At 05:25 31-01-10, Wael Shaheen wrote:
> As a solution the routing team was thinking to block port 25 for outgoing as
> some ISPs do. However, I do not see this to be a valid solution for many
> reasons, such as clients that have email servers outside, or, if we decide to
> redirect it to spam filters, that will just cost the company too much.

Mail submission is done over port 587 and not port 25.

> Luckily we have two sets of DNS server farms: one that is serving static IP
> users and one that is dedicated only to dynamic IP users. The idea I have
> proposed is to deny these dynamic users from performing MX queries.
>
> So instead of blocking port 25 we can redirect the DNS port to the DNS farm
> that is dedicated to dynamic users, which will guarantee that no standard
> DNS port forwarded queries are going to external servers. Then we will block
> the MX and root queries for those dynamic clients.
> That will prevent them from using a locally installed DNS service on their
> machines or querying MX records for targets they want to send spam to.

That can be bypassed as you explained below.

> Of course there will still be some challenges, like if some spammers know the
> A record of the mail server they want to connect to, or if they used the IP
> address of the targeted mail server, or if they used open DNS servers that work
> on non-standard ports, but then again I believe these users will stand out and
> will be identified more easily.

The idea is another variation of the walled garden. You could look into doing traffic flow analysis and using feedback reports to identify the source of the abuse.

Regards,
-sm
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
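The reply above suggests traffic flow analysis rather than relying on the MX-query block alone. The script below is an added example, not code from this thread or from ISC: it reads BIND-style query log lines, keeps only MX queries from addresses in the dynamic subscriber pools, and flags clients that query MX records for many distinct domains, which is the pattern a spam engine produces and a residential user almost never does. The pool ranges, the log lines and the thresholds are all constructed for the example; the log line shape follows BIND 9's querylog output, with the newer "@0x..." client token tolerated.

```python
"""Added example (not from the bind-users thread): flag dynamic-pool clients
that issue MX queries for many distinct domains, as a starting point for the
traffic-flow analysis suggested in the reply.  Pools, log lines and thresholds
are constructed; the log format mirrors BIND 9's querylog channel."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed (constructed): address pools handed out to dynamic-IP subscribers.
DYNAMIC_POOLS = [ipaddress.ip_network("10.200.0.0/16"),
                 ipaddress.ip_network("10.201.0.0/16")]

# Classic querylog line:
#   client 10.200.1.5#40123: query: example.com IN MX + (192.0.2.53)
# Newer BIND versions add an "@0x..." token and "(name)" before "query:";
# both pieces are optional in the pattern.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+) ")


def is_dynamic(ip):
    """True when the client address belongs to a dynamic subscriber pool."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DYNAMIC_POOLS)


def parse_line(line):
    """Return (client_ip, qname, qtype) or None for non-query log lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name"), m.group("qtype")


def mx_query_report(lines):
    """Map dynamic-pool client -> (mx_query_count, distinct_domains_queried)."""
    mx_counts = Counter()
    domains = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, name, qtype = parsed
        if qtype == "MX" and is_dynamic(ip):
            mx_counts[ip] += 1
            domains[ip].add(name.lower().rstrip("."))
    return {ip: (n, len(domains[ip])) for ip, n in mx_counts.items()}


def flag_clients(lines, min_mx=5, min_domains=3):
    """Dynamic clients whose MX activity crosses both thresholds, sorted."""
    report = mx_query_report(lines)
    return sorted(ip for ip, (n, d) in report.items()
                  if n >= min_mx and d >= min_domains)


# Constructed sample log: one spam-like dynamic client, one normal dynamic
# client, one static client (out of scope here) and one noise line.
SAMPLE_LOG = [
    "client 10.200.1.5#40123: query: a.example IN MX + (10.200.0.53)",
    "client 10.200.1.5#40124: query: b.example IN MX + (10.200.0.53)",
    "client 10.200.1.5#40125: query: c.example IN MX + (10.200.0.53)",
    "client 10.200.1.5#40126: query: d.example IN MX + (10.200.0.53)",
    "client 10.200.1.5#40127: query: e.example IN MX + (10.200.0.53)",
    "client 10.200.1.5#40128: query: f.example IN MX + (10.200.0.53)",
    "client 10.200.1.9#51001: query: www.example.com IN A + (10.200.0.53)",
    "client 10.200.1.9#51002: query: example.com IN MX + (10.200.0.53)",
    "client 172.16.5.5#2000: query: a.example IN MX + (172.16.0.53)",
    "client 172.16.5.5#2001: query: b.example IN MX + (172.16.0.53)",
    "client 172.16.5.5#2002: query: c.example IN MX + (172.16.0.53)",
    "client 172.16.5.5#2003: query: d.example IN MX + (172.16.0.53)",
    "client 172.16.5.5#2004: query: e.example IN MX + (172.16.0.53)",
    "client @0x7f3c0c0c8d60 10.201.7.7#51234 (mail.example.org): query: mail.example.org IN MX +E(0)K (10.201.0.53)",
    "client @0x7f3c0c0c8d60 10.201.7.7#51235 (mail.example.org): query: mail.example.org IN MX +E(0)K (10.201.0.53)",
    "client @0x7f3c0c0c8d60 10.201.7.7#51236 (mail.example.org): query: mail.example.org IN MX +E(0)K (10.201.0.53)",
    "client @0x7f3c0c0c8d60 10.201.7.7#51237 (example.net): query: example.net IN MX +E(0)K (10.201.0.53)",
    "client @0x7f3c0c0c8d60 10.201.7.7#51238 (example.info): query: example.info IN MX +E(0)K (10.201.0.53)",
    "resolver priming query complete",
]

if __name__ == "__main__":
    for ip, (n, d) in sorted(mx_query_report(SAMPLE_LOG).items()):
        print(f"{ip}: {n} MX queries over {d} domains")
    print("flagged:", flag_clients(SAMPLE_LOG))
```

The static client 172.16.5.5 is deliberately left out of the report because the proposal only concerns the dynamic farm; the same counting can be pointed at the static-pool log by changing the pool list. Counting distinct domains rather than raw MX volume is what separates a mail relay that legitimately resolves a few recipients from a host working through a target list.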
