Re: Misguided SPAM Filtering techniques

  • From: Nathan Ward
  • Date: Sun Oct 21 02:58:55 2007

On 21/10/2007, at 7:22 PM, Adrian Chadd wrote:
> On Sun, Oct 21, 2007, Nathan Ward wrote:
>> Blocking 25/TCP is acceptable, blocking 587/TCP is not - it is
>> designed for mail submission to an MSA, so serves little use for
>> spam, save when a spammer has detected an open mail relay listening
>> on 587/TCP, or someone has (mis)configured port 587 to allow
>> submission to locally hosted domains from remote hosts without
>> authentication. I'd be /very/ surprised if the networks in question
>> received sufficient complaints from (clueless) mail admins, who were
>> being spammed via one of these techniques.
>
> Or people's machines are now being infected by malware which checks for login credentials or uses the existing mail client via various inter-process communication techniques; re-using said login credentials to talk to authenticated SMTP servers.

If you force people to use your MSAs, the malware will get those details, too.

With that in mind, the only semi-reasonable solution I can see is limiting the number of new connections/min heading out to these ports. If your hardware can DNAT and/or filter based on L4 info (port), then it can probably limit the number of packets to a certain port with the SYN flag set.
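As an added illustration of the per-source SYN rate limit suggested above (this is not code from the thread or from any of the participants), the shell script below emits a Linux iptables rule set that counts only outbound SYN packets to the mail ports from each customer source address, lets a modest burst through, and then logs and drops further new connections once a host exceeds the sustained rate. The chain name, the interface name, the default thresholds and the port list are all assumptions chosen for the example; real values depend on the access network.

```shell
#!/bin/sh
# Added example: rate-limit new outbound SMTP connections per customer IP.
# Chain name, WAN interface, rate, burst and port list are assumptions.

# Print the iptables commands. Arguments: sustained rate per source
# (hashlimit syntax, e.g. 10/min), burst size in connections, and the
# comma-separated destination ports to watch.
smtp_syn_limit_rules() {
    rate="${1:-10/min}"       # assumed: ten new mail connections per minute per host
    burst="${2:-20}"          # assumed: allow a short burst before limiting starts
    ports="${3:-25,587,465}"  # submission and relay ports; 465 added as an assumption
    wan_if="${WAN_IF:-eth0}"  # assumed upstream-facing interface

    cat <<EOF
iptables -N SMTP_SYN_LIMIT
iptables -A FORWARD -o ${wan_if} -p tcp -m multiport --dports ${ports} --syn -j SMTP_SYN_LIMIT
iptables -A SMTP_SYN_LIMIT -m hashlimit --hashlimit-name smtp_syn --hashlimit-mode srcip --hashlimit-upto ${rate} --hashlimit-burst ${burst} -j RETURN
iptables -A SMTP_SYN_LIMIT -m limit --limit 1/min -j LOG --log-prefix "SMTP-SYN-LIMIT: "
iptables -A SMTP_SYN_LIMIT -j DROP
EOF
}

# Count how many iptables commands the generator produced (used as a
# sanity check before applying on a live box).
smtp_syn_limit_rule_count() {
    smtp_syn_limit_rules "$@" | grep -c '^iptables'
}

# "show" (default) prints the rules; "apply" feeds them to the shell.
case "${1:-show}" in
    show)  smtp_syn_limit_rules "$2" "$3" "$4" ;;
    apply) smtp_syn_limit_rules "$2" "$3" "$4" | sh -e ;;
esac
```

Only SYN packets are matched, so established sessions and the replies coming back are never counted; a mail client polling several accounts stays inside the burst, while a host opening hundreds of connections a minute is cut off after the burst and shows up in the log with the `SMTP-SYN-LIMIT:` prefix for the abuse desk to follow up. Because the limit is keyed on the source address and applies to every destination, it does not depend on funnelling customers through the provider's own MSAs.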

Nathan Ward