On Wed, 17 Mar 2004 14:09:56 -0500 
Matt said something about Re: [Declude.JunkMail] Comcast Update:

> Dave Doherty wrote:
> 
> > Hi Matt-
> >  
> > click... click... click...
> >  
> > So here we go again. The old broken record.
> >  
> > If Comcast and RoadRunner blocked port 25, they would be down many 
> > millions of messages per day.
> 
> 
> I've said this before, and I'll say it again.  Blocking port 25 will not 
> stop zombies.
> 
>     1) There are hundreds of thousands of zombies out there that can be
>     used at any time, some of them servers.  Blocking port 25 will only
>     limit the number of potential relays, but there are more than enough
>     to go around.  I would much rather score a DUL hit on a
>     Comcast zombie than face a legitimate mail server that had been
>     compromised.
> 
>     2) Spammers are now increasingly relaying from zombies through their
>     ISP's mail server in order to avoid DNSBL hits.  The net result is
>     that legitimate servers are now getting SpamCopped all over the
>     place, and this spam is scoring much lower or even getting through
>     many filtering systems.  If you block port 25, you will only compel
>     the rate of relaying through legitimate mail servers to increase. 
>     In order for this to go undetected, they will also relay in smaller
>     numbers, making them less likely to be found out by the ISP, and
>     tagged by a DNSBL.
> 
> 
> I truly believe that not only would blocking port 25 be limiting to 
> third-party mail providers like myself, and in effect trying to hit a 
> nail with a sledgehammer, it also has the potential of making the 
> problem much worse.
> 
> These are valid points that I have brought up about three times now and 
> I think you should consider them just like I have considered your stance 
> on this issue.
> 
> Matt

Block port 25 *AND* *REQUIRE* SMTP AUTH. Zombies using their own SMTP
engines won't have the AUTH credentials to successfully relay through the
ISP SMTP server. Those that use the client's SMTP delivery agent to relay
will allow very fast tracking of the infected machine based on AUTH entries.

That's the way we're set up and the only problem is that our customers can
spread viruses to other users in our domain because IMail doesn't require
AUTH to deliver from one local address to another.

My logs are full of "auth error" ... "- not in database" errors. Worms and
zombies using their own SMTP engines trying to send outside our domain with
no AUTH info. As soon as our radius geek cleans up the reports I'll be able
to start tracking by IP/login time and informing those customers (after
setting up some non-official sounding address to do it with because the
latest Bagle outbreak has jaded my customers to the "standard" support
addresses). Right now I have to dig in the database by hand and as the
resident mail geek I have too much on my plate to be trying to generate
clean SQL queries to figure out who had IP xx.xx.xx.xx at 17:23 two Sundays ago.

And we HAVE cut service to zombie infected users when we get reports on
them. We turn them off to prompt them to call in. We tell them their
account has been flagged as having sent spam and if they aren't doing it
intentionally they are probably zombie infected and should have their
machine checked out. When they assure us they've had that done we turn them
back on -- and watch them for a few days. If it starts again we close the
account permanently and explain that they need to find a local user-group
or computer professional to assist them with protecting their system -- and
they need to find another ISP.

Yes, for third party mail providers it's going to be a pain in the rear. If
there's some reason your customers absolutely must be able to send mail out
through your SMTP server rather than through that of their ISP then you'll
have to set up a gateway SMTP daemon for them using an unprivileged port.
I'd suggest using something other than the ever popular 2525 because worm
writers are gonna catch on to that some day. A very low end machine (old
Pentium with a small drive) should be able to handle thousands of users if
it's only doing accept and forward work.

Yes, it's a lot of work. But we, as mail administrators, can stop most of
the virus/worm proliferation if we institute policies that require
TRACKABLE authentication for every SMTP transaction from an end user. It
has to be done at the ISP<--->USER point to allow continued free flow of
SMTP traffic from ISP<--->ISP. If all legitimate ISPs were to institute
such policies then the only spam/worms being proliferated would be from
those who wanted to allow such activity. Pretty easy to block that using
DNSBL.

Gerald

-- 
Gerald V. Livingston II

Configure your Email to send TEXT ONLY -- See the following page:
http://expita.com/nomime.html
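An added illustration of the tracking step Gerald describes (this is not code from his post, from IMail or from the list): count "not in database" AUTH failures per source IP, then resolve an IP at a given time to the RADIUS login that held it. The log line layout, the session records and the table name `radacct` are all constructed assumptions, not the real IMail or RADIUS formats.

```python
import re
import sqlite3
from collections import Counter

# Constructed sample SMTP AUTH log lines (simplified layout, not IMail's real format).
AUTH_LOG = """\
2004-03-14 17:21:05 10.0.0.5 auth error - not in database
2004-03-14 17:21:06 10.0.0.5 auth error - not in database
2004-03-14 17:23:10 10.0.0.5 auth error - not in database
2004-03-14 17:25:00 10.0.0.9 auth error - not in database
2004-03-14 17:26:30 10.0.0.7 auth ok user=alice
"""

# Constructed RADIUS accounting records: (login, ip, session start, session stop).
RADIUS_SESSIONS = [
    ("bob", "10.0.0.5", "2004-03-14 16:50:00", "2004-03-14 18:10:00"),
    ("carol", "10.0.0.5", "2004-03-14 18:30:00", "2004-03-14 20:00:00"),
    ("dave", "10.0.0.9", "2004-03-14 17:00:00", "2004-03-14 17:40:00"),
]

LINE_RE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) auth error - not in database$")


def auth_failures(log):
    """Return {ip: (count, first_timestamp)} for every IP with AUTH failures."""
    counts, first_seen = Counter(), {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip = m.group(1), m.group(2)
            counts[ip] += 1
            first_seen.setdefault(ip, ts)
    return {ip: (n, first_seen[ip]) for ip, n in counts.items()}


def who_had_ip(sessions, ip, when):
    """Map an IP and an ISO timestamp to the login holding that IP, via an in-memory table.
    ISO 'YYYY-MM-DD HH:MM:SS' strings compare correctly as text, so no date parsing is needed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct(login TEXT, ip TEXT, start TEXT, stop TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?)", sessions)
    row = conn.execute(
        "SELECT login FROM radacct WHERE ip=? AND start<=? AND stop>=? "
        "ORDER BY start DESC LIMIT 1", (ip, when, when)).fetchone()
    conn.close()
    return row[0] if row else None


def suspect_logins(log, sessions, threshold=3):
    """IPs at or above the failure threshold, resolved to the login active at the first failure."""
    return {ip: (n, who_had_ip(sessions, ip, ts))
            for ip, (n, ts) in auth_failures(log).items() if n >= threshold}
```

With a threshold of 3, only 10.0.0.5 (three failures during bob's session) is reported; a single stray failure from 10.0.0.9 is not.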

