Outgoing SMTP Servers

Brian Dickson brian.peter.dickson at gmail.com
Tue Oct 25 18:05:00 UTC 2011


Owen wrote:

>On Oct 25, 2011, at 3:29 AM, <Valdis.Kletnieks at vt.edu> wrote:
>
>> On Tue, 25 Oct 2011 02:35:31 PDT, Owen DeLong said:
>>
>>> If they are using someone else's mail server for outbound, how, exactly do you control
>>> whether or not they use AUTH in the process?
>>
>> 1) You don't even really *care* if they do or not, because...
>>
>> 2) if some other site is running with an un-AUTHed open port 587, the miscreants will
>> find it and abuse it just like any other open mail relay. The community will
>> deal with it quick enough so you don't have to. And at that point, it's the
>> open mail relay's IP that ends up on the block lists, not your mail relay's IP.
>>
>But that applies to port 25 also, so, I'm not understanding the difference.
>
>> Other people running open port 587s tends to be quite self-correcting.
>>
>
>At this point, so do open port 25s.
>
>Owen

I'll try to explain with text stick-diagrams...

The players are:
G - good user
B - botnet host
I - ISP
O - open relay
S - mail-submission relay
V - victim SMTP/mailbox host

It's all about how port-25 traffic containing SPAM gets to machine
"V". (Or not, which is the preferred situation.)

Possible routes include:
B.25 -> (I allows 25) -> O -> V (classic open relay) [SPAM]
B.25 -> (I allows 25) -> V (new mode, and what William Herrin is
talking about) [SPAM]
B.587 -> (I !allow 25) -> V (but that makes no sense - how does B
authenticate to the victim? She doesn't!!) [BLOCKED]
B.587 -> (I !allow 25) -> S (ditto - not an open unauthenticated
relay, only allows authenticated relaying!!!) [BLOCKED]

Meanwhile, we have:
G.587 -> (I !allow 25) -> S.g.587/.25 (mail submission gateway for G)
-> V.25 [NOT-SPAM && NOT-BLOCKED]

S.g is either G's enterprise mail server, or G's home mail server, or
G's ISP themselves, or some other S to which G can authenticate.
S.g receives on 587, and sends on 25, and is a generally reputable
port-25 host (whatever that means).

So, basically, not blocking 587 and blocking 25 removes all the
avenues for direct botnet spam.
Authenticating botnet sources become trackable on auth-hosts, and easy
to shut down.

Is there some path not listed above that could allow a spammer (botnet
host) behind the ISP to send email, without having a relay host to
which it can authenticate, that I'm not seeing?

Brian




More information about the NANOG mailing list