[77075] in North American Network Operators' Group


Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)

daemon@ATHENA.MIT.EDU (Steven Champeon)
Wed Jan 12 14:08:46 2005

X-Received-From: schampeo@habanero.hesketh.net
X-Delivered-To: <nanog@merit.edu>
Date: Wed, 12 Jan 2005 14:07:06 -0500
From: Steven Champeon <schampeo@hesketh.com>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <Pine.CYG.4.58.0501121238410.3628@citabria>
Errors-To: owner-nanog-outgoing@merit.edu


on Wed, Jan 12, 2005 at 12:41:44PM -0600, Adi Linden wrote:
> > 0) for the love of God, Montresor, just block port 25 outbound already.
> 
> What is wrong with dedicating port 25 to server to server communication
> with some means of authentication (DNS?) to ensure that it is indeed a
> valid mail server?

Nothing at all. That's more or less what I proposed, though I'd prefer
to see something TODAY, like the easily implemented rDNS fix, rather
than wait any longer for SPF/DomainKeys/etc. to go through a zillion
rounds of argument. As it stands, I reject a rather large percentage of
the spam delivery attempts here using generic rDNS as a basis. (Either
in the rDNS of the connecting host itself or in the HELO; the latter is
responsible for ~75%-80% of the rejections, assumed to be almost
entirely zombie-originated).

> Mail clients should be using port 587 to submit messages to their
> local MTA.

Agreed.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
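As an added illustration of the rejection basis described in the reply above (generic rDNS on the connecting host, or a generic name in the HELO), here is example code that is not the poster's own implementation; the label list, the embedded-address test and the sample sessions are all constructed for this example.

```python
import re
from collections import Counter

# Constructed pattern list for this example: labels ISPs commonly use for
# dynamically assigned or unnamed customer hosts. Not the poster's own rules.
GENERIC_LABELS = re.compile(
    r"(^|[.-])(dhcp|dyn|dynamic|ppp|pppoe|dsl|adsl|cable|dialup|pool|host|user|client)"
    r"([.-]|\d|$)", re.IGNORECASE)
# Four dotted/dashed 1-3 digit groups: 192-0-2-77.example.net, cpe-77.2.0.192.example.net, [192.0.2.77]
EMBEDDED_IP = re.compile(r"(?<!\d)(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?!\d)")

def embeds_ip(name, ip):
    """True if the name carries the connecting IPv4 address, forwards or reversed."""
    octets = ip.split(".")
    for m in EMBEDDED_IP.finditer(name):
        groups = list(m.groups())
        if groups == octets or groups[::-1] == octets:
            return True
    return False

def is_generic(name, ip):
    """Generic means a dynamic-style label or the client's own IP inside the name."""
    if not name:
        return False  # nothing to judge; a missing PTR is a separate policy question
    return bool(GENERIC_LABELS.search(name)) or embeds_ip(name, ip)

def decide(ip, rdns, helo):
    """Return (action, reason) for one connection; rdns is None when no PTR exists."""
    if is_generic(rdns, ip):
        return ("reject", "generic rDNS")
    if is_generic(helo, ip):
        return ("reject", "generic HELO")
    return ("accept", "ok")

def tally(sessions):
    """Count outcomes over (ip, rdns, helo) triples to see which check fires most."""
    return Counter(decide(*s)[1] for s in sessions)

# Constructed sample sessions: documentation-range addresses, invented names
SESSIONS = [
    ("192.0.2.77", "192-0-2-77.dyn.example.net", "192-0-2-77.dyn.example.net"),
    ("198.51.100.10", "mail.example.org", "mail.example.org"),
    ("203.0.113.5", "relay5.example.com", "[203.0.113.5]"),
    ("203.0.113.9", None, "cpe-9.113.0.203.isp.example"),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s[0], *decide(*s))
```

The operational risk of this approach is false positives: a legitimate server whose operator never set a descriptive PTR record, or whose HELO is an address literal, is rejected by the same test, so the reason strings are worth logging per rejection.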
