Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
Leigh Porter
leigh.porter at ukbroadband.com
Mon Jun 18 16:49:02 UTC 2007
Suresh Ramasubramanian wrote:
>
> On 6/18/07, Jack Bates <jbates at brightok.net> wrote:
>
>> Joe also pointed out the biggest problem with blocking port 25; it
>> pushes the
>> abuse towards the smarthosts. This creates a lot of issues.
>> Smarthosts have to
>
> So .. great. You have a huge spam problem that flew under your radar
> as it was spread across multiple /24s or far larger netblocks, now
> concentrated within far fewer servers that are part of the same
> cluster. That kind of makes your job a bit easier then .. half full
> glass v/s half empty glass, and all that.
>
>> I'd rather monitor and filter traffic patterns on port 25 (and the
>> various other
>> ports that are also often spewing other things) than block it. It's
>> not unusual
>> to see tcp/25 spewing at the same time as udp/135 and tcp/445 or even
>> tcp/1025.
>
> [...]
>
> Which is what a lot of the kit Sean posted about does ..
>
> srs
We filter ALL udp/135 and tcp/445 or even tcp/1025 towards and from the
Internet. Port 25 is only allowed to go through the smarthosts and other
whitelisted mail servers.
We have never had any complaints about the 135/445/1025 blocking and
very few about the port25 stuff. Spambots are getting clever and they
now use configured SMTP relays in thunderbird/outlook etc so the mail
gateways get quite a bit of traffic. But we have lots of them
(Ironports) behind load balancers so theres little problem there.
--
Leigh Porter
UK Broadband
More information about the NANOG
mailing list