Educause Security Discussion mailing list archives

Re: Blocking port 25 outbound


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Mon, 22 Aug 2005 13:15:28 -0700

Hi Joseph,

#We are considering blocking all port 25 traffic outbound.  We have noted
#various ISP's and others moving to block port 25 outbound to reduce
#"spamming".  We wish to be good "netizens"
#
#Have any of you done this already and what has been the push back of
#issues related to implementation on your campus?

This is a topic that came up during the Messaging Anti-Abuse Working Group
(MAAWG) meeting this past March. If you're interested, feel free to see

-- Dealing With Zombies and Trojans and Port 25 (a brief presentation)
   http://darkwing.uoregon.edu/~joe/port25.pdf

-- Spam Zombies and Inbound Flows to Compromised Customer Systems
   http://darkwing.uoregon.edu/~joe/zombies.pdf

More generally, you may also be interested in:

-- Email Effective Security Practices: 5 Concrete Areas to Scrutinize
   http://darkwing.uoregon.edu/~joe/emailsecurity/email-security.pdf
   (from the Spring 2004 Internet2 Member Meeting).

But coming back to the port 25 issue, some alternatives to blocking port
25 which you might want to consider include:

-- ensure that you are monitoring/responsive to complaints received on
   your abuse@ and postmaster@ address, and you have current whois contact
   data for your network blocks, your domain(s) and your ASN; participate
   in programs such as AOL's spam complaint feedback loop program
   (see http://postmaster.info.aol.com/fbl/fblinfo.html ); use an
   intrusion detection system such as Snort or Bro

-- consider a desktop anti-virus/anti-spyware product (such as McAfee
   VirusScan Enterprise 8) which includes default features intended to
   prevent mass mailing worms from sending mail and features to prevent
   IRC-based bot command and control channels

-- ensure your campus rDNS does a clean job of "hinting" about what hosts
   should and shouldn't be emitting mail direct-to-MX
   ( http://enemieslist.com/ does a good job of codifying much of what's
   known about rDNS naming practice "in the wild" right now)

-- consider publishing SPF records for your site; see
   http://spf.pobox.com/whitepaper.pdf for more information about SPF

-- check http://www.senderbase.com/ for your netblocks and domain to
   see if there's anything anomalous going on that's not getting reported

Feel free to drop me a note if you have any questions.

Regards,

Joe St Sauver (joe () uoregon edu)
University of Oregon Computing Center
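The monitoring alternative Joe describes (an IDS or flow monitor instead of a blanket port 25 block) comes down to spotting hosts that emit mail direct-to-MX without being one of the campus's designated MTAs. The following is an added example, not code from the post or from the University of Oregon: the flow-record format, the designated-MTA list, the threshold and the sample records are all constructed for illustration.

```python
"""Flag campus hosts talking SMTP to many remote hosts while not being
designated MTAs. Added example; format, hosts and thresholds are assumed."""
from collections import defaultdict

# Hosts that are supposed to speak SMTP outbound (constructed list).
DESIGNATED_MTAS = {"10.0.0.25", "10.0.0.26"}

# Constructed flow records, one per line: "timestamp src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
1124748000 10.0.0.25 192.0.2.10 25
1124748001 10.0.0.25 198.51.100.7 25
1124748002 10.0.5.77 192.0.2.10 25
1124748003 10.0.5.77 198.51.100.7 25
1124748004 10.0.5.77 203.0.113.9 25
1124748005 10.0.5.77 203.0.113.44 25
1124748006 10.0.7.12 203.0.113.9 443
1124748007 10.0.7.12 192.0.2.10 25
not a valid record
"""


def parse_flows(text):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, port = parts
        if port.isdigit():
            yield src, dst, int(port)


def find_direct_to_mx_senders(text, allowed=DESIGNATED_MTAS, min_dests=3):
    """Return {src: distinct_port25_destinations} for hosts outside `allowed`
    that reached at least `min_dests` distinct remote hosts on port 25.

    Distinct destinations, not raw connection counts, are what separate a
    mass-mailing zombie from a client that retries against one relay."""
    dests = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dport == 25 and src not in allowed:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= min_dests}


if __name__ == "__main__":
    for src, n in sorted(find_direct_to_mx_senders(SAMPLE_FLOWS).items()):
        print(f"{src}: {n} distinct port-25 destinations, not a designated MTA")
```

Feeding real flow or firewall logs into `parse_flows` only requires adapting the four-field split; the designated-MTA set is the same list you would publish in an SPF record.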
