Breaking the internet (hotels, guestnet style)

Andrew Cox andrew at accessplus.com.au
Mon Dec 7 19:44:01 CST 2009


Suresh Ramasubramanian wrote:
> You could just firewall off port 25 and leave 587 open - to save
> yourself from a bunch of viruses and such.
> A lot of people will use webmail anyway - from a hotel.  And you avoid
> getting blacklisted
>   
The problem with doing that is that users don't understand it. All they 
know is that "it doesn't work here and it does at home".

We currently redirect to a couple of dedicated mail relays that will 
accept any email where:
a) the source address = the email address the put on their signup
and
b) is not detected as spam

Alternatively there's a throttling table and spam filter on everything 
else that comes through.

> The other option is to install a device that examines email flows and
> allows only stuff it doesnt think is spammy (netflow for email kind
> of, with all the bayesian etc secret sauce).
> Two devices come to mind
>
> * Symantec E160 (used to be called turntide, and before that, back in
> 2002-03, spam squelcher)
> * Mailchannels (www.mailchannels.com)
>
> There's probably a few more that do this and are totally transparent.
>   
We can also just force the box to accept any unsecured auth-attempts 
however the SMTPS over port 25 is still a problem.
Don't see how any system could examine that mail without causing 
certificate errors.
Allowing it to pass to the original server based on the first packet 
being detected as a secure connection may be possible thou.
> On Tue, Dec 8, 2009 at 6:54 AM, Andrew Cox <andrew at accessplus.com.au> wrote:
>   
>> I would be interested to hear what people have to say about this, as the
>> only other option I could think of would involve checking the incoming
>> connection to see if the end user was trying to authenticate to a mail
>> server before determining where to forward the connection onto (Layer 7
>> stuff, gets a bit tricky)
>>     
>
>
>
>   




More information about the NANOG mailing list