ingress SMTP

Mark Andrews marka at isc.org
Thu Sep 4 09:28:40 CDT 2008


In article <48BFE61F.8040509 at restontech.com> you write:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Robert Bonomi wrote:
>
>> One small data-point -- on a personal vanity domain, approximately 2/3 of 
>> all the spam (circa 15k junk emails/month) was 'direct to inbound MX' 
>> transmissions.  The vast majority of this is coming from end-user machines 
>> outside of North America. 
>
>This confirms the limited data I have. I configure my edge firewall (pf)
>to drop anything to/from the Spamhaus DROP list, as well as sendmail to
>use their XBL. The DROP list seems like it blocks mostly MX lookups
>(nice to see the blocking of mail start so early in the process!), so it
>is hard to say how many SMTP connections never happen (remote server/bot
>does not know where to connect). The XBL list, which is mostly
>residential IPs around the world, seems to be the single most effective
>technique in blocking incoming traffic-- on port 25. Obviously, these
>connections are coming from ISPs that do *not* block egress TCP 25.

	You do realise that there a mail clients that check MX
	records *before* submitting email (or before on sending the
	email) so that typos get detected in the client before any
	email is sent from the client.

	But you would never see those false positives.  I know they
	exist because I've experienced them because I work from
	home and even though I tunnel email out via the office
	servers I prefer the typos to be caught locally.

	I doubt this will change your mind but it might stop someone
	else from making a bad decision to do what you are doing.

	Mark

>Slightly off topic-- I found it quite easy to configure the DROP list to
>work with pf (or is that the other way around?). I would be happy to
>share the small Perl script that updates the pf table. When I configured
>the DROP list on a free public wireless system I maintain, I was amazed
>at how much egress traffic it blocked-- obviously rogue/bad/evil
>webservers, IRC hosts, etc.
>
>I wonder if anyone else is using it that way?
>
>...
>alec
>
>- --
>`____________
>/ Alec Berry \______________________________
>| Senior Partner and Director of Technology \
>| PGP/GPG key 0xE8E9030F                    |
>| http://alec.restontech.com/#PGP           |
>|-------------------------------------------|
>|             RestonTech, Ltd.              |
>|        http://www.restontech.com/         |
>|          Phone: (703) 234-2914            |
>\___________________________________________/
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.2 (MingW32)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQFIv+YdREO1P+jpAw8RAnWzAKDxOmneR6j6DBVyo5/CO1wRYngorQCgo9SJ
>sArBQqQStX7zIuYK3qo1El0=
>=C2FM
>-----END PGP SIGNATURE-----
>






More information about the NANOG mailing list