Re: [nznog] UFB 1 gig plans for retail and impact they have
Blocking outbound port 25 blocks the vast majority of non-authenticated SMTP. The remainder being authenticated (or channelled via the same service provider, who can trace you by your IP, dynamic or not), provides some accountability and makes spam much easier to trace... acknowledging that much spam comes from compromised machines on residential-grade connectivity (on port 25).
Blocking port 25 outbound (with an opt-out option) makes sense if you can't quickly deal with offenders on your network (as often seems to be the case with big players). This doesn't then provide those players with an excuse to under-resource abuse@ (as the remaining spam is finding another way out), but this does seem to happen regardless... so it's not even close to a silver bullet, but it does help more than hinder.
Mark.
Sent from a mobile device.
-------- Original message --------
From: Steve Holdoway
On Wed, 2014-11-05 at 14:14 +1300, Peter Lambrechtsen wrote:
Have to say that blocking inbound port 25 and 53 is highly recommended for all RSPs. Plus blocking outbound port 25 to only SMTP servers you run if you wanted a sense of if customers are using their connections for mass spamming. With an opt out of course.

Given that mail servers also listen on 587 (thanks billg) and 465, isn't blocking just 25/tcp just a bit pointless?
Steve
--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
Plus I am happy to email you off list the hit counters on the BNGs with the number of times these filters get hit externally. It's not a trivial number. Good practice as an RSP to prevent mis-configured or malware talking UPnP to your router and opening yourself up as a mail relay from doing bad things on your network. Plus if you block port 25 outbound and only direct it to your own internal SMTP servers and have an opt-out group to open it up, it seems a little odd to not block it inbound too. And there are a non-trivial number of old routers out there that have port 53 listening externally.

From: Mark Foster [mailto:blakjak(a)blakjak.net]
Sent: Wednesday, 5 November 2014 3:26 p.m.
To: Steve Holdoway; Peter Lambrechtsen
Cc: nznog
Subject: Re: [nznog] UFB 1 gig plans for retail and impact they have

-------- Original message --------
From: Steve Holdoway
Date: 05/11/2014 14:56 (GMT+12:00)
To: Peter Lambrechtsen
Cc: nznog
Subject: Re: [nznog] UFB 1 gig plans for retail and impact they have
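The filtering policy Peter describes (drop inbound 25 and 53 towards customers, allow outbound 25 only to the RSP's own SMTP servers unless the customer is in an opt-out group, and keep per-rule hit counters) can be written down as a small policy evaluator and run over sample flows. The block below is an added example written for this thread, not code from any of the posters or from any RSP's BNG; the customer pool, smarthost addresses, opt-out prefix and flow records are all constructed values, and the rule names are arbitrary labels. The sample flows include the 587/465 submission traffic Steve raises, which this policy does not touch at all.

```python
"""Policy evaluator for the RSP edge filter discussed in the thread.

Rules (all addresses and sets below are constructed for the example):
  - inbound (Internet -> customer): drop TCP/25 and TCP+UDP/53 to CPE
  - outbound (customer -> anywhere): TCP/25 allowed only to the RSP's own
    SMTP servers, or from customers in the opt-out group; everything else
    on 25 is dropped and counted
  - submission ports 587 and 465 are deliberately not policed
Per-rule hit counters are kept so the numbers can be reviewed, much like
the BNG counters mentioned in the thread.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed example values (assumptions, not from the thread).
CUSTOMER_POOL = ipaddress.ip_network("100.64.0.0/10")          # customer address pool
RSP_SMTP_SERVERS = {ipaddress.ip_address("192.0.2.25"),         # RSP smarthosts
                    ipaddress.ip_address("192.0.2.26")}
PORT25_OPTOUT = {ipaddress.ip_network("100.64.7.0/24")}         # opted-out customers


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def is_customer(addr: str) -> bool:
    return ipaddress.ip_address(addr) in CUSTOMER_POOL


def in_optout(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PORT25_OPTOUT)


def evaluate(flow: Flow):
    """Return (verdict, rule_name) for one flow seen at the BNG."""
    src_cust, dst_cust = is_customer(flow.src), is_customer(flow.dst)

    # Inbound: block SMTP and DNS listeners exposed on customer routers.
    if dst_cust and not src_cust:
        if flow.proto == "tcp" and flow.dport == 25:
            return "drop", "in-smtp25"
        if flow.dport == 53:
            return "drop", "in-dns53"
        return "accept", "in-default"

    # Outbound: only TCP/25 is policed; 587/465/anything else passes.
    if src_cust and flow.proto == "tcp" and flow.dport == 25:
        if in_optout(flow.src):
            return "accept", "out-smtp25-optout"
        if ipaddress.ip_address(flow.dst) in RSP_SMTP_SERVERS:
            return "accept", "out-smtp25-smarthost"
        return "drop", "out-smtp25-block"
    return "accept", "out-default"


def run(flows):
    """Evaluate every flow; return (per-rule hit counters, verdict list)."""
    counters = Counter()
    verdicts = []
    for f in flows:
        verdict, rule = evaluate(f)
        counters[rule] += 1
        verdicts.append(verdict)
    return counters, verdicts


# Constructed sample flows covering each branch of the policy.
SAMPLE_FLOWS = [
    Flow("100.64.1.10", "203.0.113.5", "tcp", 25),     # customer direct to a remote MX: dropped
    Flow("100.64.1.10", "192.0.2.25", "tcp", 25),      # customer to RSP smarthost: accepted
    Flow("100.64.7.20", "203.0.113.5", "tcp", 25),     # opted-out customer: accepted
    Flow("100.64.1.10", "203.0.113.5", "tcp", 587),    # submission port: not policed
    Flow("100.64.1.10", "203.0.113.5", "tcp", 465),    # SMTPS: not policed
    Flow("100.64.1.10", "198.51.100.53", "udp", 53),   # outbound DNS query: accepted
    Flow("198.51.100.9", "100.64.1.10", "tcp", 25),    # inbound SMTP to a CPE: dropped
    Flow("198.51.100.9", "100.64.1.10", "udp", 53),    # inbound DNS to an old router: dropped
    Flow("198.51.100.9", "100.64.1.10", "tcp", 443),   # other inbound traffic: accepted
]

if __name__ == "__main__":
    counters, _ = run(SAMPLE_FLOWS)
    for rule, hits in sorted(counters.items()):
        print(f"{rule:24s} {hits}")
```

Running it prints one line per rule with its hit count; the rules map one-to-one onto what a BNG or edge ACL would carry, so the same table can be used to sanity-check a real ruleset's counters against expected traffic.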
I really am struggling to understand this - talking about only outbound 25/tcp here. Honest, I'm not taking the proverbial, so please bear with me.

My take: Spammers will be using an app of some kind to spam, not native software. So I expect that this will be making all of the connections, whether to get a list of addresses + payload to relay (on any port the remote server is listening on), or to send. You do not need an authenticated cert to talk SSL/TLS to a mail server - or at least none I've ever come across so far, so a self-signed example.com will do just fine. So the app just needs to use / generate one. So what's the difference?
--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa