Educause Security Discussion mailing list archives

Re: AOL email concerns for nodak.edu (fwd)


From: Paul Russell <prussell () ND EDU>
Date: Thu, 28 Apr 2005 15:43:08 -0500

On 4/28/2005 9:01 AM, Dick Jacobson wrote:

> I know we send our share of garbage from compromised computers, but most
> of the complaints regarding those incidents include timestamps or email
> headers so they can be tracked.  This email simply says we are being
> naughty (without any documentation) and they are going to block us if we do
> not clean up our act.

You should consider taking the following steps:

1. Block outbound SMTP (port 25) connection requests to external IP
   addresses from all but known mail servers in your network; and,
2. Implement mandatory SMTP authentication.

There is, after all, no legitimate reason for Joe Student's personal
computer to spew 1,000 messages per hour, either via a direct-to-MX
connection to an external site, or through your mail server. These
steps will, at least for now, prevent zombies in your network from
spewing garbage at the rest of us. After you've taken these steps, you
may want to set up a script to periodically scan your mail server logs
for local systems that are encountering unusually high numbers of SMTP
rejects. The output can help you identify infected and/or compromised
systems in your network.

Before we took these steps, we were frequently inundated with legitimate
spam complaints from AOL. These changes reduced the flood to a trickle.

--
Paul Russell
Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
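The log-scanning step described above, as an added example that is not part of the original post: a small Python script that reads constructed Postfix-style smtpd reject lines, counts rejects per client address within an assumed campus range (10.0.0.0/8), and reports hosts at or above a threshold so they can be checked for infection.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines in Postfix smtpd "reject" format (not real data).
SAMPLE_LOG = """\
Apr 28 09:01:02 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[10.4.7.22]: 554 5.7.1 <bob@example.net>: Relay access denied; from=<x@foo.test> to=<bob@example.net> proto=ESMTP helo=<pc>
Apr 28 09:01:03 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[10.4.7.22]: 554 5.7.1 <carol@example.net>: Relay access denied; from=<x@foo.test> to=<carol@example.net> proto=ESMTP helo=<pc>
Apr 28 09:01:04 mx1 postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[10.4.7.22]: 554 5.7.1 <dave@example.net>: Relay access denied; from=<x@foo.test> to=<dave@example.net> proto=ESMTP helo=<pc>
Apr 28 09:02:10 mx1 postfix/smtpd[2245]: NOQUEUE: reject: RCPT from lab5.campus.test[10.9.1.5]: 550 5.1.1 <nobody@example.net>: Recipient address rejected: User unknown; from=<a@campus.test> to=<nobody@example.net> proto=ESMTP helo=<lab5>
Apr 28 09:03:00 mx1 postfix/smtpd[2250]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <eve@example.net>: Relay access denied; from=<z@bar.test> to=<eve@example.net> proto=ESMTP helo=<ext>
Apr 28 09:03:05 mx1 postfix/smtpd[2250]: connect from unknown[10.4.7.22]
"""

# Assumption: the campus address space; adjust to your own allocations.
LOCAL_NETS = [ip_network("10.0.0.0/8")]

# Matches only RCPT-stage rejects and captures the connecting client's IP.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([0-9a-fA-F.:]+)\]"
)


def count_local_rejects(log_text):
    """Count reject lines per client IP, keeping only local (campus) clients."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connects, deliveries and other events are ignored
        ip = ip_address(m.group(1))
        if any(ip in net for net in LOCAL_NETS):
            counts[str(ip)] += 1
    return counts


def suspicious_hosts(log_text, threshold=3):
    """Return (ip, reject_count) pairs at or above the threshold, sorted by IP."""
    counts = count_local_rejects(log_text)
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in suspicious_hosts(SAMPLE_LOG):
        print(f"{ip}: {n} SMTP rejects - check this host")
```

Run it against a rotated maillog on a schedule and tune the threshold to your normal reject rate; external clients are deliberately excluded since the goal is to find compromised local machines.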

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.