Breaking the internet (hotels, guestnet style)
andrew at accessplus.com.au
Mon Dec 7 19:44:01 CST 2009
Suresh Ramasubramanian wrote:
> You could just firewall off port 25 and leave 587 open - to save
> yourself from a bunch of viruses and such.
> A lot of people will use webmail anyway - from a hotel. And you avoid
> getting blacklisted
The problem with doing that is that users don't understand it. All they
know is that "it doesn't work here and it does at home".
We currently redirect to a couple of dedicated mail relays that will
accept any email where:
a) the source address = the email address they put on their signup
b) is not detected as spam
Alternatively there's a throttling table and spam filter on everything
else that comes through.
> The other option is to install a device that examines email flows and
> allows only stuff it doesn't think is spammy (netflow for email kind
> of, with all the bayesian etc secret sauce).
> Two devices come to mind
> * Symantec E160 (used to be called turntide, and before that, back in
> 2002-03, spam squelcher)
> * Mailchannels (www.mailchannels.com)
> There's probably a few more that do this and are totally transparent.
We can also just force the box to accept any unsecured auth-attempts
however the SMTPS over port 25 is still a problem.
Don't see how any system could examine that mail without causing
Allowing it to pass to the original server based on the first packet
being detected as a secure connection may be possible though.
> On Tue, Dec 8, 2009 at 6:54 AM, Andrew Cox <andrew at accessplus.com.au> wrote:
>> I would be interested to hear what people have to say about this, as the
>> only other option I could think of would involve checking the incoming
>> connection to see if the end user was trying to authenticate to a mail
>> server before determining where to forward the connection onto (Layer 7
>> stuff, gets a bit tricky)
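
Added example, not part of the original thread or of any poster's setup: a sketch of the first-packet check discussed above, deciding whether an intercepted port 25 connection is implicit TLS (pass to the original server) or plain SMTP (redirect to the relay). It assumes the gateway peeks at the client's first bytes with a short timeout before answering; the function names, route labels and sample bytes are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16     # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
SMTP_VERBS = (b"EHLO", b"HELO", b"MAIL", b"RCPT", b"DATA", b"AUTH",
              b"STARTTLS", b"RSET", b"NOOP", b"QUIT", b"VRFY")

# Constructed samples: start of a TLS ClientHello record, and a plain SMTP greeting.
SAMPLE_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03])
SAMPLE_EHLO = b"EHLO laptop.example\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Classify what the client sent before the gateway has said anything.

    Returns 'silent', 'tls', 'smtp' or 'unknown'.
    """
    if not data:
        # In plain SMTP the server speaks first (220 greeting), so a client
        # that sends nothing within the peek timeout is waiting for a banner.
        return "silent"
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        # Record header: type(1) major(1) minor(1) length(2), then handshake type.
        minor, length = struct.unpack("!BH", data[2:5])
        if minor <= 0x04 and 4 <= length <= 16384 and data[5] == TLS_CLIENT_HELLO:
            return "tls"
    # SSLv2-format hellos (high bit set in the first byte) are not matched here.
    first_word = data.split(b" ", 1)[0].split(b"\r", 1)[0].upper()
    if first_word in SMTP_VERBS:
        return "smtp"
    return "unknown"


def route(data: bytes) -> str:
    """Assumed policy: only a recognised TLS hello bypasses the relay."""
    if classify_first_bytes(data) == "tls":
        return "original-server"  # opaque to the gateway, cannot be filtered
    return "relay"                # plain SMTP, silence or junk goes to the relay


if __name__ == "__main__":
    for sample in (SAMPLE_CLIENT_HELLO, SAMPLE_EHLO, b""):
        print(classify_first_bytes(sample), "->", route(sample))
```

A connection that starts in plaintext and later upgrades with STARTTLS classifies as 'smtp' or 'silent' here, so it reaches the relay rather than the original server.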