Dear DNS Experts, This post is intended for discussion.
The ISP I work for has HUGE dynamic IP pools that are full of spammers (of course). This huge volume of spam is actually influencing the decision of some of the international providers whether to give us links or not, let alone the bad reputation, RBL listings etc.

As a solution the routing team was thinking of blocking outgoing port 25, as some ISPs do. However, I do not see this as a valid solution for many reasons, such as clients that have email servers outside, or, if it is decided to redirect to spam filters, that will just cost the company too much.

Luckily we have two sets of DNS server farms: one that serves static IP users and one that is dedicated only to dynamic IP users. The idea I have proposed is to deny these dynamic users from performing MX queries. So instead of blocking port 25 we can redirect the DNS port to the DNS farm that is dedicated to dynamic users; that will guarantee that no standard-port DNS queries are forwarded to external servers. Then we will block the MX and root queries for those dynamic clients. That will prevent them from using a locally installed DNS service on their machines or querying MX records for targets they want to send spam to.

Of course there will still be some challenges, e.g. if some spammers know the A record of the mail server they want to connect to, if they use the IP address of the targeted mail server, or if they use open DNS that works on non-standard ports, but then again I believe these users will stand out and will be identified more easily.

I would appreciate any comments you may have.

Sincerely,
Wael

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
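The post argues that dynamic-pool hosts issuing MX queries "will stand out". As an added illustration (not part of the original post or of BIND), the script below reads BIND 9 querylog lines, keeps only MX lookups from clients inside the listed dynamic pools, and reports the clients above a threshold. The querylog field layout is assumed from typical BIND 9 output, and the sample log is constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Query line as BIND 9 writes it to a querylog channel (assumed format: an optional
# "@0x..." client handle in newer versions, an optional "(qname)" after the port,
# then "query: <name> IN <type>"). The sample log further down is constructed.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9.]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

def parse_query(line):
    """Return (client_ip, qname, qtype) for a querylog line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")

def mx_talkers(lines, dynamic_pools, threshold):
    """Map client IP -> (MX query count, distinct qnames) for clients inside one of
    the dynamic pools that issued at least `threshold` MX queries. An ordinary mail
    client behind the ISP resolver does not look up MX records itself."""
    nets = [ipaddress.ip_network(p) for p in dynamic_pools]
    counts, names = Counter(), defaultdict(set)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None or parsed[2] != "MX":
            continue
        ip, name, _ = parsed
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        counts[ip] += 1
        names[ip].add(name)
    return {ip: (n, len(names[ip])) for ip, n in counts.items() if n >= threshold}

# Constructed sample: 192.0.2.0/24 stands in for a dynamic pool, 198.51.100.0/24 for static.
SAMPLE_LOG = """\
03-Mar-2014 09:00:01.101 queries: info: client 192.0.2.10#51234 (example.net): query: example.net IN MX +E (10.1.1.1)
03-Mar-2014 09:00:01.102 queries: info: client 192.0.2.10#51235 (example.org): query: example.org IN MX +E (10.1.1.1)
03-Mar-2014 09:00:01.103 queries: info: client 192.0.2.10#51236 (example.com): query: example.com IN MX +E (10.1.1.1)
03-Mar-2014 09:00:01.104 queries: info: client 192.0.2.11#40001 (www.example.com): query: www.example.com IN A +E (10.1.1.1)
03-Mar-2014 09:00:01.105 queries: info: client 198.51.100.5#40002 (example.net): query: example.net IN MX +E (10.1.1.1)
03-Mar-2014 09:00:01.106 queries: info: client 192.0.2.12#40004 (example.com): query: example.com IN MX +E (10.1.1.1)
"""

if __name__ == "__main__":
    for ip, (n, d) in mx_talkers(SAMPLE_LOG.splitlines(), ["192.0.2.0/24"], 3).items():
        print(f"{ip}: {n} MX queries across {d} domains")  # 192.0.2.10: 3 MX queries across 3 domains
```

Run it against the real querylog of the dynamic-pool farm (with the actual pool prefixes) to get a per-client list before deciding on any blocking; the static-pool client and the A-record lookup in the sample are deliberately ignored.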