quietly....

George Bonser gbonser at seven.com
Fri Feb 4 21:25:51 CST 2011


> 
> Yeah, I threw it in as an afterthought. ISP firewalls do exist and not
> just small isolated incidents. I wish more money had gone into making
> them much more adaptive, then you could enjoy your tcp/25 and possibly
> not have a problem unless your traffic patterns drew concerns and
> caused
> an adaptive filter to block it (eh? thousands of emails suddenly to a
> variety of servers? block). Interestingly, adaptive filters are often
> used for probing scans (and we didn't apply them to tcp/25, why?)
> 
> 
> Jack

Maybe because it is just easier to do a transparent redirect to the ISPs
mail server and look for patterns there.  Some customer drops a
bazillion email messages from a bazillion From: addresses in 14.7
seconds ... chances are you have a spam candidate.  If the spam filter
flags a lot (all?) of the messages as possible spam, queue them to the
quarantine until someone can have a look and if they are, dismiss the
customer and send them up the road OR inform them that they are possibly
bot-net infected and block access to port 25 from them until they get it
cleaned up.






More information about the NANOG mailing list