funsec mailing list archives

Re: Spamhaus for Extra Mail Server Security


From: Rich Kulawiec <rsk () gsp org>
Date: Mon, 14 Sep 2009 07:16:42 -0400

On Sat, Sep 12, 2009 at 02:42:41AM +0300, Gadi Evron wrote:
> I cannot IP filter an SMTP server to be available only from certain 
> locations -- as if I even wanted to limit myself in such a way. 

It's long since become a best practice to do exactly that: to firewall
out connections from any network allocation (whether by entity or
country) that recipients don't need/want to receive mail from.
(Or more efficiently in some cases, to only permit connections from
those allocations where mail is necessary/desirable.)  These are
high-efficiency, low-cost anti-email-abuse techniques that work
beautifully *when properly used* -- and that, of course, is the trick.

For example, on various mail servers I'm running, I'm using a
combination of 3261 network allocations and 26 country allocations
to refuse connections (with different ones used on different
servers depending on their traffic patterns).  Given that the
occurrence rate of non-abusive connections from those ranges from
"once every several years" to "never", this is a clearly superior method
of defense in terms of resources, cost, efficiency, FP, FN, resistance
to attack, resistance to gaming, etc.

Incidentally, *everyone* should be using the Spamhaus DROP list
for IP filtering, preferably at the network perimeter.  But if
that's not possible, then in the firewall (onboard or elsewhere)
in front of mail server(s) -- and blocking bidirectionally.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
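
Added example, not part of the original post or of any Spamhaus tooling: a sketch of the bidirectional range filtering described above, where a flow is refused if either its source or its destination falls inside a listed allocation. The "CIDR ; reference" file layout, the sample ranges (documentation networks), and the names `parse_blocklist` and `Blocklist` are assumptions made for illustration.

```python
import ipaddress
from bisect import bisect_right

# Constructed sample in the assumed "CIDR ; reference" layout.
# The ranges are documentation networks, not real listings.
SAMPLE_LIST = """\
; constructed sample, not real DROP data
192.0.2.0/25 ; REF-0001
192.0.2.128/25 ; REF-0002
198.51.100.0/24 ; REF-0003

203.0.113.64/26 ; REF-0004
not-a-network ; REF-0005
"""

def parse_blocklist(text):
    """Return sorted, collapsed IPv4 networks; skip comments and bad lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()  # drop the trailing reference
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            continue  # malformed entry: skip it rather than guess a range
        if net.version == 4:
            nets.append(net)
    # Adjacent or overlapping allocations merge into one larger range.
    return sorted(ipaddress.collapse_addresses(nets))

class Blocklist:
    def __init__(self, nets):
        self.nets = nets
        self.starts = [int(n.network_address) for n in nets]

    def contains(self, addr):
        """Binary search over range starts, then check the range end."""
        ip = int(ipaddress.IPv4Address(addr))
        i = bisect_right(self.starts, ip) - 1
        return i >= 0 and ip <= int(self.nets[i].broadcast_address)

    def refuse(self, src, dst):
        """Bidirectional check: refuse if either end of the flow is listed."""
        return self.contains(src) or self.contains(dst)

if __name__ == "__main__":
    bl = Blocklist(parse_blocklist(SAMPLE_LIST))
    # Constructed flows: inbound from a listed range, outbound to one, clean.
    for src, dst in [("192.0.2.200", "10.0.0.25"), ("10.0.0.25", "203.0.113.100"),
                     ("203.0.113.10", "10.0.0.25")]:
        print(src, "->", dst, "REFUSE" if bl.refuse(src, dst) else "accept")
```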

