Re: port 25 blocking [Re: FW: The worst abuse e-mail ever, sverige.net]

[Douglas Otis <dotis () mail-abuse org>]

On Tue, 2004-09-21 at 14:22, Mikael Abrahamsson wrote:
> On Tue, 21 Sep 2004, Douglas Otis wrote:
>
> > As a prophylactic measure, Port 25 is blocked or transparently
> > intercepted to monitor the network via error logs.  For external mail
> > submissions, Port 587 would be recommended.
> >
> > There is an overview of this at:
> > http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt
>
> We want to receive abuse email and act on them, doesn't matter if
> customers are infected and sending spam or if they're infected and trying
> to remote-exploit web-servers or windows computers or what have you. We've
> been considering using netflow to detect end-users doing a lot of port 25
> activity towards a lot of random destinations, I find this much more
> net-friendly than to just block 25 and force them to use our smarthost
> (also stops our smarthost from being blacklisted by some overzealous
> blacklist-admins).

Cisco offers a Content Services Gateway that will allow audit of SMTP
error messages as example.  Just looking at user SMTP traffic will not
always be a good indication something nefarious is happening.  The
Wack-a-Mole game that results may clobber your good customers perhaps
once too often.  Tracking the reply codes for things like 550,1,3 and
filter for results greater than 50 or so should alert you to something
bad is happening, or that they are having a hard time typing addresses.
: )   

> Starting to block just means you will have to block more and more all the 
> time. Port 135-139 and 445 will be practially unusable on the network for 
> a long time (some users complain about this).
>
> I was under the impression that most blacklists would have a time-out 
> period when there was no more activity from this certain IP, it would be 
> removed from the blacklist. Is this not the case?

Hard to know how the average black-listing service ages their data. 
Some IP addresses cycle over large periods of time.  Some segments were
so bad, a few providers enter them using BGP into a router to conserve
network resources.  That entry may live for decades and be very
difficult to correct.

> Also, having hundreds of blacklists as per your email seems like a very 
> silly idea? I can understand 3-5, but hundreds?

I was not recommending that you post to blacklisting services, but
rather you will end up dealing with these services in an effort to allow
the address to once again reliably send mail should your customer expect
that ability.  

-Doug