On Sat, Sep 12, 2009 at 02:42:41AM +0300, Gadi Evron wrote:
> I cannot IP filter an SMTP server to be available only from certain
> locations -- as if I even wanted to limit myself in such a way.

It's long since become a best practice to do exactly that: to firewall out connections from any network allocation (whether by entity or country) that recipients don't need/want to receive mail from. (Or more efficiently in some cases, to only permit connections from those allocations where mail is necessary/desirable.) These are high-efficiency, low-cost anti-email-abuse techniques that work beautifully *when properly used* -- and that, of course, is the trick.

For example, on various mail servers I'm running, I'm using a combination of 3261 network allocations and 26 country allocations to refuse connections (with different ones used on different servers depending on their traffic patterns). Given that the occurrence rate of non-abusive connections from those ranges from "once every several years" to "never", this is a clearly superior method of defense in terms of resources, cost, efficiency, FP, FN, resistance to attack, resistance to gaming, etc.

Incidentally, *everyone* should be using the Spamhaus DROP list for IP filtering, preferably at the network perimeter. But if that's not possible, then in the firewall (onboard or elsewhere) in front of mail server(s) -- and blocking bidirectionally.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
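As an added illustration of the allocation-based refusal and bidirectional DROP-list filtering described in the post above (example code, not from the original message or from Spamhaus), the following Python parses constructed sample lines in the Spamhaus DROP file format (`CIDR ; SBL-reference`, with `;` starting comments) and applies them, together with a constructed list of refused allocations, to an inbound SMTP peer or an outbound destination. The addresses, SBL numbers and refused ranges are all placeholders.

```python
import ipaddress

# Constructed sample in Spamhaus DROP file format (";" starts a comment,
# each entry is "CIDR ; SBL reference"). Not the real list.
DROP_TEXT = """\
; Spamhaus DROP List (constructed sample for illustration)
; Last-Modified: Sat, 12 Sep 2009 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""

# Constructed per-server policy: allocations this server never needs mail from.
# Country-level ranges would normally be derived from RIR delegation data;
# this placeholder stands in for such a list.
REFUSED_ALLOCATIONS = ["203.0.113.0/24"]


def parse_drop(text):
    """Parse DROP-format text into ip_network objects, skipping comment lines."""
    nets = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip "; SBLxxxx" and comments
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def build_policy(drop_text, refused):
    """Combine the DROP list with the server's own refused allocations."""
    return parse_drop(drop_text) + [ipaddress.ip_network(n) for n in refused]


def blocked_by(addr, nets):
    """Return the first network containing addr, or None if no rule matches."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip in net:
            return net
    return None


def smtp_decision(policy, src=None, dst=None):
    """Bidirectional check: refuse an inbound peer OR an outbound destination
    that falls inside a blocked allocation. Returns (verdict, reason)."""
    for role, addr in (("inbound", src), ("outbound", dst)):
        if addr is None:
            continue
        hit = blocked_by(addr, policy)
        if hit is not None:
            return "refuse", f"{role} {addr} in {hit}"
    return "accept", "no blocked allocation matched"
```

In a real deployment the same networks would be loaded into a perimeter firewall or ipset rather than checked in application code, but the matching logic is the same.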
