Owen wrote:
>On Oct 25, 2011, at 3:29 AM, <Valdis.Kletnieks at vt.edu> wrote:
>
>> On Tue, 25 Oct 2011 02:35:31 PDT, Owen DeLong said:
>>
>>> If they are using someone else's mail server for outbound, how, exactly, do
>>> you control whether or not they use AUTH in the process?
>>
>> 1) You don't even really *care* if they do or not, because...
>>
>> 2) if some other site is running with an un-AUTHed open port 587, the
>> miscreants will find it and abuse it just like any other open mail relay.
>> The community will deal with it quick enough so you don't have to. And at
>> that point, it's the open mail relay's IP that ends up on the block lists,
>> not your mail relay's IP.
>>
>But that applies to port 25 also, so I'm not understanding the difference.
>
>> Other people running open port 587s tend to be quite self-correcting.
>>
>
>At this point, so do open port 25s.
>
>Owen
I'll try to explain with text stick-diagrams...

The players are:

  G - good user
  B - botnet host
  I - ISP
  O - open relay
  S - mail-submission relay
  V - victim SMTP/mailbox host

It's all about how port-25 traffic containing SPAM gets to machine "V".
(Or not, which is the preferred situation.)

Possible routes include:

  B.25  -> (I allows 25) -> O -> V   (classic open relay)                                   [SPAM]
  B.25  -> (I allows 25) -> V        (new mode, and what William Herrin is talking about)   [SPAM]
  B.587 -> (I !allow 25) -> V        (but that makes no sense - how does B authenticate
                                      to the victim? She doesn't!!)                         [BLOCKED]
  B.587 -> (I !allow 25) -> S        (ditto - not an open unauthenticated relay, only
                                      allows authenticated relaying!!!)                     [BLOCKED]

Meanwhile, we have:

  G.587 -> (I !allow 25) -> S.g.587/.25 (mail submission gateway for G) -> V.25   [NOT-SPAM && NOT-BLOCKED]

S.g is either G's enterprise mail server, or G's home mail server, or G's ISP
themselves, or some other S to which G can authenticate. S.g receives on 587,
and sends on 25, and is a generally reputable port-25 host (whatever that means).

So, basically, not blocking 587 and blocking 25 removes all the avenues for
direct botnet spam. Authenticating botnet sources become trackable on
auth-hosts, and easy to shut down.

Is there some path not listed above that could allow a spammer (botnet host)
behind the ISP to send email, without having a relay host to which it can
authenticate, that I'm not seeing?

Brian
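The routes in Brian's diagram, as an added example that is not part of the thread: a small Python model of the ISP egress filter plus each host's per-port policy (open relay, authenticated submission, or local-mailbox-only), walked hop by hop. Host names, domains and credentials are constructed for illustration.

```python
"""Model of the submission-vs-relay paths from the diagram above.
Hosts, domains and credentials below are constructed, not real."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    domain: str
    # per-port behaviour: "open_relay" (relays for anyone), "auth_relay"
    # (relays only with valid creds), "mailbox" (accepts only its own domain)
    ports: dict = field(default_factory=dict)
    creds: set = field(default_factory=set)  # accepted (user, password) pairs


def accepts(host, port, rcpt_domain, cred):
    """Return (accepted, reason) for one message offered to host:port."""
    mode = host.ports.get(port)
    if mode is None:
        return False, f"{host.name}:{port} closed"
    if mode == "mailbox":
        return rcpt_domain == host.domain, f"{host.name}:{port} local-only"
    if mode == "open_relay":
        return True, f"{host.name}:{port} relays for anyone"
    if mode == "auth_relay":
        return cred in host.creds, f"{host.name}:{port} requires AUTH"
    raise ValueError(f"unknown port policy {mode!r}")


def trace(hops, rcpt_domain, isp_blocked_ports, cred=None):
    """Walk (host, port) hops. The ISP egress filter applies to the first hop
    only (the sender is behind the ISP); relays forward with no user creds."""
    log = []
    for i, (host, port) in enumerate(hops):
        if i == 0 and port in isp_blocked_ports:
            log.append(f"ISP blocks outbound {port}")
            return "BLOCKED", log
        ok, why = accepts(host, port, rcpt_domain, cred)
        log.append(why)
        if not ok:
            return "BLOCKED", log
        cred = None  # next hop is relay-to-relay, user's AUTH is not reused
    return "DELIVERED", log


# Constructed hosts: V = victim, O = open relay, S = G's submission gateway.
V = Host("V", "victim.example", {25: "mailbox", 587: "auth_relay"}, {("alice", "pw")})
O = Host("O", "relay.example", {25: "open_relay"})
S = Host("S.g", "home.example", {25: "mailbox", 587: "auth_relay"}, {("good", "pw")})
ROUTES = {
    "B.25 -> O -> V": [(O, 25), (V, 25)],
    "B.25 -> V": [(V, 25)],
    "B.587 -> V": [(V, 587)],
    "B.587 -> S": [(S, 587), (V, 25)],
    "G.587 -> S.g -> V.25": [(S, 587), (V, 25)],
}


def outcomes(isp_blocked_ports, cred=None):
    """Outcome of every route under one ISP policy and one set of creds."""
    return {n: trace(h, "victim.example", isp_blocked_ports, cred)[0] for n, h in ROUTES.items()}
```

Running `outcomes(set())` versus `outcomes({25})` shows the two botnet routes that deliver when the ISP allows port 25 both become BLOCKED once 25 is filtered, while `outcomes({25}, ("good", "pw"))` still delivers the authenticated G route.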