Port 25 filters - how many here deploy them bidirectionally?

Joe Rhett jrhett at meer.net
Wed Jan 12 00:41:14 UTC 2005


On Sun, Jan 09, 2005 at 07:55:17PM +0530, Suresh Ramasubramanian wrote:
> 1) SYN - Worm emails / spam goes out from another provider, with the
> source address spoofed to be the IP of a trojaned PC
> 
> 2) ACK - Receiving network sends an ACK back to the forged source IP,
> and the trojan on that IP proxies this back to the actual spam source.
> 
> 3) SYNACK - sent by the actual spam source to your network.
 
Only if you are only filtering SYNs.  If you block ALL port 25 traffic,
this won't work.

> Applying port 25 filters both ways (inbound and outbound to your
> dialup pool, instead of just outbound port 25 filtering) would help in
> such a situation.
 
Inbound 25 filtering has nothing to do with the situation listed above.

Or are you using inbound and outbound to refer to packet flow on the
interface rather than session flow?  Must be confusing Cisco terms with
actual networking again ;-)
  
-- 
Joe Rhett
Senior Geek
Meer.net
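
An added illustration, not part of the message above: a small model of stateless filters at the edge of a dialup pool, showing which packets of the quoted asymmetric flow each kind of port 25 filter matches. The addresses, policy names and relay port are constructed assumptions, and the flow is one reading of the three quoted steps.

```python
from dataclasses import dataclass

POOL = "192.0.2."  # constructed dialup pool prefix (documentation range)
PC, MX, SRC = "192.0.2.77", "198.51.100.25", "203.0.113.9"  # constructed hosts

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN+ACK, "A" = ACK, "PA" = data

def outbound(p):
    """True if the packet is leaving the pool (packet flow, not session flow)."""
    return p.src.startswith(POOL)

# Each policy returns True when the pool-edge filter drops the packet.
POLICIES = {
    "syn_only_out": lambda p: outbound(p) and p.dport == 25 and p.flags == "S",
    "session_in": lambda p: not outbound(p) and p.dport == 25 and p.flags == "S",
    "packet_in": lambda p: not outbound(p) and 25 in (p.sport, p.dport),
    "all_port25": lambda p: 25 in (p.sport, p.dport),
}

# Packets that cross the pool edge in each flow (constructed). In the
# asymmetric flow the forged SYN is sent from another provider and never
# crosses this edge; the relay port 8080 is an assumption.
FLOWS = {
    "direct": [Pkt(PC, 42000, MX, 25, "S"), Pkt(MX, 25, PC, 42000, "SA"),
               Pkt(PC, 42000, MX, 25, "A")],
    "asymmetric": [Pkt(MX, 25, PC, 40000, "SA"), Pkt(PC, 41000, SRC, 8080, "PA"),
                   Pkt(MX, 25, PC, 40000, "PA")],
}

def survives(policy, flow):
    """A flow survives only if the filter drops none of its packets."""
    return not any(POLICIES[policy](p) for p in FLOWS[flow])

def verdicts():
    return {(pol, fl): survives(pol, fl) for pol in POLICIES for fl in FLOWS}

if __name__ == "__main__":
    for (pol, fl), ok in verdicts().items():
        print(f"{pol:13} {fl:11} {'passes' if ok else 'blocked'}")
```

In this model "session_in" is inbound in the session sense (connections opened toward port 25 on pool hosts) and "packet_in" is inbound in the packet sense (any port 25 packet arriving at the pool), which is the distinction the reply raises.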


