Dear Wael,

In what way is blocking port 25 any worse than blocking MX/root queries for clients? Both solutions neglect the fact that spam is not a technical problem. Some ISPs think it is a good idea to forward you to a search web page when you misspell some URL; this is done via DNS. Obviously, if the customer dislikes this, the customer will (and can) use his/her own recursor, stupidity of ISP solved - if the ISP would prevent the customer from doing this, the customer might not be a customer any longer.
Just my 2 cents.

-Sven

On Sun, January 31, 2010 14:25, Wael Shaheen wrote:
> Dear DNS Experts,
>
> This post is intended for discussion.
>
> The ISP I work for has HUGE dynamic IP pools that are full of spammers (of
> course). This huge volume of spam is actually influencing the decision of
> some of the international providers whether to give us links or not, let
> alone the bad reputation and RBL listings etc...
> As a solution the routing team was thinking to block port 25 for outgoing as
> some ISPs do. However, I do not see this as a valid solution for many
> reasons, such as clients that have email servers outside, or, if it is
> decided to redirect them to spam filters, that will just cost the company
> too much.
>
> Luckily we have two sets of DNS server farms; one that is serving static IP
> users and one that is dedicated only to dynamic IP users. The idea I have
> proposed is to deny these dynamic users from performing MX queries.
>
> So instead of blocking port 25 we can redirect the DNS port to the DNS farm
> that is dedicated to dynamic users; that will guarantee that no standard
> DNS port forwarded queries are going to external servers. Then we will block
> the MX and root queries for those dynamic clients.
> That will prevent them from using a locally installed DNS service on their
> machines or querying MX records for targets they want to send spam to.
>
> Of course there will still be some challenges, like if some spammers know
> the A record of the mail server they want to connect to, or if they used the
> IP address of the targeted mail server, also if they used open DNS that
> works on non-standard ports, but then again I believe these users will stand
> out and will be identified more easily.
>
> I would appreciate any comments you may have.
>
> Sincerely,
> Wael
>
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
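As an added illustration of Wael's point that clients who bypass the resolver-based MX block "will stand out", here is a small detection script (not from the thread, and not ISC or BIND code) that flags dynamic-pool hosts which open SMTP connections without an MX lookup through the ISP farm, or which send DNS to resolvers outside the farm. The log formats, address ranges and sample records are constructed assumptions.

```python
import ipaddress

# All ranges, addresses and log formats below are constructed assumptions.
DYNAMIC_POOL = ipaddress.ip_network("10.20.0.0/16")  # assumed dynamic pool
ISP_RESOLVERS = {"10.0.0.53", "10.0.1.53"}           # assumed dynamic-farm IPs

# Constructed resolver query log from the dynamic farm: client qname qtype
DNS_LOG = """\
10.20.1.5 example.com MX
10.20.1.5 mail.example.com A
10.20.3.9 example.org A
10.20.7.7 example.net A
"""

# Constructed flow records from the edge: src dst dst_port proto
FLOW_LOG = """\
10.20.1.5 192.0.2.10 25 tcp
10.20.3.9 192.0.2.20 25 tcp
10.20.7.7 198.51.100.53 53 udp
10.20.7.7 192.0.2.30 25 tcp
10.20.9.1 192.0.2.40 443 tcp
10.30.0.4 192.0.2.50 25 tcp
"""


def mx_clients(dns_log):
    """Clients that resolved at least one MX record through the ISP farm."""
    clients = set()
    for line in dns_log.splitlines():
        client, _qname, qtype = line.split()
        if qtype == "MX":
            clients.add(client)
    return clients


def flag_hosts(dns_log, flow_log):
    """Map each dynamic-pool host to the sorted reasons it stands out."""
    resolved_mx = mx_clients(dns_log)
    findings = {}
    for line in flow_log.splitlines():
        src, dst, port, _proto = line.split()
        if ipaddress.ip_address(src) not in DYNAMIC_POOL:
            continue  # static users are served by the other farm; skip them
        reasons = findings.setdefault(src, set())
        if port == "25" and src not in resolved_mx:
            reasons.add("smtp-without-mx")    # knew the A record or the IP
        if port == "53" and dst not in ISP_RESOLVERS:
            reasons.add("external-resolver")  # own recursor or open DNS
    return {host: sorted(r) for host, r in findings.items() if r}
```

A single MX lookup clears a client for the whole log here; a production version would key the check on the destination mail server and bound it in time.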