North American Network Operators Group


Port 25 filters - how many here deploy them bidirectionally?

  • From: Suresh Ramasubramanian
  • Date: Sun Jan 09 09:26:26 2005

.. and if it has been tried, have you noticed any issues with this?

Please consider the situation of net abuse with the source address
being an infected PC on a dialup pool that has port 25 filtering
enabled.

This sequence below is summarized from a post by an ISP admin on
another list that I read.

1) SYN - Worm emails / spam goes out from another provider, with the
source address spoofed to be the IP of a trojaned PC

2) ACK - Receiving network sends an ACK back to the forged source IP,
and the trojan on that IP proxies this back to the actual spam source.

3) SYNACK - sent by the actual spam source to your network.

Applying port 25 filters both ways (inbound and outbound to your
dialup pool, instead of just outbound port 25 filtering) would help in
such a situation.

So, a quick poll .. how many ISPs here have noticed this behavior, and
applied bidirectional filters?  And if they've applied port 25 filters
bidirectionally, have they noticed any problems with this setup?

This ISP's post is only the second I've seen noting such behavior in a
few months, the first being a nanog post in Aug 2004 by Hank
Nussbacher - http://www.cctec.com/maillists/nanog/current/msg03171.html

Two posts about this in several months - but still, enough of a trend
for me to wonder how widespread this behavior is.

--srs

-- 
Suresh Ramasubramanian ([email protected])
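The filtering difference the post asks about, as an added example that is not part of the original post or of any ISP's configuration: a small Python model of a pool-edge packet filter that evaluates an outbound-only rule set and a bidirectional rule set over the packet sequence described above. The pool prefix, the addresses (RFC 5737 documentation ranges), the rule shapes, the port numbers and the packet contents are all constructed assumptions for this illustration.

```python
"""Outbound-only vs bidirectional TCP/25 filtering at a dialup pool's edge.

Added example, not code from the original post. Addresses are constructed
from RFC 5737 documentation ranges; the pool prefix, rule shapes and packet
sequence are assumptions made for this illustration.
"""
from dataclasses import dataclass
import ipaddress

# Assumed dialup pool prefix (constructed).
POOL = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str      # source address in the IP header (may be forged)
    sport: int
    dst: str
    dport: int
    flags: str
    origin: str   # network the packet really came from: "pool", "spammer" or "mx"


def direction(pkt: Packet) -> str:
    """How the pool's edge router sees the packet, if it sees it at all."""
    if pkt.origin == "pool":
        return "out"                                   # leaving the pool
    if ipaddress.ip_address(pkt.dst) in POOL:
        return "in"                                    # entering the pool
    return "not_seen"   # e.g. a spoofed packet sent from another provider


# A rule is (direction, header field, port); any match drops the packet.
OUTBOUND_ONLY = (("out", "dport", 25),)
BIDIRECTIONAL = (
    ("out", "dport", 25),   # pool host -> remote MTA
    ("in", "dport", 25),    # remote host -> MTA inside the pool
    ("in", "sport", 25),    # remote MTA's reply (SYN-ACK etc.) into the pool
)


def dropped(pkt: Packet, rules) -> bool:
    """True if any rule in the set matches the packet as the edge sees it."""
    d = direction(pkt)
    return any(d == rd and getattr(pkt, field) == port for rd, field, port in rules)


# Actors (constructed): SPAMMER sends from another provider, PC is the trojaned
# pool host whose address is forged, MX is the receiving network's mail server.
SPAMMER, PC, MX = "203.0.113.7", "192.0.2.45", "198.51.100.10"

SEQUENCE = {
    # Spammer's SYN to the MX with PC's address forged as source. It leaves the
    # spammer's provider, not the pool, so the pool's filter never sees it.
    "spoofed_syn": Packet(PC, 40000, MX, 25, "SYN", origin="spammer"),
    # MX answers the forged source: it arrives at the pool from source port 25.
    "reply_to_pc": Packet(MX, 25, PC, 40000, "SYN-ACK", origin="mx"),
    # Trojan relays what it received to the real spam source on a non-25 port.
    "proxied_to_spammer": Packet(PC, 40001, SPAMMER, 8080, "PSH-ACK", origin="pool"),
    # For comparison: the same PC sending spam directly to the MX.
    "direct_spam": Packet(PC, 40002, MX, 25, "SYN", origin="pool"),
    # And ordinary traffic: a web server's reply to a pool user's request.
    "web_reply": Packet(MX, 80, PC, 40003, "SYN-ACK", origin="mx"),
}


def evaluate(rules) -> dict:
    """Map each packet name to True if the pool-edge filter drops it."""
    return {name: dropped(pkt, rules) for name, pkt in SEQUENCE.items()}


if __name__ == "__main__":
    for label, rules in (("outbound-only", OUTBOUND_ONLY),
                         ("bidirectional", BIDIRECTIONAL)):
        print(f"{label:14s}", evaluate(rules))
```

Running it shows the asymmetry: the forged SYN never crosses the pool's edge, so no pool-side rule can stop it, and the outbound-only set catches only the PC sending spam itself. The bidirectional set additionally drops the receiving MX's reply coming back from source port 25, which is the packet the post describes the trojan proxying onward. The cost is the inbound dport 25 rule, which also blocks any MTA a pool host might legitimately run; the inbound sport 25 rule is mostly free once outbound dport 25 is already blocked, since pool hosts cannot have opened the connections such replies would belong to.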