I really am struggling to understand this - talking about only outbound 25/tcp here. Honest, I'm not taking the proverbial, so please bear with me. My take: spammers will be using an app of some kind to spam, not native software. So I expect that this will be making all of the connections, whether to get a list of addresses + payload to relay (on any port the remote server is listening on), or to send. You do not need an authenticated cert to talk SSL/TLS to a mail server - or at least none I've ever come across so far, so a self-signed example.com will do just fine. So the app just needs to use / generate one. So what's the difference?

On Wed, 2014-11-05 at 15:26 +1300, Mark Foster wrote:
Blocking outbound port 25 blocks the vast majority of non-authenticated SMTP. The remainder being authenticated (or channelled via the same service provider, who can trace you by your IP, dynamic or not) provides some accountability and makes spam much easier to trace... acknowledging that much spam comes from compromised machines on residential-grade connectivity (on port 25).
Blocking port 25 outbound (with an opt-out option) makes sense if you can't quickly deal with offenders on your network (as often seems to be the case with big players). This doesn't then provide those players with an excuse to under-resource abuse@ (as the remaining spam is finding another way out), but this does seem to happen regardless... so it's not even close to a silver bullet, but it does help more than hinder.
Mark.
Sent from a mobile device.
-------- Original message --------
From: Steve Holdoway
Date: 05/11/2014 14:56 (GMT+12:00)
To: Peter Lambrechtsen
Cc: nznog
Subject: Re: [nznog] UFB 1 gig plans for retail and impact they have
On Wed, 2014-11-05 at 14:14 +1300, Peter Lambrechtsen wrote:
Have to say that blocking inbound port 25 and 53 is highly recommended for all RSPs. Plus blocking outbound port 25 to only SMTP servers you run if you wanted a sense of if customers are using their connections for mass spamming. With an opt out of course.

Given that mail servers also listen on 587 (thanks billg) and 465, isn't blocking just 25/tcp just a bit pointless?

Steve
-- 
Steve Holdoway BSc(Hons) MIITP http://www.greengecko.co.nz Linkedin: http://www.linkedin.com/in/steveholdoway Skype: sholdowa
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
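One way to get the "sense of whether customers are using their connections for mass spamming" that Peter describes from the logs such a block produces, as an added example that is not from this thread or any of its posters: it assumes a constructed firewall log format and a hypothetical set of the RSP's own relay addresses, and flags a source that fans out to many distinct external port-25 destinations rather than relaying through the provider.

```python
"""Flag likely mass-mailing sources from logged outbound 25/tcp attempts.
Constructed example; the log format and addresses are assumptions."""
import re
from collections import defaultdict

# Constructed log lines: an edge router logging every outbound 25/tcp
# attempt (the last line is on the submission port and must be ignored).
SAMPLE_LOG = """\
Nov  5 14:10:01 edge kernel: SMTP-OUT SRC=203.0.113.10 DST=198.51.100.20 PROTO=TCP DPT=25
Nov  5 14:10:02 edge kernel: SMTP-OUT SRC=203.0.113.10 DST=198.51.100.21 PROTO=TCP DPT=25
Nov  5 14:10:02 edge kernel: SMTP-OUT SRC=203.0.113.10 DST=198.51.100.22 PROTO=TCP DPT=25
Nov  5 14:10:03 edge kernel: SMTP-OUT SRC=203.0.113.10 DST=198.51.100.23 PROTO=TCP DPT=25
Nov  5 14:10:03 edge kernel: SMTP-OUT SRC=203.0.113.10 DST=198.51.100.24 PROTO=TCP DPT=25
Nov  5 14:11:00 edge kernel: SMTP-OUT SRC=203.0.113.11 DST=192.0.2.25 PROTO=TCP DPT=25
Nov  5 14:11:05 edge kernel: SMTP-OUT SRC=203.0.113.11 DST=192.0.2.25 PROTO=TCP DPT=25
Nov  5 14:12:00 edge kernel: SMTP-OUT SRC=203.0.113.12 DST=198.51.100.30 PROTO=TCP DPT=25
Nov  5 14:12:01 edge kernel: SMTP-OUT SRC=203.0.113.12 DST=198.51.100.30 PROTO=TCP DPT=587
"""

# Hypothetical: the RSP's own relay, which customers are allowed to reach on 25.
ISP_RELAYS = {"192.0.2.25"}

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=25\b")


def parse_out25(log_text):
    """Yield (src, dst) for every outbound port-25 attempt in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst")


def suspect_sources(log_text, isp_relays, min_distinct_dst=3):
    """Return {src: distinct external port-25 destinations} for sources at or
    above the threshold.  A customer relaying via the RSP touches one or two
    hosts; a bot delivering directly to recipients' MXes fans out to many."""
    per_src = defaultdict(set)
    for src, dst in parse_out25(log_text):
        if dst in isp_relays:
            continue  # relaying through the provider is the expected path
        per_src[src].add(dst)
    return {src: len(dsts) for src, dsts in per_src.items()
            if len(dsts) >= min_distinct_dst}


if __name__ == "__main__":
    for src, n in sorted(suspect_sources(SAMPLE_LOG, ISP_RELAYS).items()):
        print(f"{src}: {n} distinct external port-25 destinations")
```

Sources flagged this way are the ones worth an abuse@ look, while the customer on 587 and the one relaying via the provider never appear.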