[120007] in North American Network Operators' Group
Re: Breaking the internet (hotels, guestnet style)
daemon@ATHENA.MIT.EDU (Andrew Cox)
Mon Dec 7 20:45:00 2009
Date: Tue, 08 Dec 2009 12:14:01 +1030
From: Andrew Cox <andrew@accessplus.com.au>
To: Suresh Ramasubramanian <ops.lists@gmail.com>
In-Reply-To: <bb0e440a0912071735l7b0bfa9et5c8fd6ce95545f50@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Suresh Ramasubramanian wrote:
> You could just firewall off port 25 and leave 587 open - to save
> yourself from a bunch of viruses and such.
> A lot of people will use webmail anyway - from a hotel. And you avoid
> getting blacklisted
>
The problem with doing that is that users don't understand it. All they
know is that "it doesn't work here and it does at home".
We currently redirect to a couple of dedicated mail relays that will
accept any email where:
a) the source address = the email address the put on their signup
and
b) is not detected as spam
Alternatively there's a throttling table and spam filter on everything
else that comes through.
> The other option is to install a device that examines email flows and
> allows only stuff it doesnt think is spammy (netflow for email kind
> of, with all the bayesian etc secret sauce).
> Two devices come to mind
>
> * Symantec E160 (used to be called turntide, and before that, back in
> 2002-03, spam squelcher)
> * Mailchannels (www.mailchannels.com)
>
> There's probably a few more that do this and are totally transparent.
>
We can also just force the box to accept any unsecured auth-attempts
however the SMTPS over port 25 is still a problem.
Don't see how any system could examine that mail without causing
certificate errors.
Allowing it to pass to the original server based on the first packet
being detected as a secure connection may be possible thou.
> On Tue, Dec 8, 2009 at 6:54 AM, Andrew Cox <andrew@accessplus.com.au> wrote:
>
>> I would be interested to hear what people have to say about this, as the
>> only other option I could think of would involve checking the incoming
>> connection to see if the end user was trying to authenticate to a mail
>> server before determining where to forward the connection onto (Layer 7
>> stuff, gets a bit tricky)
>>
>
>
>
>
