ISP port blocking practice

Butch Evans butche at
Fri Sep 3 16:10:09 UTC 2010

On Thu, 2010-09-02 at 23:08 -0500, Jack Bates wrote: 
> He's right though. tcp/25 blocks are a hack. Easy man's way out. 

Also, this can be a little problematic for end users.

> Honestly, it'd be nicer if edge or even core systems could easily handle 
> higher level filtering for things like this. There's plenty of systems 
> that watch traffic patterns and issue blocks based on those patterns.

I am not an ISP, but provide consulting services to ISPs.  My approach
to this problem is somewhat more dynamic than simple blocking of
outbound port 25.  Bear in mind, that I don't do much consulting for
companies that are transport for other ISPs (though I have a few of
those type clients).  My approach is quite simple, but has been pretty
effective for those clients that are using it:

* Watch for outbound mail checking traffic (TCP/110, TCP/143, etc.) and
capture the server IPs these users are talking to

* Permit outbound SMTP coming FROM known mail servers inside the network

* Permit inbound SMTP going TO known mail servers inside the network

* Permit outbound SMTP going TO mail servers that our end users use to
CHECK their mail

* Log the IP of the end users trying to send outbound email via a server
that is NOT on the above list. 

* Deny all other outbound SMTP

This method is nearly 100% effective in eliminating spam bots that are
currently the most common type.  These spam bots originate SMTP
connections direct to the MX for the list they are sending mail to.
This method is relatively problem-free for the ISP once it is set up.

* Butch Evans                   * Professional Network Consultation *
*                               * Network Engineering               *
*                               * Wired or Wireless Networks        *
*                               * ImageStream, Mikrotik and MORE!   *
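Editor's added example (not from the post above or from any of the products it names): a small simulation of the six-step dynamic outbound-SMTP policy, evaluated over constructed flow records. The prefix, server addresses, flow list and the names OutboundSmtpPolicy and process are all assumptions; a real deployment would drive the router's address lists from the same observe/decide logic.

```python
import ipaddress

CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed: the ISP's end-user prefix
KNOWN_MAIL_SERVERS = {"192.0.2.25"}                    # constructed: the ISP's own MTA
MAIL_CHECK_PORTS = {110, 143, 993, 995}                # POP3/IMAP, plain and TLS

# Constructed flow records: (src_ip, dst_ip, dst_port), in arrival order
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 110),  # user checks mail at an outside provider
    ("192.0.2.10", "198.51.100.5", 25),   # same user later submits mail there
    ("192.0.2.25", "203.0.113.7", 25),    # our MTA delivering outbound mail
    ("203.0.113.7", "192.0.2.25", 25),    # remote MTA delivering to our MX
    ("192.0.2.77", "203.0.113.9", 25),    # customer host talking straight to a foreign MX
    ("192.0.2.77", "203.0.113.9", 80),    # ordinary web traffic, outside the policy
]

class OutboundSmtpPolicy:
    def __init__(self):
        self.learned = set()   # mail servers customers have been seen checking
        self.logged = []       # customer IPs that tried SMTP to an unknown server

    def observe(self, src, dst, dport):
        # Step 1: learn mail servers from customers' POP/IMAP connections
        if ipaddress.ip_address(src) in CUSTOMER_NET and dport in MAIL_CHECK_PORTS:
            self.learned.add(dst)

    def decide(self, src, dst, dport):
        if dport != 25:
            return "pass"                 # the policy only concerns SMTP
        outbound = ipaddress.ip_address(src) in CUSTOMER_NET
        if src in KNOWN_MAIL_SERVERS:
            return "permit"               # outbound FROM a known internal mail server
        if dst in KNOWN_MAIL_SERVERS:
            return "permit"               # inbound TO a known internal mail server
        if outbound and dst in self.learned:
            return "permit"               # TO a server this network's users check mail on
        if outbound:
            self.logged.append(src)       # log the user IP, then deny all other outbound SMTP
            return "deny"
        return "pass"                     # inbound SMTP to other hosts: not covered by the post

def process(flows, policy=None):
    """Feed flows through the policy in order; return one verdict per flow and the policy state."""
    policy = policy or OutboundSmtpPolicy()
    verdicts = []
    for src, dst, dport in flows:
        policy.observe(src, dst, dport)   # learning happens before the decision
        verdicts.append(policy.decide(src, dst, dport))
    return verdicts, policy
```

Order matters: the user's POP3 connection in the first flow is what makes the SMTP connection in the second flow permitted, while the host in the fifth flow, which never checked mail anywhere, is logged and denied.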
