port 25 blocking [Re: FW: The worst abuse e-mail ever, sverige.net]
Mikael Abrahamsson
swmike at swm.pp.se
Tue Sep 21 21:22:42 UTC 2004
On Tue, 21 Sep 2004, Douglas Otis wrote:
> As a prophylactic measure, Port 25 is blocked or transparently
> intercepted to monitor the network via error logs. For external mail
> submissions, Port 587 would be recommended.
>
> There is an overview of this at:
> http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt
We want to receive abuse email and act on them, doesn't matter if
customers are infected and sending spam or if they're infected and trying
to remote-exploit web-servers or windows computers or what have you. We've
been considering using netflow to detect end-users doing a lot of port 25
activity towards a lot of random destinations, I find this much more
net-friendly than to just block 25 and force them to use our smarthost
(also stops our smarthost from being blacklisted by some overzealous
blacklist-admins).
Starting to block just means you will have to block more and more all the
time. Port 135-139 and 445 will be practically unusable on the network for
a long time (some users complain about this).
I was under the impression that most blacklists would have a time-out
period when there was no more activity from this certain IP, it would be
removed from the blacklist. Is this not the case?
Also, having hundreds of blacklists as per your email seems like a very
silly idea? I can understand 3-5, but hundreds?
--
Mikael Abrahamsson email: swmike at swm.pp.se
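One way to implement the NetFlow heuristic mentioned above (end-users opening tcp/25 sessions to many distinct destinations), as an added example that is not code from the post or from any NANOG participant. The flow record layout, the threshold, and the sample records are all assumptions constructed for the example.

```python
"""Flag sources that fan out SMTP (tcp/25) connections to many distinct hosts.
Added example; record format "src,dst,proto,dport" and threshold are assumptions."""
from collections import defaultdict
from typing import Dict, Iterable, Set

# Constructed sample flows. 10.0.0.5 talks to many different mail servers
# (bot-like); 10.0.0.9 only uses one relay; 10.0.0.7 is ordinary web traffic.
SAMPLE_FLOWS = """\
10.0.0.5,198.51.100.10,6,25
10.0.0.5,198.51.100.11,6,25
10.0.0.5,203.0.113.7,6,25
10.0.0.5,203.0.113.8,6,25
10.0.0.5,192.0.2.20,6,25
10.0.0.9,192.0.2.1,6,25
10.0.0.9,192.0.2.1,6,25
10.0.0.9,192.0.2.1,6,25
10.0.0.7,203.0.113.50,6,443
10.0.0.7,203.0.113.51,6,443
10.0.0.7,203.0.113.52,6,443
"""


def smtp_fanout(flows: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each source address to the set of distinct hosts it reached on tcp/25."""
    fanout: Dict[str, Set[str]] = defaultdict(set)
    for line in flows:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split(",")
        if proto == "6" and dport == "25":  # TCP to the SMTP port only
            fanout[src].add(dst)
    return fanout


def suspicious_senders(flows: Iterable[str], threshold: int = 5,
                       known_mta: Iterable[str] = ()) -> list:
    """Sources whose distinct tcp/25 destination count reaches the threshold.
    Hosts in known_mta (customer mail servers that legitimately fan out) are
    skipped, since a raw count alone would also flag them."""
    exempt = set(known_mta)
    return sorted(src for src, dsts in smtp_fanout(flows).items()
                  if src not in exempt and len(dsts) >= threshold)


if __name__ == "__main__":
    counts = smtp_fanout(SAMPLE_FLOWS.splitlines())
    for src in suspicious_senders(SAMPLE_FLOWS.splitlines()):
        print(f"{src}: {len(counts[src])} distinct SMTP destinations")
```

Repeated connections to a single relay (10.0.0.9) never raise the count, which is what separates a user on the ISP smarthost from a host spraying mail directly.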