On Thu, May 26, 2005 at 11:09:05AM -0700, [EMAIL PROTECTED] wrote:
> Kelsey Cummings wrote:
> > On Thu, May 26, 2005 at 01:23:56PM -0400, James Ebright wrote:
> >>> Now, if 25 inbound was shut down...
> >>
> >> Why would an ISP shutdown port 25 inbound?...
> >
> > You must block port 25 in both directions to prevent 'triangular
> > routing attacks' from working.
>
> What is a triangular routing attack?

Take host A, zombie B, and target C. Host A is hosted on a high speed link
with a spam-friendly or clueless ISP that does not implement RPV and allows
spoofed traffic to leave their network. A sources traffic using B's IP
address to C on port 25. C sends ACKs to B from port 25, B forwards ACKs to
A. This allows the spammer to send spam out via fast links while only using
their zombie networks to process the ACKs.

Blocking traffic sent *from* port 25 into subscribers is as important as
blocking outbound port 25 traffic from them. Of course, make sure your own
mail servers are allowed to send their responses.

--
Kelsey Cummings - [EMAIL PROTECTED]      sonic.net, inc.
System Architect                         2260 Apollo Way
707.522.1000 (Voice)                     Santa Rosa, CA 95407
707.547.2199 (Fax)                       http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79 8DB7 2B42 86B6 4E2C 3896
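
The filtering policy from the message above, as an added example that is not part of the original post: it evaluates the packets zombie B's ISP would see and compares an outbound-only port 25 block with a block in both directions. All addresses, the mail-server exemption list and the port B uses to forward to A are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed values (documentation address ranges), not from the post.
SUBSCRIBERS = ip_network("198.51.100.0/24")   # ISP's subscriber pool
ISP_MAIL = {ip_address("192.0.2.25")}         # ISP's own mail servers (exempt)
SMTP = 25


def verdict(src, sport, dst, dport, block_inbound_from_25=True):
    """Return 'drop' or 'pass' for one TCP packet at the subscriber edge."""
    src, dst = ip_address(src), ip_address(dst)
    # Outbound rule: subscriber sending to port 25 anywhere except the
    # ISP's own mail servers.
    if src in SUBSCRIBERS and dport == SMTP and dst not in ISP_MAIL:
        return "drop"
    # Inbound rule: traffic sent *from* port 25 into a subscriber, except
    # responses from the ISP's own mail servers.
    if (block_inbound_from_25 and dst in SUBSCRIBERS
            and sport == SMTP and src not in ISP_MAIL):
        return "drop"
    return "pass"


# A's spoofed packets go straight to C and never cross B's ISP, so the
# edge only sees these two legs (ports 40000/50000/8080 are assumptions).
A, B, C = "203.0.113.200", "198.51.100.7", "203.0.113.10"
TRIANGLE = [
    ("C->B reply from port 25", (C, SMTP, B, 40000)),
    ("B->A forwarded ACK info", (B, 50000, A, 8080)),
]


def evaluate(block_inbound_from_25):
    """Verdict for each leg of the triangle under the chosen policy."""
    return {name: verdict(*pkt, block_inbound_from_25=block_inbound_from_25)
            for name, pkt in TRIANGLE}


if __name__ == "__main__":
    print("outbound-only block :", evaluate(False))
    print("both directions     :", evaluate(True))
    print("ISP mail server reply:", verdict("192.0.2.25", SMTP, B, 40001))
```

With only the outbound rule, every leg passes because B never sends to port 25 itself; the inbound rule is what drops C's replies before B can relay them.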

