Outbound mail filtering on large mail / web server farms - just an idea or two that I have

Michael Loftis mloftis at wgops.com
Sun Nov 20 18:28:29 UTC 2005




--On November 20, 2005 8:48:08 PM +0530 Suresh Ramasubramanian 
<ops.lists at gmail.com> wrote:

> I originally wrote this lot below as boilerplate for large webhosting
> providers that find themselves with several racks full of pizzabox
> colos running a web control panel like ensim or cpanel so that the
> people actually operating the colos may not have too much clue .. and
> these places are typically riddled with lots and lots of exploitable
> cgi / php scripts that are broken into and used to send spam using
> injection / xss etc holes ..
>
> Some of the ideas here might well apply to what I was talking about in
> this thread as well - the two kind of tie in together

I've considered a similar setup.  Requiring all mgd servers to always use 
their local mailers, then at the nearby edge, NATing all outbound SMTP port 
25 traffic to a set of mail relays set up to do greylisting, rate limiting, 
and possibly IDENT checks to make (reasonably more) sure that it's the mail 
server user talking and not some random software.

Note that I've done none of it...the idea's a bit insane, but, it would 
definitely make it easier to spot and treat the problems, the only big 
black eye here is AOL who would probably rate limit the outbound servers 
quite often, which they already do to our normal mail systems even when 
things are going well, again, because of forwards.  I'd imagine there's a 
way I could get just the (AOL) forwarded mail pushed to a separate machine 
with our current (older version) Postfix setup but I haven't actually 
looked into it.  We use SQL based tables for everything in order to make 
automation much simpler on our end.

I hope this all wasn't too non-operational, it seems relevant to me, so 
hopefully it's not noise.
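
As an added example that is not part of the original post: per-host rate limiting at the outbound relay that the NATed port 25 traffic lands on, which also yields the list of hosted servers worth inspecting. The record format, window, limit and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # assumed sliding window
MAX_RCPTS_PER_WINDOW = 5   # assumed per-host ceiling; tune per farm

# Constructed sample records: epoch seconds, hosted-server IP, recipient count.
# 192.0.2.x is a documentation range; the format is hypothetical, not a real MTA log.
SAMPLE_LOG = """\
1000 192.0.2.10 1
1005 192.0.2.11 1
1010 192.0.2.11 2
1020 192.0.2.11 2
1030 192.0.2.11 3
1090 192.0.2.10 1
1200 192.0.2.11 1
"""

def parse(log_text):
    """Yield (ts, src, rcpts) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), parts[1], int(parts[2])
        except ValueError:
            continue

def relay_decisions(records, window=WINDOW_SECONDS, limit=MAX_RCPTS_PER_WINDOW):
    """Return (ts, src, 'accept' | 'defer') for each submitted message."""
    # Deferred messages are not counted, so a host that backs off recovers.
    history = defaultdict(deque)   # src -> accepted (ts, rcpts) inside the window
    decisions = []
    for ts, src, rcpts in records:
        q = history[src]
        while q and q[0][0] <= ts - window:
            q.popleft()            # expire entries older than the window
        used = sum(n for _, n in q)
        if used + rcpts > limit:
            decisions.append((ts, src, "defer"))
        else:
            q.append((ts, rcpts))
            decisions.append((ts, src, "accept"))
    return decisions

def flagged_hosts(decisions):
    """Hosts that hit the limit at least once: candidates for a closer look."""
    return sorted({src for _, src, verdict in decisions if verdict == "defer"})
```
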


