Outgoing SMTP Servers

Jack Bates jbates at brightok.net
Mon Oct 31 18:32:00 UTC 2011

On 10/31/2011 11:48 AM, Michael Thomas wrote:
> I've often wondered the same thing as to what the resistance is to outbound
> filtering is. I can think of a few possibilities:
> 1) cost of filtering
> 2) false positives
> 3) really _not_ wanting to know about abuse

On the other hand, you have

1) cost of tracking
2) support costs handling infections

It's really an range from "easiest and cost effective" to "doing it 
right". I personally run hybrid. There are areas that are near 
impossible to track; this is especially true for wide area 
wireless/cellular/NAT areas. I always recommend my customers block 
tcp/25, even to the local smarthosts. Use 587 and authentication to 
support better tracking. It's a hack, though, as it doesn't stop other 
abuses and it won't fix the underlying root cause.

In locations that support ease of tracking, using a mixture of feedback 
loops with proper support is usually the proper way. This allows 
notification and fixing of the root cause. In our case, we recommend 
quick suspensions to demonstrate to customer how seriously we take the 
problem, and then we point out that the sending of spam/scanning is only 
the easier to detect symptoms. It is unlikely we'll notice if they have 
a keylogger as well.

Finally, when architecture allows it, dynamic profiles with ACL support 
allowing a default of tcp/25 blocked, and easy to find and click removal 
of an account from tcp/25 blocking, combined with ACL monitoring, 
flagging, and notification by support staff is probably the ultimate in 
ideal scenarios. Combined with a % of traffic mirrored into a tunnel to 
an IDS which monitors for things such as network scanning or known 
signatures outbound, it makes for a very effective mechanism to assist 
customers in protecting themselves.

I'm personally curious how much traffic is necessary to mirror to 
properly detect problems. ie, can you get away with 1% or less (GE for 
each 100GE-200GE of traffic) or if you must cover as much as 10%+. My 
traffic load is small enough that it doesn't matter, but it's always 
nice to know how well something might scale.


More information about the NANOG mailing list