North American Network Operators Group
Re: Misguided SPAM Filtering techniques
On 21/10/2007, at 7:22 PM, Adrian Chadd wrote:
On Sun, Oct 21, 2007, Nathan Ward wrote:
Blocking 25/TCP is acceptable, blocking 587/TCP is not - it is designed for mail submission to an MSA, so serves little use for spam, save when a spammer has detected an open mail relay listening on 587/TCP, or someone has (mis)configured port 587 to allow submission to locally hosted domains from remote hosts without authentication. I'd be /very/ surprised if the networks in question received sufficient complaints from (clueless) mail admins, who were being spammed via one of these techniques.
If you force people to use your MSAs, the malware will get those details, too.
With that in mind, the only semi-reasonable solution I can see is limiting the number of new connections/min heading out to these ports. If your hardware can DNAT and/or filter based on L4 info (port), then it can probably limit the number of packets to a certain port with the SYN flag set.
-- Nathan Ward
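
The rate limit on new connections proposed in the message above, modelled as an added example that is not part of the original post: a per-source sliding-window counter over initial SYNs to ports 25 and 587. The threshold of 5 per minute, the per-source keying, the addresses and the sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SMTP_PORTS = {25, 587}      # relay and submission ports named in the thread
LIMIT = 5                   # assumed threshold: new connections per window
WINDOW = 60.0               # window length in seconds
SYN, ACK = 0x02, 0x10       # TCP flag bits

def filter_packets(packets, limit=LIMIT, window=WINDOW):
    """Return [(packet, verdict)] where verdict is 'pass' or 'drop'.

    Only initial SYNs (SYN set, ACK clear) to SMTP_PORTS are counted, per
    source address, in a sliding window. Everything else passes untouched.
    """
    recent = defaultdict(deque)   # src -> timestamps of accepted SYNs
    out = []
    for pkt in packets:
        ts, src, dport, flags = pkt
        is_new_conn = (flags & SYN) and not (flags & ACK)
        if dport not in SMTP_PORTS or not is_new_conn:
            out.append((pkt, "pass"))
            continue
        q = recent[src]
        while q and ts - q[0] >= window:   # expire SYNs older than the window
            q.popleft()
        if len(q) < limit:
            q.append(ts)
            out.append((pkt, "pass"))
        else:
            out.append((pkt, "drop"))
    return out

def sample_traffic():
    """Constructed sample: (timestamp_s, source, dest_port, tcp_flags)."""
    pkts = []
    # Desktop mail client: three submissions to 587 over ten minutes.
    pkts += [(t, "10.0.0.5", 587, SYN) for t in (0.0, 200.0, 590.0)]
    # Infected host: 40 new connections to port 25 in 20 seconds.
    pkts += [(100.0 + i * 0.5, "10.0.0.9", 25, SYN) for i in range(40)]
    # Same host, established-flow segment and web traffic: never counted.
    pkts += [(101.0, "10.0.0.9", 25, ACK), (102.0, "10.0.0.9", 443, SYN)]
    return sorted(pkts)

def summarize(results):
    """Count pass/drop verdicts per source address."""
    counts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for (ts, src, dport, flags), verdict in results:
        counts[src][verdict] += 1
    return {src: dict(v) for src, v in counts.items()}

if __name__ == "__main__":
    print(summarize(filter_packets(sample_traffic())))
```

The limit applies equally to 587, so it still caps a host whose stolen MSA credentials are being used, while the ordinary client's occasional submissions never reach the threshold.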