On Tue, Sep 4, 2012 at 6:07 AM, Ibrahim <ibrah...@gmail.com> wrote:
> I've read the old archive about blocking the SMTP port (TCP port 25). In my current
> situation we are a mobile operator and use NAT for our subscribers, and we
> have a few spammers; it is a bit difficult to track them because mostly our
> subscribers are on prepaid services. If we block TCP port 25, there might be
> "good" subscribers who will not be able to send email.

Hi,

There are no "good" subscribers trying to send email direct to a remote port 25 from behind a NAT. The "good" subscribers are either using your local smart host or they're using TCP port 587 on their remote mail server. You may safely block outbound TCP with a destination of port 25 from behind your NAT without harming reasonable use of your network.

> We are thinking of blocking MX queries on our DNS server, so only spammers that
> use their own SMTP server will get affected. All DNS queries from our
> subscribers are already redirected to our DNS cache servers. But it seems BIND
> doesn't have a feature to block MX queries. Any best practice to block MX queries?

Best practice is: don't mess with the DNS.

I don't know if any resolver software supports what you want to do here. If it does, I don't know what the repercussions are likely to be. I do know that historically, altering DNS results has proven problematic. For example, returning an A record for your search server in place of no-host responses wreaks all manner of havoc.

I also doubt the efficacy of the method. Were this to become common practice, a spammer could trivially evade it by using his own DNS software or simply pumping out the address list along with pre-resolved IP addresses to deliver the mail to. For all I know, they already do.

Regards,
Bill Herrin

--
William D. Herrin ................ her...@dirtside.com b...@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
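The egress policy Bill describes (subscribers behind the NAT may reach the operator's own smart host on port 25 and any remote server on submission port 587, but not arbitrary remote port 25), together with a simple flow-log heuristic for spotting the direct-to-MX fan-out that the original poster is trying to track down. This is an added example, not code from the thread or from either participant; the subscriber pool, smart-host address and flow records are constructed placeholders (RFC 6598 and documentation ranges), and `egress_decision` / `direct_smtp_fanout` are names chosen here.

```python
"""Egress policy for port 25 behind a carrier NAT, plus a flow-log heuristic.

Added example for the mailing-list thread above; not part of the original
post. All addresses and flow records below are constructed placeholders.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed values: the subscriber NAT pool and the operator's own smart host.
SUBSCRIBER_POOL = ip_network("100.64.0.0/10")   # RFC 6598 shared CGN range
SMART_HOST = ip_address("203.0.113.25")          # TEST-NET-3 placeholder
SMTP_PORT = 25
SUBMISSION_PORT = 587


def egress_decision(src: str, dst: str, dport: int) -> str:
    """Return "allow" or "deny" for one outbound TCP flow.

    Policy from the thread: NAT'd subscribers may talk to the operator's smart
    host on port 25 and to any remote server on 587 (authenticated submission),
    but may not open port 25 directly to arbitrary remote hosts.
    """
    s, d = ip_address(src), ip_address(dst)
    if s not in SUBSCRIBER_POOL:
        return "allow"                      # policy only covers NAT'd subscribers
    if dport == SMTP_PORT:
        return "allow" if d == SMART_HOST else "deny"
    return "allow"                          # 587 and everything else unaffected


# Constructed NetFlow-style records: (src, dst, dport, packets)
FLOWS = [
    ("100.64.1.10", "203.0.113.25", 25, 40),   # legit: operator's smart host
    ("100.64.1.11", "198.51.100.7", 587, 30),  # legit: submission to remote provider
    ("100.64.9.9",  "192.0.2.1",    25, 3),    # direct-to-MX fan-out from one source
    ("100.64.9.9",  "192.0.2.2",    25, 3),
    ("100.64.9.9",  "192.0.2.3",    25, 3),
    ("100.64.9.9",  "192.0.2.4",    25, 3),
    ("100.64.1.12", "192.0.2.9",    25, 2),    # single misconfigured client
]


def direct_smtp_fanout(flows, threshold=3):
    """Map subscriber source -> number of distinct remote port-25 targets, for
    sources at or above `threshold`. A client delivering straight to many MX
    servers shows high fan-out; a single destination is more likely a
    misconfigured mail client and is left out of the result."""
    targets = defaultdict(set)
    for src, dst, dport, _packets in flows:
        if (dport == SMTP_PORT
                and ip_address(src) in SUBSCRIBER_POOL
                and ip_address(dst) != SMART_HOST):
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def blocked_flows(flows):
    """Flows that the egress policy would deny; useful to preview the impact
    of the filter on a real flow export before enabling it."""
    return [f for f in flows if egress_decision(f[0], f[1], f[2]) == "deny"]


if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f[0]:>12} -> {f[1]:>14}:{f[2]:<4} {egress_decision(f[0], f[1], f[2])}")
    print("high fan-out sources:", direct_smtp_fanout(FLOWS))
```

Running the block against a real flow export (replacing `FLOWS`) previews which sessions the port-25 filter would drop before it is deployed; the fan-out count is the signal that separates a spam client from an ordinary misconfigured one, and the list of offending sources is more useful for abuse handling on prepaid accounts than a blanket DNS change.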