North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Customer-facing ACLs

  • From: Frank Bulk
  • Date: Fri Mar 07 17:21:33 2008

Same concerns here.  Glad to know we're not alone.

I think a transition to blocking outbound SMTP (except for one's own e-mail
servers) would benefit from an education campaign, but perhaps the pain
level is small enough that it can implemented without.  One could start
doing a subnet block a day to keep the helpdesk people sane, and then apply
a global block at the edge once "done" to catch any subnets that one might
have missed.

Frank

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Kameron Gasso
Sent: Friday, March 07, 2008 2:44 PM
To: Justin M. Streiner
Cc: NANOG
Subject: Re: Customer-facing ACLs


Justin M. Streiner wrote:
> I do recall weighing the merits of extending that to drop outbound SMTP
> to exerything except our mail farm, but it wasn't deployed because there
> was a geat deal a fear of customer backlash and that it would drive more
> calls into the call center.

This seems to be very common practice these days for larger ISPs/dialup
aggregators using the appropriate RADIUS attributes on supported access
servers.

We generally restrict outbound SMTP on our dial-up users so they may
only reach our hosts (or the mail hosts of our wholesale customers).
Our DSL subscribers, both dynamic and static, are currently unfiltered
-- but we're very quick to react to abuse incidents and apply filters
when necessary until the user cleans up their network.

I'm currently on the fence with regards to filtering SMTP for all of our
dynamic DSL folks.  It'd be nice to prevent abuse before it happens, but
it's a matter of finding the time to integrate the filtering into our
wholesale backend and making sure there aren't any unforeseen issues.

-- Kameron