Re: blocking spam with cisco routers [7:48971]
You'll need a mail relay program like Worldsecure (now Tumbleweed) that searches the content of the message before relaying it to the internal e-mail server. As others have stated, other e-mail servers will open SMTP connections to your mail server in order to send mail. Most spammers change IP addresses constantly to avoid being blocked by devices such as routers.

----- Original Message -----
From: "Nigel Taylor"
To:
Sent: Wednesday, July 17, 2002 10:22 AM
Subject: Re: blocking spam with cisco routers [7:48971]

> George,
>
> Priscilla brings up a good point in that this will not be easy. The most important issue here, as Priscilla pointed out, is going to revolve around the architecture of your networks or the network you use for connectivity (to the rest of the world). Some other questions that may apply are very specific to your email services. If you have your own domain and don't relay any mail for specific purposes, then this will help, however mail directly addressed to your domain's users will be delivered. The problem here is how do you determine who is allowed to send you email. This is somewhat of an impossible task because there's no real way of identifying your SMTP-specific "Community of Interest" (COI).
>
> The reason being that smtp (tcp) connections are made from any server-to-server (your server) for the delivery of mail. I'm sure your smtp requirements are much like the typical domain, in which filtering inbound mail falls outside the area of the routed network. It's one thing to filter a specific host or number of hosts to prevent the spread of a new "virus". This would still only be accomplished through monitoring of existing smtp traffic flows, in which you could address the issue by resolving the source of the infected mail traffic. Again, the traffic is only identified based on a "criteria" which can now be tracked or filtered.
>
> Where I'm going with this is that the only effective way of containing "spam" is by identifying who is sending it and most importantly what "subject lines" are being used in the SPAM email received. This is important because you might not want to block or filter all mail inbound from "hotmail.com" so finding another way to identify the "spam" is very important. I'm not sure of the flexibility of Micro$oft's exchange to filter mail based on "subject lines" but, I know that sendmail (the best mail server) through the use of the "cf" file can aid in this process. There is assistance in the form of various programs that do this type of filtering, however the need to provide the "rules" for the filter still falls within the area of monitoring and prevention.
>
> Currently, we use Solaris on all of our mail servers (16 of them). We do relay mail for all or most of our users and with some scripting and MySQL was able to compile a database of the domains and subject lines of typical spam specific emails. All inbound email is processed through this script which will tag the "spam" email and forwards it into a separate mail server queue for profiling (to check the validity), before being forwarded to the user. We have just begun to use a program called "SPAM Assassin" which uses our daily updated list of spammers and subject lines.
>
> HTH
>
> Nigel
>
> P.S. Please note the use of "Howard-isms" in this email..:->
>
> ----- Original Message -----
> From: "Priscilla Oppenheimer"
> To:
> Sent: Tuesday, July 16, 2002 10:50 PM
> Subject: Re: blocking spam with cisco routers [7:48971]
>
> > Brad Ellis wrote:
> > >
> > > Yup, use an access list filtering IPs on port 25 (only allow yours through)
> >
> > Yes, but, other SMTP servers for legitimate reasons are also going to be opening TCP sessions to port 25 because they have e-mail to send to your users. It's not as easy as it sounds.
> >
> > I guess it depends on the ISP's network architecture too. We have a challenge where I work in that our users are on cable modems that connect to the cable provider (which isn't technically us). Their e-mail requests come into our network on the same interface that all Internet traffic comes in on.
> >
> > Priscilla
> >
> > > thanks,
> > > -Brad Ellis
> > > CCIE#5796 (R&S / Security)
> > > [EMAIL PROTECTED]
> > > Cisco home labs: www
Re: blocking spam with cisco routers [7:48971]
I wouldn't even think of using a router for this purpose unless you are only using smtp mail between your own sites and don't want outside email f/ anywhere. We run spamassasin (www.spamassasin.org) on our mail server and it cuts out 80-90% of our SPAM.

Kevin Hunt
CCNP, MCSE, MCT, Linux+ SME

----- Original Message -----
From: "Marty Adkins"
To:
Sent: Wednesday, July 17, 2002 8:01 AM
Subject: Re: blocking spam with cisco routers [7:48971]

> GEORGE wrote:
> >
> > Hi all I have a question, I configured my e-mail server to only accept local e-mail, and deny other relay, however I'm still vulnerable to spam. My question is how do the ips block other e-mail going to their smtp
> > Do they do it by access-list? Allowing only the local network with port 25?
> > Or just the e-mail server?
> > If cisco routers have to be involved does anyone have some links. I'm behind a pix and would like to allow only my network to use smtp.
>
> Network layer filtering can't really do much to prevent relaying; it has to be done in the SMTP application. The techniques that I'm familiar with include:
> 1) Disallow mail sent to non-local (different domain) addresses unless the SMTP source is within the local domain, as resolved in a reverse DNS. This is simple but prevents one from sourcing mail while traveling, using a different ISP, at work, etc.
> 2) Same as #1 but require U/P authentication for outgoing mail.
> 3) Same as #1 but indirectly authenticate by correlating an outgoing mail connection with a "recent" successful POP3 fetch, which naturally requires a U/P. My DSL ISP, Speakeasy, does this and it works quite well. If you attempt outbound mail without having done a POP fetch in the last several minutes, an error message tells you that you must do that first.
>
> And BTW, none of these reduce spam, only the relaying of it!
>
> Marty Adkins                     Email: [EMAIL PROTECTED]
> Chesapeake NetCraftsmen, LLC     o:410.757.3050, p:[EMAIL PROTECTED]
> 1290 Bay Dale Drive, Suite 312   http://www.netcraftsmen.NET
> Arnold, MD 21012-2325            Cisco CCIE #1289

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=49040&t=48971
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: blocking spam with cisco routers [7:48971]
George,

Priscilla brings up a good point in that this will not be easy. The most important issue here, as Priscilla pointed out, is going to revolve around the architecture of your networks or the network you use for connectivity (to the rest of the world). Some other questions that may apply are very specific to your email services. If you have your own domain and don't relay any mail for specific purposes, then this will help, however mail directly addressed to your domain's users will be delivered. The problem here is how do you determine who is allowed to send you email. This is somewhat of an impossible task because there's no real way of identifying your SMTP-specific "Community of Interest" (COI).

The reason being that smtp (tcp) connections are made from any server-to-server (your server) for the delivery of mail. I'm sure your smtp requirements are much like the typical domain, in which filtering inbound mail falls outside the area of the routed network. It's one thing to filter a specific host or number of hosts to prevent the spread of a new "virus". This would still only be accomplished through monitoring of existing smtp traffic flows, in which you could address the issue by resolving the source of the infected mail traffic. Again, the traffic is only identified based on a "criteria" which can now be tracked or filtered.

Where I'm going with this is that the only effective way of containing "spam" is by identifying who is sending it and most importantly what "subject lines" are being used in the SPAM email received. This is important because you might not want to block or filter all mail inbound from "hotmail.com" so finding another way to identify the "spam" is very important. I'm not sure of the flexibility of Micro$oft's exchange to filter mail based on "subject lines" but, I know that sendmail (the best mail server) through the use of the "cf" file can aid in this process. There is assistance in the form of various programs that do this type of filtering, however the need to provide the "rules" for the filter still falls within the area of monitoring and prevention.

Currently, we use Solaris on all of our mail servers (16 of them). We do relay mail for all or most of our users and with some scripting and MySQL was able to compile a database of the domains and subject lines of typical spam specific emails. All inbound email is processed through this script which will tag the "spam" email and forwards it into a separate mail server queue for profiling (to check the validity), before being forwarded to the user. We have just begun to use a program called "SPAM Assassin" which uses our daily updated list of spammers and subject lines.

HTH

Nigel

P.S. Please note the use of "Howard-isms" in this email..:->

----- Original Message -----
From: "Priscilla Oppenheimer"
To:
Sent: Tuesday, July 16, 2002 10:50 PM
Subject: Re: blocking spam with cisco routers [7:48971]

> Brad Ellis wrote:
> >
> > Yup, use an access list filtering IPs on port 25 (only allow yours through)
>
> Yes, but, other SMTP servers for legitimate reasons are also going to be opening TCP sessions to port 25 because they have e-mail to send to your users. It's not as easy as it sounds.
>
> I guess it depends on the ISP's network architecture too. We have a challenge where I work in that our users are on cable modems that connect to the cable provider (which isn't technically us). Their e-mail requests come into our network on the same interface that all Internet traffic comes in on.
>
> Priscilla
>
> > thanks,
> > -Brad Ellis
> > CCIE#5796 (R&S / Security)
> > [EMAIL PROTECTED]
> > Cisco home labs: www.optsys.net
> > "GEORGE" wrote in message news:[EMAIL PROTECTED]...
> > > Hi all I have a question, I configured my e-mail server to only accept local e-mail, and deny other relay, however I'm still vulnerable to spam. My question is how do the ips block other e-mail going to their smtp
> > > Do they do it by access-list? Allowing only the local network with port 25?
> > > Or just the e-mail server?
> > > If cisco routers have to be involved does anyone have some links. I'm behind a pix and would like to allow only my network to use smtp.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48994&t=48971
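The tag-and-queue pipeline Nigel describes, sketched as an added example that is not part of the original post or the poster's script. The domain list, subject patterns, queue names and sample messages are constructed stand-ins for the database he mentions; the subject is decoded before matching because an RFC 2047 encoded subject would otherwise never match a plain-text pattern.

```python
import email
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed stand-ins for the database of spam domains and subject lines.
SPAM_DOMAINS = {"bulk-offers.example"}
SPAM_SUBJECTS = [re.compile(p, re.I)
                 for p in (r"\bfree money\b", r"\blose weight fast\b")]

def route(raw_message):
    """Return (queue, message): 'profiling' for tagged mail, else 'deliver'."""
    msg = email.message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Decode encoded-words first, or an encoded subject slips past the patterns.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    reasons = []
    if sender_domain in SPAM_DOMAINS:
        reasons.append("domain:" + sender_domain)
    reasons += ["subject:" + p.pattern for p in SPAM_SUBJECTS if p.search(subject)]
    if not reasons:
        return "deliver", msg
    msg["X-Spam-Flag"] = "YES"          # tag, do not drop: the queue is reviewed
    msg["X-Spam-Reason"] = "; ".join(reasons)
    return "profiling", msg

# Constructed sample messages: two from the same large provider, one listed domain.
SAMPLES = {
    "friend": "From: Pat <pat@hotmail.com>\nSubject: lunch on Friday?\n\nSee you then.\n",
    "encoded": "From: x <x@hotmail.com>\nSubject: =?utf-8?B?RnJlZSBNb25leQ==?=\n\nClick here.\n",
    "listed": "From: promo@bulk-offers.example\nSubject: hello\n\nBuy now.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        queue, tagged = route(raw)
        print(name, queue, tagged.get("X-Spam-Reason", "-"))
```

The two hotmail.com samples land in different queues, which is the reason for matching on subject lines instead of blocking the whole sending domain.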
Re: blocking spam with cisco routers [7:48971]
GEORGE wrote:
>
> Hi all I have a question, I configured my e-mail server to only accept local e-mail, and deny other relay, however I'm still vulnerable to spam. My question is how do the ips block other e-mail going to their smtp
> Do they do it by access-list? Allowing only the local network with port 25?
> Or just the e-mail server?
> If cisco routers have to be involved does anyone have some links. I'm behind a pix and would like to allow only my network to use smtp.

Network layer filtering can't really do much to prevent relaying; it has to be done in the SMTP application. The techniques that I'm familiar with include:
1) Disallow mail sent to non-local (different domain) addresses unless the SMTP source is within the local domain, as resolved in a reverse DNS. This is simple but prevents one from sourcing mail while traveling, using a different ISP, at work, etc.
2) Same as #1 but require U/P authentication for outgoing mail.
3) Same as #1 but indirectly authenticate by correlating an outgoing mail connection with a "recent" successful POP3 fetch, which naturally requires a U/P. My DSL ISP, Speakeasy, does this and it works quite well. If you attempt outbound mail without having done a POP fetch in the last several minutes, an error message tells you that you must do that first.

And BTW, none of these reduce spam, only the relaying of it!

Marty Adkins                     Email: [EMAIL PROTECTED]
Chesapeake NetCraftsmen, LLC     o:410.757.3050, p:[EMAIL PROTECTED]
1290 Bay Dale Drive, Suite 312   http://www.netcraftsmen.NET
Arnold, MD 21012-2325            Cisco CCIE #1289

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=49018&t=48971
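The three relay controls listed in the message above, combined into one per-recipient decision; this is an added example, not code from the post or from any mail server. The local domain, address block and 10-minute window are assumptions, and the "local source" test uses an address block in place of the reverse-DNS lookup the post mentions so that the example runs offline.

```python
import ipaddress
import time
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"example.com"}                       # assumed local mail domain
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed local address block
POP_WINDOW = 600     # seconds a POP3 login counts as "recent" (assumed value)

@dataclass
class RelayPolicy:
    # client IP -> time of its last successful POP3 login
    pop_logins: dict = field(default_factory=dict)

    def record_pop_login(self, client_ip, now=None):
        """Called by the POP3 side after a username/password check succeeds."""
        self.pop_logins[client_ip] = time.time() if now is None else now

    def decide(self, client_ip, rcpt, authenticated=False, now=None):
        """Return (accept, reason) for one RCPT TO received from client_ip."""
        now = time.time() if now is None else now
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            # Inbound mail for local users: any server may deliver it, spam
            # included, which is why relay control does not reduce spam.
            return True, "local delivery"
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in LOCAL_NETS):
            return True, "local source"           # technique 1
        if authenticated:
            return True, "SMTP AUTH"              # technique 2
        last = self.pop_logins.get(client_ip)
        if last is not None and 0 <= now - last <= POP_WINDOW:
            return True, "POP-before-SMTP"        # technique 3
        return False, "relaying denied"

if __name__ == "__main__":
    policy = RelayPolicy()
    roaming = "203.0.113.9"                       # constructed outside address
    print(policy.decide(roaming, "bob@elsewhere.test"))
    policy.record_pop_login(roaming)
    print(policy.decide(roaming, "bob@elsewhere.test"))
    print(policy.decide(roaming, "user@example.com"))
```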
Re: blocking spam with cisco routers [7:48971]
Brad Ellis wrote:
>
> Yup, use an access list filtering IPs on port 25 (only allow yours through)

Yes, but, other SMTP servers for legitimate reasons are also going to be opening TCP sessions to port 25 because they have e-mail to send to your users. It's not as easy as it sounds.

I guess it depends on the ISP's network architecture too. We have a challenge where I work in that our users are on cable modems that connect to the cable provider (which isn't technically us). Their e-mail requests come into our network on the same interface that all Internet traffic comes in on.

Priscilla

> thanks,
> -Brad Ellis
> CCIE#5796 (R&S / Security)
> [EMAIL PROTECTED]
> Cisco home labs: www.optsys.net
> "GEORGE" wrote in message news:[EMAIL PROTECTED]...
> > Hi all I have a question, I configured my e-mail server to only accept local e-mail, and deny other relay, however I'm still vulnerable to spam. My question is how do the ips block other e-mail going to their smtp
> > Do they do it by access-list? Allowing only the local network with port 25?
> > Or just the e-mail server?
> > If cisco routers have to be involved does anyone have some links. I'm behind a pix and would like to allow only my network to use smtp.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48989&t=48971
Re: blocking spam with cisco routers [7:48971]
Yup, use an access list filtering IPs on port 25 (only allow yours through)

thanks,
-Brad Ellis
CCIE#5796 (R&S / Security)
[EMAIL PROTECTED]
Cisco home labs: www.optsys.net

"GEORGE" wrote in message news:[EMAIL PROTECTED]...
> Hi all I have a question, I configured my e-mail server to only accept local e-mail, and deny other relay, however I'm still vulnerable to spam. My question is how do the ips block other e-mail going to their smtp
> Do they do it by access-list? Allowing only the local network with port 25?
> Or just the e-mail server?
> If cisco routers have to be involved does anyone have some links. I'm behind a pix and would like to allow only my network to use smtp.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48973&t=48971