Blocking MX query

William Herrin bill at herrin.us
Tue Sep 4 19:07:11 UTC 2012


On Tue, Sep 4, 2012 at 11:57 AM, Jay Ashworth <jra at baylink.com> wrote:
>> What sort of an mta do you run on your laptop that doesn't support smtp
>> auth?
>
> SMTP Auth to *arbitrary remote domains' MX servers*?  Am I missing something,
> or are you?

You are. You should be doing SMTP Auth to *your* email server on which
you have an authorized account and then letting it relay your messages
to the world.


>> Okay, fair enough. There are no good users *expecting* to send email
>> direct to a remote port 25 from behind a NAT. There are some good
>> users who occasionally run slightly sloppy configurations which might
>> attempt spurious port 25 connections.
>
> I do, in fact, expect that.  You're alleging that's a bad practice.

Yes, I am. Here are a few others.


http://security.comcast.net/get-help/spam.aspx

"Port 25 Blocking

    Port 25 is conduit on a computer that spammers can take control of
and use to send their spam - often without the user ever knowing
his/her computer has been "hijacked". Comcast works with our customers
to block access to Port 25 and protect their PC.
    Comcast recommends that our customers establish a more secure
email configuration on their PC - Port 587 - We have made it easy by
creating a one-click fix that automatically configures your computers
to this safer PC configuration."


http://qwest.centurylink.com/internethelp/email-troubleshooting-port25.html

"CenturyLink filters port 25 to reduce the spread of email viruses and
spam (unsolicited email). Filtering port 25 has become the industry
standard to reduce the spread of email viruses and spam. These email
viruses allow malicious software to control infected computers. These
viruses direct the infected machines to send email viruses and spam
through port 25. "


http://cbl.abuseat.org/nat.html

"The simplest and most effective way to stop this is to configure your
NAT to prohibit connections to the Internet on port 25 except from
real mail servers. Not only does this stop all of these viruses and
spams dead in their tracks, the NAT logs will immediately tell you the
LAN address of the infected machine. "


http://tools.ietf.org/html/rfc5068

"A proactive technique used by some providers is to block all use of
port 25 SMTP for mail that is being sent outbound, or to
automatically redirect this traffic through a local SMTP proxy,
except for hosts that are explicitly authorized."


http://www.microsoft.com/security/sir/strategy/default.aspx#!section_2_4

"Block access to port 25 from all hosts on your network other than
those you explicitly authorize to perform SMTP relay functions."



Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
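The policy all five sources above describe, as an added example that is not part of Bill's post or of any of the cited pages: an edge/NAT firewall that permits outbound TCP/25 only from the one authorized mail relay, logs and resets every other LAN host's attempt, and a small parser that reads those log lines back to name the infected machine (the point the CBL page makes about NAT logs). Submission on TCP/587 is left untouched, which is where a laptop should be authenticating to its own server. The LAN range, relay address, interface name, log prefix and the sample log lines are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): block outbound TCP/25 from every
# LAN host except an explicitly authorized mail relay, log the LAN source of
# each blocked attempt, and summarise those logs to find the infected host.
# Addresses, interface name and log prefix are assumptions for illustration.

LAN_NET="192.168.1.0/24"     # assumed LAN behind the NAT
MAIL_RELAY="192.168.1.25"    # assumed authorized outbound MTA
LAN_IF="eth1"                # assumed inside interface
LOG_PREFIX="SMTP25-BLOCK"    # assumed tag written into the kernel log

# Emit an nftables ruleset for the forward path.  Only TCP/25 is touched:
# submission (TCP/587) stays open, so laptops can authenticate to their own
# mail server and let it relay for them.
make_ruleset() {
    cat <<EOF
table inet edge {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # the one host allowed to talk SMTP to the world
        iifname "$LAN_IF" ip saddr $MAIL_RELAY tcp dport 25 accept
        # everyone else on the LAN: log the source, then reset the connection
        iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 25 log prefix "$LOG_PREFIX " reject with tcp reset
    }
}
EOF
}

# Summarise blocked attempts from kernel log lines on stdin: one line per LAN
# source ("<ip> <count>"), busiest first.  Lines without our prefix, or whose
# destination port is not 25, are ignored.
blocked_sources() {
    awk -v pfx="$LOG_PREFIX" '
        index($0, pfx) == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt == "25") count[src]++
        }
        END { for (s in count) print s, count[s] }
    ' | sort -k2,2nr -k1,1
}

# Constructed kernel log lines in the netfilter LOG format (not real captures).
SAMPLE_LOG='Sep  4 19:07:11 gw kernel: SMTP25-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=25 SYN
Sep  4 19:07:12 gw kernel: SMTP25-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=25 SYN
Sep  4 19:07:13 gw kernel: SMTP25-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=25 SYN
Sep  4 19:07:14 gw kernel: OTHER-RULE IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=80 SYN'

# Stand-alone run: show the ruleset, then the per-host summary of the sample.
make_ruleset
printf '%s\n' "$SAMPLE_LOG" | blocked_sources
```

Load the ruleset with `nft -f` on the gateway and feed `blocked_sources` from the kernel log (journalctl -k, or /var/log/kern.log) to get the LAN address of whatever is trying to reach remote MXes directly; a host that is not the relay and shows up repeatedly is the box to pull off the network.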