Educause Security Discussion mailing list archives

Re: Outbound SMTP


From: Tim Cantin <tcantin () WELLESLEY EDU>
Date: Fri, 25 Apr 2008 09:31:08 -0400

Matt,



I would strongly suggest implementing that rule at your perimeter firewall!



We block all smtp traffic except to/from known hosts. So we allow our own
central mail servers of course, a handful of trusted local entities (i.e.
CS's mail server and several others), and just a few outside sites for
convenience on request (i.e. Comcast.net).



We never asked permission, we just did it. A handful of knowledgeable people
squawked, and we opened access for their particular needs.



Since then we haven't received a single complaint from the outside about
spam originating from our site.



In addition, since that rule went into effect we have also implemented Cisco
Clean Access for every desktop on campus (students, faculty, and staff
alike). We enforce Windows updates and anti-virus installed & updated. Yeah,
it was a little expensive, but it literally eliminated viruses on user
desktops, a condition which was causing vast hours and hours of work from
our Helpdesk to assist users in cleaning up their computers. It was a
fantastic return on investment, though now our users have to try a little
harder to stay on the network - which not all of them are thrilled about.
IMHO they should've been doing this right along, of course. If you can't
afford a full implementation, consider phasing it in over time. We put our
residence halls on it one summer, and then the rest of the campus the next
summer thereby splitting the cost across two fiscal years.



Good luck!



-Tim



---

Tim Cantin, Senior Network Engineer

Wellesley College, IS/Technology Infrastructure Group

223 Simpson Hall East, 106 Central Street
Wellesley, Massachusetts 02481-8203
http://www.wellesley.edu/~tcantin/
phone: (781)283-3520 fax: (781)283-3682



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Friday, April 25, 2008 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Outbound SMTP



I am curious how many other schools block outbound SMTP, and if so from
which or all networks?



We currently still allow it; however, I see very few legit connections.
Usually once a week I find another student who has become malware infected,
and have to shut them off until they can prove their computer is clean
(unfortunately we don't have a true NAC as budget does not allow).



The biggest problem is wireless users.  I can block MAC addresses, however
this ends up taking a lot of time from start to finish (by the time I log in
to WCS, push the policy to all the controllers, document it, notify our
helpdesk team for the incoming phone call they will get, then all those
steps in reverse when the computer is cleaned).



I have been considering approaching management to just block all port 25
traffic.  My holdback is that I feel bad for anyone that has their own
domain somewhere and sends mail through it.  We do not allow students to
relay SMTP mail through our mail servers.



Thoughts?  Thanks for your input,



Matt



Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at http://www.fairmontstate.edu/
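
The known-hosts-only SMTP rule discussed in this thread, replayed over flow records to show which campus hosts it would stop. This is an added example, not part of either message; the addresses, the allowlists and the `src dst dst_port` record format are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values (constructed; documentation-range addresses).
CAMPUS = ipaddress.ip_network("192.0.2.0/24")
MAIL_SERVERS = {"192.0.2.10", "192.0.2.11"}  # central and trusted local mail servers
ALLOWED_OUTSIDE = {"198.51.100.25"}          # outside sites opened on request

# Constructed flow records, one per line: "src dst dst_port".
SAMPLE_FLOWS = """\
192.0.2.10 203.0.113.5 25
192.0.2.77 198.51.100.25 25
192.0.2.77 203.0.113.9 443
192.0.2.140 203.0.113.5 25
192.0.2.140 203.0.113.6 25
192.0.2.140 203.0.113.7 25
203.0.113.50 192.0.2.10 25
203.0.113.50 192.0.2.140 25
"""

def verdict(src, dst, port):
    """Perimeter decision for one flow: 'allow', 'deny' or 'not-smtp'."""
    if port != 25:
        return "not-smtp"
    src_in = ipaddress.ip_address(src) in CAMPUS
    dst_in = ipaddress.ip_address(dst) in CAMPUS
    if src_in == dst_in:
        return "allow"  # does not cross the perimeter
    inside, outside = (src, dst) if src_in else (dst, src)
    known = inside in MAIL_SERVERS or outside in ALLOWED_OUTSIDE
    return "allow" if known else "deny"

def denied_outbound(flow_text):
    """Map each campus source to the count of distinct denied SMTP destinations."""
    seen = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        if ipaddress.ip_address(src) in CAMPUS and verdict(src, dst, int(port)) == "deny":
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}

if __name__ == "__main__":
    for host, count in sorted(denied_outbound(SAMPLE_FLOWS).items()):
        print(f"{host}: {count} distinct blocked SMTP destinations")
```

Campus hosts that keep hitting the deny rule are the ones worth a follow-up check for infection.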



