips on how to see
> > if someone is using a particular user's account or outgoing
> > domain to send out spams? Etc...
> >
> > I have some ideas, but can't think straight right now, too
> > busy with other projects.  Sure I can use multiple mail
> > gateways for now until I locate the issue...but ya know..
> >
> > thanks
> >
> > -m
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > > > >
> > ----------------------------------((((((((((((((((((((0)))))))
> > ))))))))))))))
> > > > > ))))))))))
> > > > >
> > > > > " He who gives up liberty for security ends up with neither". -
> > > > > Benjamin
> > > > > Franklin*
> > > > >
> > > > >
> > > > >
> > > > > "....i can't stop you, but maybe the earth can....."
> > > > > -anonymous activist
> > > > >
> > > > >
> > > > > "My other computer is your Windows box"
> > > > >
> > > > >
> > > > > "......we ArE frequency generators...."
> > > > >
> > > > >
> > > > > " If liberty means anything at all, it means the right to tell
> > > > > people what they do not want to hear. " - George Orwell
> > > > >
> > > > >  "......in C we will see what we see......."
> > > > > -my very first Programming teacher, Claude Comair
> > > > >
> > > > > ³.....Without some risks, there is no liberty, only
> > > > > subservience....²
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > "....the last time we mixed religion & politics, people
> > were burned
> > > > > at the stake..."
> > > > >
> > > > >
> > > > > > > -----
> > > > > > > techNotics
> > > > > > > techNotics.info
> > > > > > > noizey mac technology
> > > > > > > 510.684.1550
> > > > > > > -----
> > > > > > > holdfastrecordings.com
> > > > > > > missgawker.org