[100288] in North American Network Operators' Group


Re: Misguided SPAM Filtering techniques

daemon@ATHENA.MIT.EDU (Nathan Ward)
Sun Oct 21 02:51:30 2007

In-Reply-To: <20071021062233.GE12664@skywalker.creative.net.au>
From: Nathan Ward <nanog@daork.net>
Date: Sun, 21 Oct 2007 19:36:20 +1300
To: nanog list <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu


On 21/10/2007, at 7:22 PM, Adrian Chadd wrote:
> On Sun, Oct 21, 2007, Nathan Ward wrote:
>> Blocking 25/TCP is acceptable, blocking 587/TCP is not - it is
>> designed for mail submission to an MSA, so serves little use for
>> spam, save when a spammer has detected an open mail relay listening
>> on 587/TCP, or someone has (mis)configured port 587 to allow
>> submission to locally hosted domains from remote hosts without
>> authentication. I'd be /very/ surprised if the networks in question
>> received sufficient complaints from (clueless) mail admins, who were
>> being spammed via one of these techniques.
>
> Or peoples' machines are now being infected by malware which
> checks for login credentials or uses the existing mail client
> via various inter-process communication techniques; re-using said
> login credentials to talk to authenticated SMTP servers.

If you force people to use your MSAs, the malware will get those
details, too.

With that in mind, the only semi-reasonable solution I can see is
limiting the number of new connections/min heading out to these
ports. If your hardware can DNAT and/or filter based on L4 info
(port), then it can probably limit the number of packets to a certain
port with the SYN flag set.

--
Nathan Ward
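The egress control Nathan describes above (cap the number of new outbound connections per minute to the mail ports, keyed on the SYN flag) can be modelled as a per-source sliding-window counter. The block below is an added example, not code from the thread or from any vendor's filter: it assumes a packet record of (timestamp, source address, destination port, TCP flag set), counts only bare SYNs to 25/TCP and 587/TCP, and drops a source's further new connections once it exceeds the per-window allowance. The sample traffic (a normal desktop and an infected host on 192.0.2.0/24) is constructed for the demonstration.

```python
from collections import defaultdict, deque

# Ports the list discussion is about: classic SMTP relay and mail submission.
MAIL_PORTS = {25, 587}
WINDOW_SECONDS = 60  # "new connections per minute"


class SynRateLimiter:
    """Per-source limit on new outbound TCP connections to the mail ports.

    Only a bare SYN (no ACK) opens a new connection, so packets on established
    flows and traffic to other ports are never counted; a legitimate client
    that has already connected keeps working.
    """

    def __init__(self, max_new_per_window, window=WINDOW_SECONDS, ports=MAIL_PORTS):
        self.max_new = max_new_per_window
        self.window = window
        self.ports = ports
        # source address -> timestamps of SYNs that were allowed through
        self.history = defaultdict(deque)

    def decide(self, ts, src, dport, flags):
        if dport not in self.ports or flags != {"SYN"}:
            return "pass"  # not a new connection to a mail port: out of scope
        q = self.history[src]
        # Slide the window: forget allowed SYNs older than the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_new:
            return "drop"  # allowance for this minute already used up
        q.append(ts)
        return "allow"


def filter_packets(packets, max_new_per_window=10):
    """Run the limiter over a packet list; return per-packet verdicts and
    a per-source count of dropped SYNs (the hosts worth looking at)."""
    limiter = SynRateLimiter(max_new_per_window)
    verdicts = []
    dropped = defaultdict(int)
    for ts, src, dport, flags in packets:
        verdict = limiter.decide(ts, src, dport, flags)
        verdicts.append(verdict)
        if verdict == "drop":
            dropped[src] += 1
    return verdicts, dict(dropped)


def sample_packets():
    """Constructed traffic: one normal desktop, one host spewing SYNs to port 25."""
    pkts = []
    # Normal user: three submissions to the ISP MSA over ten minutes.
    for t in (0, 200, 400):
        pkts.append((t, "192.0.2.10", 587, {"SYN"}))
        pkts.append((t + 1, "192.0.2.10", 587, {"ACK"}))  # established flow, not counted
    pkts.append((5, "192.0.2.10", 80, {"SYN"}))  # web traffic, not a mail port
    # Infected host: 50 new connections to port 25 within 30 seconds...
    for i in range(50):
        pkts.append((100 + i * 0.6, "192.0.2.77", 25, {"SYN"}))
    # ...then five more a minute and a half later, when the window has slid.
    for i in range(5):
        pkts.append((200 + i, "192.0.2.77", 25, {"SYN"}))
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    verdicts, dropped = filter_packets(sample_packets())
    print("allowed:", verdicts.count("allow"), "dropped:", verdicts.count("drop"))
    print("sources throttled:", dropped)
```

With the default allowance of 10 per minute the normal client never notices the limit, while the infected host gets its first 10 SYNs through, has the next 40 dropped, and is back to 10 per minute once the window slides; the `dropped` map is the list of sources an operator would want to notify or investigate. In a real deployment the same logic lives in the access router or firewall as a per-source rate limit matching TCP SYN packets to these ports, which is the "limit the number of packets with the SYN flag set" step in the message above.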
