> From [EMAIL PROTECTED] Wed Sep 3 11:58:37 2008
> From: Alec Berry <[EMAIL PROTECTED]>
> Subject: Re: ingress SMTP
>
> Michael Thomas wrote:
> > I think this all vastly underrates the agility of the bad guys. So
> > lots of ISP's have blocked port 25. Has it made any appreciable
> > difference? Not that I can tell. If you block port 25, they'll just
> > use another port and a relay if necessary.
>
> I'm pretty sure it has, although without aggregate stats from various
> ISPs it is hard to tell. Since mail transport is exclusively on port 25
> (as opposed to mail submission), a bot cannot just hop to another port.
One small data-point -- on a personal vanity domain, approximately 2/3 of all the spam (circa 15k junk emails/month) was 'direct to inbound MX' transmissions. The vast majority of this is coming from end-user machines outside of North America. China, India, Thailand, Brazil, Poland, "CZ", and a couple of providers each in Germany and France, appear to be the most prevalent sources _I_ see.

The message count would be a fair bit higher, but I have several overseas networks (4 in DE, 2 in TW, 1 in CZ) plus pieces of 2 domestic networks (*da.uu.net, *pub-ip.psi.net) blocked at the firewall. Also firewalled are a couple of dozen IP addresses that have -each- made over 10k attempts to _relay_ mail through me.

I'm seeing a significant amount of 'Received' header forgery, apparently intended to fool "dumb" header parsers into believing the direct-to-MX transmission _did_ go through the server associated with the domain used in the "from: ", "from ", and "Reply-to: " lines. The good news is that only a _really_ dumb parser would be fooled by most of what I'm seeing. :)
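As an added illustration of the Received-header forgery described above (example code, not part of the thread): a "dumb" parser that believes any Received line naming the sender's MTA is fooled, while a parser that trusts only the topmost line (the one our own MX wrote, whose bracketed address is the real TCP peer) still sees a direct-to-MX delivery. The sample message, `OUR_MX` and the `KNOWN_RELAYS` table are constructed assumptions using documentation address ranges.

```python
import re
from email import message_from_string

# Constructed sample (not a real message): a bot at 203.0.113.7 delivers straight
# to our MX while HELO-ing as the sender's mail host and forging an inner
# Received line that claims the mail passed through mail.example.net.
SAMPLE = """\
Received: from mail.example.net (unknown [203.0.113.7])
\tby mx.example.org (Postfix) with ESMTP id ABC123; Wed, 3 Sep 2008 11:58:37 -0400
Received: from client.example.net (client.example.net [192.0.2.55])
\tby mail.example.net (Postfix) with ESMTP id XYZ789; Wed, 3 Sep 2008 11:50:00 -0400
From: alice@example.net
"""

OUR_MX = "mx.example.org"
# Assumed table for the example: outbound relay addresses each sender domain is
# known to use. A real deployment would derive this from MX/SPF lookups.
KNOWN_RELAYS = {"example.net": {"192.0.2.25"}}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def parse_received(value):
    """Extract HELO name, bracketed peer IP and the 'by' host from one header."""
    m = RECEIVED_RE.search(value)
    return m.groupdict() if m else None

def naive_verdict(msg, sender_domain):
    """A 'dumb' parser: trusts any Received line naming the sender's MTA."""
    for v in msg.get_all("Received", []):
        hop = parse_received(v)
        if hop and hop["by"].endswith(sender_domain):
            return "relayed-by-sender-mta"   # fooled by the forged inner line
    return "direct-to-mx"

def hardened_verdict(msg, sender_domain):
    """Trust only the topmost Received line, which our own MX wrote."""
    top = parse_received(msg.get_all("Received", [""])[0])
    if not top or top["by"] != OUR_MX:
        return ("untrusted-top-hop", None)
    ip = top["ip"]                          # the actual connecting peer
    if ip in KNOWN_RELAYS.get(sender_domain, set()):
        return ("known-relay", ip)
    return ("direct-to-mx-from-unlisted-host", ip)

def analyse(raw=SAMPLE):
    """Run both parsers over a raw message; returns (naive, hardened) verdicts."""
    msg = message_from_string(raw)
    domain = msg["From"].rsplit("@", 1)[1]
    return naive_verdict(msg, domain), hardened_verdict(msg, domain)
```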