On Fri, May 10, 2002 at 11:27:10AM +1000, Terence Giufre-Sweetser wrote:
>
> Now there's a good idea, and it works, I have several sites running a
> "port 25" trap to stop smtp abuse.
>
> To stop port 25 abuse at some schools, the firewall grabs all outgoing
> port 25 connections from !"the mail server", and to !"the mail server",
> and runs them via "the mail server", which stops header forging, mass rcpt
> to: abuse, and vrfy/expn probing. Anything that goes past the filters has
> a nice clear and traceable received by: line.
>
> If a few of the larger pre-paid isp's could simply filter port 25 on their
> accounts, add some sanity checking (like, a user must be using a valid
> email address in the from:/return-path:/reply-to: lines, etc) and reject
> other abuse like rcpt to: stacking. Plus, add an anti-bulk email check,
> like razor or checksum clearinghouse, (yeah, seriously, checksum the
> outgoing emails, if some humans somewhere have said "this is spam", then
> /dev/null or BOUNCE the outgoing email.)
>
> I'd even be inclined to place these filters at the border to smaller
> downstream isp's, let them register their valid email domains, any user
> from their network trying to send invalid email, or email that is listed
> in razor, just kill it or auto-refer to the abuse desk.
>
> [This may sound expensive, but on reflection, a US$2K box with BSD could
> handle 20Mbps of port 25, remember only port 25, nothing else, you would
> place one behind your dial up infrastructure, or several for a large site,
> and your "transparent smtp proxy" would pay for itself by killing off a
> lot of your abuse@ work. There are many ways of redirecting the port 25
> packets, have a look at all the good work done on port 80 transparent
> proxies.]
>
> // :), patent pending? No, the concept is hereby committed to the public
> domain. //

Earthlink was doing this for basically all of their consumer-grade (dialup, most of the ADSL, etc) customers in 1999 (well, almost certainly earlier than that, but I can only personally speak to it being in place then).

It doesn't stop absolutely everything, but it's a very good 95% first pass filter. Don't forget to allocate support queue time for explaining to folks why they can't do SMTP relaying through their other provider where they have a hosting account, though...

(Business customers were exempted, but paid hefty setup fees and monthly fees, and if I recall the contract correctly, forfeited all of them for AUP violations, which explicitly included UCE).

Keeping the filters up to date is often a painful exercise in assignment coordination testing, too...

-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
[EMAIL PROTECTED]              http://users.lightbearer.com/lucifer/
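
The outbound checks proposed in the quoted post, as an added sketch that is not code from either poster: a policy function a transparent port 25 proxy could call per intercepted transaction. The network ranges, domain names, recipient cap and the SHA-256 digest set (a local stand-in for a Razor or DCC lookup, not their protocols) are all constructed assumptions.

```python
import hashlib
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: downstream networks and the domains they registered.
REGISTERED = {
    ipaddress.ip_network("192.0.2.0/24"): {"school.example"},
    ipaddress.ip_network("198.51.100.0/24"): {"smallisp.example"},
}
MAX_RCPT = 20  # assumed cap against "rcpt to: stacking"
# Stand-in for a Razor/DCC query: digests of bodies humans reported as spam.
REPORTED = {hashlib.sha256(b"Buy now!!!\n").hexdigest()}


def domains_for(client_ip):
    """Return the domains registered for the network the client connects from."""
    addr = ipaddress.ip_address(client_ip)
    for net, domains in REGISTERED.items():
        if addr in net:
            return domains
    return set()


def check_outbound(client_ip, mail_from, rcpts, raw_message):
    """Return (verdict, reason) for one intercepted port 25 transaction."""
    allowed = domains_for(client_ip)
    if not allowed:
        return "reject", "source network has no registered domains"
    if len(rcpts) > MAX_RCPT:
        return "reject", "too many recipients"
    msg = message_from_string(raw_message)
    # Check the envelope sender plus the header lines named in the post.
    senders = [("envelope", mail_from)]
    for name in ("From", "Return-Path", "Reply-To"):
        senders += [(name, value) for value in msg.get_all(name, [])]
    for where, value in senders:
        address = parseaddr(value)[1]
        domain = address.rpartition("@")[2].lower()
        if "@" not in address or domain not in allowed:
            return "reject", f"{where} address not in a registered domain"
    # Hash everything after the header block and compare with reported digests.
    body = raw_message.partition("\n\n")[2]
    if hashlib.sha256(body.encode()).hexdigest() in REPORTED:
        return "refer-to-abuse", "body matches a reported bulk message"
    return "accept", "ok"
```
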