> Yeah, I threw it in as an afterthought. ISP firewalls do exist and not just small isolated incidents. I wish more money had gone into making them much more adaptive, then you could enjoy your tcp/25 and possibly not have a problem unless your traffic patterns drew concerns and caused an adaptive filter to block it (eh? thousands of emails suddenly to a variety of servers? block). Interestingly, adaptive filters are often used for probing scans (and we didn't apply them to tcp/25, why?)
>
> Jack

Maybe because it is just easier to do a transparent redirect to the ISP's mail server and look for patterns there. Some customer drops a bazillion email messages from a bazillion From: addresses in 14.7 seconds ... chances are you have a spam candidate. If the spam filter flags a lot (all?) of the messages as possible spam, queue them to the quarantine until someone can have a look and if they are, dismiss the customer and send them up the road OR inform them that they are possibly bot-net infected and block access to port 25 from them until they get it cleaned up.
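
The pattern check described in this reply, sketched as an added example that is not part of the original post: a sliding-window detector over the relay's accepted-message records that flags a customer only when both message volume and the number of distinct From addresses spike. The record layout, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Illustrative thresholds (assumptions, not values from the thread).
WINDOW_SECONDS = 15
MAX_MESSAGES = 100
MAX_DISTINCT_SENDERS = 20


def flag_bulk_senders(records, window=WINDOW_SECONDS,
                      max_msgs=MAX_MESSAGES, max_senders=MAX_DISTINCT_SENDERS):
    """records: iterable of (epoch_seconds, customer_ip, envelope_from).

    Returns {customer_ip: time_of_first_trigger} for customers that exceed
    BOTH thresholds inside one sliding window. Flagged customers are
    candidates for the quarantine queue and human review, not auto-blocking.
    """
    recent = defaultdict(deque)   # ip -> (ts, sender) pairs still in window
    flagged = {}
    for ts, ip, sender in sorted(records):
        q = recent[ip]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:
            q.popleft()           # expire entries older than the window
        if ip in flagged:
            continue
        if len(q) > max_msgs and len({s for _, s in q}) > max_senders:
            flagged[ip] = ts
    return flagged


def build_sample():
    """Constructed traffic for three customers (documentation addresses)."""
    records = []
    # Ordinary user: 30 messages over an hour, one From address.
    for i in range(30):
        records.append((1000 + i * 120, "192.0.2.10", "alice@example.com"))
    # Burst with a different From on every message: the spam candidate.
    for i in range(500):
        records.append((5000 + i * 0.03, "192.0.2.66", f"user{i}@example.net"))
    # Legitimate list run: high volume, but a single From address.
    for i in range(300):
        records.append((7000 + i * 0.03, "192.0.2.20", "list@example.org"))
    return records


if __name__ == "__main__":
    for ip, ts in flag_bulk_senders(build_sample()).items():
        print(f"{ip}: queue to quarantine for review (triggered at t={ts:.2f})")
```

Requiring both conditions keeps a high-volume list run from a single address out of the review queue, which volume counting alone would flag.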