nanog mailing list archives

Re: Outgoing SMTP Servers

From: Jack Bates <jbates () brightok net>
Date: Mon, 31 Oct 2011 13:32:00 -0500



On 10/31/2011 11:48 AM, Michael Thomas wrote:

I've often wondered the same thing as to what the resistance is to outbound
filtering is. I can think of a few possibilities:

1) cost of filtering
2) false positives
3) really _not_ wanting to know about abuse


On the other hand, you have

1) cost of tracking
2) support costs handling infections

It's really an range from "easiest and cost effective" to "doing itright". I personally run hybrid. There are areas that are nearimpossible to track; this is especially true for wide areawireless/cellular/NAT areas. I always recommend my customers blocktcp/25, even to the local smarthosts. Use 587 and authentication tosupport better tracking. It's a hack, though, as it doesn't stop otherabuses and it won't fix the underlying root cause.

In locations that support ease of tracking, using a mixture of feedbackloops with proper support is usually the proper way. This allowsnotification and fixing of the root cause. In our case, we recommendquick suspensions to demonstrate to customer how seriously we take theproblem, and then we point out that the sending of spam/scanning is onlythe easier to detect symptoms. It is unlikely we'll notice if they havea keylogger as well.

Finally, when architecture allows it, dynamic profiles with ACL supportallowing a default of tcp/25 blocked, and easy to find and click removalof an account from tcp/25 blocking, combined with ACL monitoring,flagging, and notification by support staff is probably the ultimate inideal scenarios. Combined with a % of traffic mirrored into a tunnel toan IDS which monitors for things such as network scanning or knownsignatures outbound, it makes for a very effective mechanism to assistcustomers in protecting themselves.

I'm personally curious how much traffic is necessary to mirror toproperly detect problems. ie, can you get away with 1% or less (GE foreach 100GE-200GE of traffic) or if you must cover as much as 10%+. Mytraffic load is small enough that it doesn't matter, but it's alwaysnice to know how well something might scale.



Jack

Current thread:

Re: Outgoing SMTP Servers, (continued)
- - - Re: Outgoing SMTP Servers Dave CROCKER (Oct 27)
    - Re: Outgoing SMTP Servers William Herrin (Oct 27)
    - Re: Outgoing SMTP Servers Joel jaeggli (Oct 27)
    - Re: Outgoing SMTP Servers William Herrin (Oct 28)
    - Re: Outgoing SMTP Servers -Hammer- (Oct 28)
    - Re: Outgoing SMTP Servers Jay Ashworth (Oct 28)
    - Re: Outgoing SMTP Servers Dave CROCKER (Oct 30)
    - Re: Outgoing SMTP Servers Brian Johnson (Oct 30)
    - Re: Outgoing SMTP Servers Dave CROCKER (Oct 30)
    - Re: Outgoing SMTP Servers Michael Thomas (Oct 31)
    - Re: Outgoing SMTP Servers Jack Bates (Oct 31)
    - Re: Outgoing SMTP Servers Brian Johnson (Oct 31)
    - Re: Outgoing SMTP Servers Jack Bates (Oct 31)
    - Re: Outgoing SMTP Servers Robert Bonomi (Oct 31)
    - Re: Outgoing SMTP Servers Brian Johnson (Oct 31)
    - RE: Outgoing SMTP Servers Keith Medcalf (Oct 31)
    - Message not available
    - Re: Outgoing SMTP Servers William Herrin (Oct 30)
    - Re: Outgoing SMTP Servers Valdis . Kletnieks (Oct 28)
    - RE: Outgoing SMTP Servers Brian Johnson (Oct 28)
    - Message not available
    - RE: Outgoing SMTP Servers Brian Johnson (Oct 28)
    - Re: Outgoing SMTP Servers Owen DeLong (Oct 28)

(Thread continues...)