nanog mailing list archives

Re: ingress SMTP

From: Mark Andrews <marka () isc org>
Date: Fri, 5 Sep 2008 00:28:40 +1000 (EST)

In article <48BFE61F.8040509 () restontech com> you write:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert Bonomi wrote:

One small data-point -- on a personal vanity domain, approximately 2/3 of 
all the spam (circa 15k junk emails/month) was 'direct to inbound MX' 
transmissions.  The vast majority of this is coming from end-user machines 
outside of North America.


This confirms the limited data I have. I configure my edge firewall (pf)
to drop anything to/from the Spamhaus DROP list, as well as sendmail to
use their XBL. The DROP list seems like it blocks mostly MX lookups
(nice to see the blocking of mail start so early in the process!), so it
is hard to say how many SMTP connections never happen (remote server/bot
does not know where to connect). The XBL list, which is mostly
residential IPs around the world, seems to be the single most effective
technique in blocking incoming traffic-- on port 25. Obviously, these
connections are coming from ISPs that do *not* block egress TCP 25.


        You do realise that there a mail clients that check MX
        records *before* submitting email (or before on sending the
        email) so that typos get detected in the client before any
        email is sent from the client.

        But you would never see those false positives.  I know they
        exist because I've experienced them because I work from
        home and even though I tunnel email out via the office
        servers I prefer the typos to be caught locally.

        I doubt this will change your mind but it might stop someone
        else from making a bad decision to do what you are doing.

        Mark

Slightly off topic-- I found it quite easy to configure the DROP list to
work with pf (or is that the other way around?). I would be happy to
share the small Perl script that updates the pf table. When I configured
the DROP list on a free public wireless system I maintain, I was amazed
at how much egress traffic it blocked-- obviously rogue/bad/evil
webservers, IRC hosts, etc.

I wonder if anyone else is using it that way?

...
alec

- --
`____________
/ Alec Berry \______________________________
| Senior Partner and Director of Technology \
| PGP/GPG key 0xE8E9030F                    |
| http://alec.restontech.com/#PGP           |
|-------------------------------------------|
|             RestonTech, Ltd.              |
|        http://www.restontech.com/         |
|          Phone: (703) 234-2914            |
\___________________________________________/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIv+YdREO1P+jpAw8RAnWzAKDxOmneR6j6DBVyo5/CO1wRYngorQCgo9SJ
sArBQqQStX7zIuYK3qo1El0=
=C2FM
-----END PGP SIGNATURE-----

Current thread:

Re: ingress SMTP, (continued)
- Re: ingress SMTP Charles Wyble (Sep 03)
  - Why not go after bots? (was: ingress SMTP) Michael Thomas (Sep 03)
    - Re: Why not go after bots? Charles Wyble (Sep 03)
    - Re: Why not go after bots? (was: ingress SMTP) Suresh Ramasubramanian (Sep 03)
    - RE: Why not go after bots? (was: ingress SMTP) Frank Bulk (Sep 03)
- RE: ingress SMTP Skywing (Sep 03)
- Re: ingress SMTP *Hobbit* (Sep 03)
  - Re: ingress SMTP Steven Champeon (Sep 03)
- Re: ingress SMTP Robert Bonomi (Sep 03)
  - Re: ingress SMTP Alec Berry (Sep 04)
    - Re: ingress SMTP Mark Andrews (Sep 04)
    - Re: ingress SMTP Alec Berry (Sep 04)
- Re: ingress SMTP matthew (Sep 03)
  - RE: ingress SMTP Justin D. Scott (Sep 03)
- Re: ingress SMTP matthew (Sep 03)
- ingress SMTP Keith Medcalf (Sep 03)
  - Re: ingress SMTP Mark Foster (Sep 03)
    - Re: ingress SMTP Jeff Kinz (Sep 04)
    - Re: ingress SMTP Mark Foster (Sep 04)
    - Re: ingress SMTP Jeff Kinz (Sep 04)
    - Re: ingress SMTP Simon Waters (Sep 05)

(Thread continues...)