bonomi at mail.r-bonomi.com
Wed Sep 3 16:41:18 CDT 2008
> From nanog-bounces at nanog.org Wed Sep 3 11:58:37 2008
> From: Alec Berry <alec.berry at restontech.com>
> Subject: Re: ingress SMTP
> Michael Thomas wrote:
> > I think this all vastly underrates the agility of the bad guys. So
> > lots of ISP's have blocked port 25. Has it made any appreciable
> > difference? Not that I can tell. If you block port 25, they'll just
> > use another port and a relay if necessary.
> I'm pretty sure it has, although without aggregate stats from various
> ISPs it is hard to tell. Since mail transport is exclusively on port 25
> (as opposed to mail submission), a bot cannot just hop to another port.
One small data-point -- on a personal vanity domain, approximately 2/3 of
all the spam (circa 15k junk emails/month) was 'direct to inbound MX'
transmissions. The vast majority of this is coming from end-user machines
outside of North America. China, India, Thailand, Brazil, Poland, "CZ", and
a couple of providers each in Germany and France, appear to be the most
prevalent sources _I_ see.
The message count would be a fair bit higher, but I have several overseas
networks (4 in DE, 2 in TW, 1 in CZ) plus pieces of 2 domestic networks
(*da.uu.net, *pub-ip.psi.net) blocked at the firewall. Also firewalled are
a couple of dozen IP addresses that have -each- made over 10k attempts
to _relay_ mail through me.
I'm seeing a significant amount of 'Received' header forgery, apparently
intended to fool "dumb" header parsers into believing the direct-to-MX
transmission _did_ go through the server associated with the domain used
in the "from: ", "from ", and "Reply-to: " lines. The good news is that
only a _really_ dumb parser would be fooled by most of what I'm seeing. :)
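As an added illustration (not code from Bonomi's message or from anyone in the thread), the following Python check shows what a "not dumb" Received parser does with the forgery pattern described above. Only the top Received line, the one written by your own MX, is trustworthy; every line below it was supplied by the sender. The check compares the host your MX actually recorded (reverse DNS and IP) against the host the first sender-supplied line claims wrote it. The two sample messages, the host names, IPs and the trusted MX name are all constructed for this example; the trusted set would hold your real MX names.

```python
import re
from email import message_from_string
from typing import List, NamedTuple, Optional, Set, Tuple

# Constructed: the name of our own inbound MX. Only Received lines written
# "by" one of these hosts are trusted; everything beneath them is sender-supplied.
TRUSTED_MX: Set[str] = {"mx.ourdomain.example"}

# Constructed forged message: a dial-up host HELOs as mail.example.com and
# prepends a fake Received line claiming the mail passed through that server.
FORGED_MESSAGE = """\
Received: from mail.example.com (pool-77.dsl.example.net [198.51.100.77])
\tby mx.ourdomain.example (Postfix) with ESMTP id 4ABC
\tfor <user@ourdomain.example>; Wed, 3 Sep 2008 16:30:01 -0500
Received: from [10.0.0.5] (helo=workstation)
\tby mail.example.com (8.13.1/8.13.1) with ESMTP id m83LTxx
\tfor <user@ourdomain.example>; Wed, 3 Sep 2008 16:29:58 -0500
From: "Sales" <sales@example.com>
Reply-To: sales@example.com
Subject: special offer

body
"""

# Constructed legitimate message: the domain's real relay handed it to us.
LEGIT_MESSAGE = """\
Received: from mail.example.com (mail.example.com [203.0.113.25])
\tby mx.ourdomain.example (Postfix) with ESMTP id 4DEF
\tfor <user@ourdomain.example>; Wed, 3 Sep 2008 16:30:01 -0500
Received: from workstation (workstation.example.com [10.0.0.5])
\tby mail.example.com (Postfix) with ESMTP id 4GHI
\tfor <user@ourdomain.example>; Wed, 3 Sep 2008 16:29:58 -0500
From: "Alice" <alice@example.com>
Subject: hello

body
"""


class Hop(NamedTuple):
    claimed_from: str             # name the connecting host announced (sender-controlled)
    verified_host: Optional[str]  # reverse-DNS name the receiving MTA recorded
    ip: Optional[str]             # IP literal the receiving MTA recorded
    by: str                       # host that (claims it) wrote this Received line


RECEIVED_RE = re.compile(
    r"^from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?P<comment>[^)]*)\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value: str) -> Optional[Hop]:
    """Unfold one Received header value and pull out the from/by/rDNS/IP fields."""
    flat = " ".join(value.split())
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip_m = IP_RE.search(comment)
    # The rDNS name is the first comment token that is neither an IP literal
    # nor a key=value note such as helo=...
    verified = next((t for t in comment.split() if not t.startswith("[") and "=" not in t), None)
    return Hop(m.group("claimed"), verified, ip_m.group(1) if ip_m else None, m.group("by").rstrip(";,"))


def audit_received_chain(raw_message: str, trusted_mx: Set[str]) -> Tuple[str, str]:
    """Return (verdict, reason). Verdict is one of no-received, untrusted-top,
    direct, unverifiable, inconsistent, consistent."""
    msg = message_from_string(raw_message)
    hops: List[Hop] = [h for h in map(parse_hop, msg.get_all("Received") or []) if h]
    if not hops:
        return "no-received", "message carries no parseable Received header"
    top = hops[0]
    if top.by.lower() not in {t.lower() for t in trusted_mx}:
        return "untrusted-top", f"top Received line written by {top.by}, not by a trusted MX"
    if len(hops) == 1:
        return "direct", f"{top.ip or top.claimed_from} connected straight to {top.by}"
    if top.verified_host is None:
        return "unverifiable", "trusted hop records no reverse-DNS name; relay claim cannot be checked"
    below = hops[1]
    # The first sender-supplied line claims it was written by `below.by`. Our MX
    # recorded who really connected; a mismatch means that line is fiction.
    if below.by.lower() != top.verified_host.lower():
        return "inconsistent", (f"sender-supplied hop claims relay through {below.by}, but "
                                f"{top.by} actually received it from {top.verified_host} [{top.ip}]")
    return "consistent", f"relay chain matches: {below.by} handed to {top.by}"


if __name__ == "__main__":
    for label, text in (("forged", FORGED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, *audit_received_chain(text, TRUSTED_MX))
```

The design point is that the comparison never uses the HELO name (claimed_from), because the connecting host chooses it; only what your own MTA observed (reverse DNS and IP) is evidence. A parser that instead walks to the bottom-most Received line, or believes any line saying "by mail.example.com", is the "dumb" parser the forgery is aimed at.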