nanog mailing list archives

Re: Outgoing SMTP Servers


From: Brian Dickson <brian.peter.dickson () gmail com>
Date: Tue, 25 Oct 2011 14:05:00 -0400

Owen wrote:

> On Oct 25, 2011, at 3:29 AM, <Valdis.Kletnieks at vt.edu> wrote:
>
>> On Tue, 25 Oct 2011 02:35:31 PDT, Owen DeLong said:
>>
>>> If they are using someone else's mail server for outbound, how, exactly do you control
>>> whether or not they use AUTH in the process?
>>
>> 1) You don't even really *care* if they do or not, because...
>>
>> 2) if some other site is running with an un-AUTHed open port 587, the miscreants will
>> find it and abuse it just like any other open mail relay. The community will
>> deal with it quick enough so you don't have to. And at that point, it's the
>> open mail relay's IP that ends up on the block lists, not your mail relay's IP.
>
> But that applies to port 25 also, so, I'm not understanding the difference.
>
>> Other people running open port 587s tends to be quite self-correcting.
>
> At this point, so do open port 25s.
>
> Owen

I'll try to explain with text stick-diagrams...

The players are:
G - good user
B - botnet host
I - ISP
O - open relay
S - mail-submission relay
V - victim SMTP/mailbox host

It's all about how port-25 traffic containing SPAM gets to machine
"V". (Or not, which is the preferred situation.)

Possible routes include:
B.25 -> (I allows 25) -> O -> V (classic open relay) [SPAM]
B.25 -> (I allows 25) -> V (new mode, and what William Herrin is
talking about) [SPAM]
B.587 -> (I !allow 25) -> V (but that makes no sense - how does B
authenticate to the victim? She doesn't!!) [BLOCKED]
B.587 -> (I !allow 25) -> S (ditto - not an open unauthenticated
relay, only allows authenticated relaying!!!) [BLOCKED]

Meanwhile, we have:
G.587 -> (I !allow 25) -> S.g.587/.25 (mail submission gateway for G)
-> V.25 [NOT-SPAM && NOT-BLOCKED]

S.g is either G's enterprise mail server, or G's home mail server, or
G's ISP themselves, or some other S to which G can authenticate.
S.g receives on 587, and sends on 25, and is a generally reputable
port-25 host (whatever that means).

So, basically, not blocking 587 and blocking 25 removes all the
avenues for direct botnet spam.
Authenticating botnet sources become trackable on auth-hosts, and easy
to shut down.

Is there some path not listed above that could allow a spammer (botnet
host) behind the ISP to send email, without having a relay host to
which it can authenticate, that I'm not seeing?

Brian
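What the "S" / "S.g" role in the diagram above looks like on a real MTA, as an added example that is not part of Brian's post: a Postfix configuration where port 25 is inbound-only (the "V" role, no relaying for outsiders) and port 587 relays only for clients that have authenticated. The option names are real Postfix settings; the network ranges are placeholders.

```conf
# --- main.cf (Postfix 2.10 or later) ---
# Port 25 is the MX listener. No AUTH is offered here, and relaying is
# refused for anyone outside mynetworks, so a botnet host that reaches this
# port can only deliver to our own domains (the "V" role); it can never use
# us as an "O" (open relay) toward a third party.
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
mynetworks = 127.0.0.0/8, [::1]/128   # placeholder: local hosts only

# --- master.cf ---
# The submission service (S.g in the diagram) listens on 587. Clients must
# negotiate TLS and then authenticate; anything that has not authenticated is
# rejected before any relaying decision is made, so an un-AUTHed "B.587 -> S"
# path ends here. The separate syslog_name lets failed AUTH attempts on 587 be
# counted per source, which is what makes authenticating botnet hosts trackable.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
```

With this in place, the only route from a host behind a 25-blocking ISP to V.25 is through an account on S that the host can actually authenticate to, which is the point Brian's diagram makes.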

