North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ingress SMTP

  • From: Robert Bonomi
  • Date: Wed Sep 03 17:41:39 2008

> From [email protected]  Wed Sep  3 11:58:37 2008
> From: Alec Berry <[email protected]>
> Subject: Re: ingress SMTP
>
> Michael Thomas wrote:
> > I think this all vastly underrates the agility of the bad guys. So
> > lots of ISP's have blocked port 25. Has it made any appreciable
> > difference? Not that I can tell. If you block port 25, they'll just
> > use another port and a relay if necessary.
>
> I'm pretty sure it has, although without aggregate stats from various
> ISPs it is hard to tell. Since mail transport is exclusively on port 25
> (as opposed to mail submission), a bot cannot just hop to another port.


One small data-point -- on a personal vanity domain, approximately 2/3 of 
all the spam (circa 15k junk emails/month) was 'direct to inbound MX' 
transmissions.  The vast majority of this is coming from end-user machines 
outside of North America.  China, India Thailand, Brazil, Poland, "CZ", and 
a couple of providers each in Germany and France, appear to be the most 
prevalent sources _I_ see.

The message count would be a fair bit higher, but I have several overseas
networks  (4 in DE, 2 in TW, 1 in CZ) plus pieces of 2 domestic networks
(*da.uu.net, *pub-ip.psi.net) blocked at the firewall.  Also firewalled are
a  couple of dozen IP addresses that have -each- made over 10k attempts
to _relay_ mail through me.


I'm seeing a significant amount of 'Received' header forgery, apparently
intended to fool "dumb" header parsers into believing the direct-to-MX
transmission _did_ go through the server associated with the domain used
in the '"from: ", "from ", and "Reply-to: " lines.  The good news is that
only a _really_ dumb parser would be fooled by most of what I'm seeing. :)