[145900] in North American Network Operators' Group
Re: Outgoing SMTP Servers
daemon@ATHENA.MIT.EDU (Blake Hudson)
Tue Oct 25 22:36:19 2011
Date: Tue, 25 Oct 2011 21:35:20 -0500
From: Blake Hudson <blake@ispn.net>
To: nanog@nanog.org
In-Reply-To: <4EA76F82.9040508@namor.ca>
J wrote the following on 10/25/2011 9:25 PM:
> Blake Hudson wrote:
>> If
>> 587 becomes popular, spammers will move on and the same ISPs that
>> blocked 25 will follow suit.
> I don't see this happening as easily. Authenticated means an easier
> shutdown of an account, rather than some form of port block/etc.

An infected machine can just as easily send out mail on port 587 as it
can using port 25. It's not hard for botnet herders to come up with a
list of valid credentials stolen from email clients, via key loggers, or
simply guessed through probability. I see it every day.

I will shut down a compromised account on my end, but that doesn't stop
ATT's infected subscriber from spamming 100 other servers using 100
other stolen credentials. I may also send an abuse report to ATT if they
have an infected machine trying to perform a dictionary attack or brute
force logins against my port 587 SMTP server. ATT's going to deal with
the abuse reports as cheaply as possible. If they receive enough, I have
no doubt they'll repeat past mistakes.
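
Added example, not part of the original message: a sketch of how a submission-server operator could separate the two signals the message describes, a source IP guessing passwords on port 587 (abuse-report material) and an account authenticating from many sources (a candidate for shutdown). The Postfix-style log lines, addresses, account names and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Postfix-style syslog format (an assumption;
# adapt the patterns to the MTA actually in use). IPs are documentation ranges.
SAMPLE_LOG = """\
Oct 25 21:00:01 mx postfix/submission/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 25 21:00:02 mx postfix/submission/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 25 21:00:03 mx postfix/submission/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 25 21:00:04 mx postfix/submission/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 25 21:01:10 mx postfix/submission/smtpd[2107]: warning: unknown[192.0.2.44]: SASL PLAIN authentication failed: generic failure
Oct 25 21:02:00 mx postfix/submission/smtpd[2110]: 4F1A2C0: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.net
Oct 25 21:03:00 mx postfix/submission/smtpd[2111]: 5A2B3D1: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob@example.net
Oct 25 21:03:30 mx postfix/submission/smtpd[2112]: 5A2B3D2: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=bob@example.net
Oct 25 21:04:00 mx postfix/submission/smtpd[2113]: 5A2B3D3: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=bob@example.net
"""

FAIL_RE = re.compile(
    r"postfix/submission/smtpd\[\d+\]: warning: \S+\[([0-9a-fA-F.:]+)\]: "
    r"SASL \S+ authentication failed")
OK_RE = re.compile(
    r"postfix/submission/smtpd\[\d+\]: \w+: client=\S+\[([0-9a-fA-F.:]+)\], "
    r"sasl_method=\S+, sasl_username=(\S+)")


def analyze(lines, fail_threshold=3, ip_threshold=3):
    """Return (guessing_ips, shared_accounts) from submission-port log lines.

    guessing_ips: sources with >= fail_threshold failed SASL logins.
    shared_accounts: usernames that authenticated from >= ip_threshold
    distinct source IPs. Both thresholds are illustrative, not tuned.
    """
    failures = Counter()
    sources = defaultdict(set)
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = OK_RE.search(line)
        if m:
            sources[m.group(2).lower()].add(m.group(1))
    guessing = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    shared = sorted(u for u, ips in sources.items() if len(ips) >= ip_threshold)
    return guessing, shared


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```
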