Aaron Wolfe wrote:
Blocking outbound SMTP traffic from sources other than your mail server will prevent you from being blacklisted, plain and simple, unless of course you are sending spam from your mail server.
It's not that simple. Blocking outbound SMTP traffic keeps you off 99% of blacklists, those that blacklist you based on mail received. We have had no problem to date in achieving this, because we block outgoing SMTP as you described.
The last 1% of the blacklists are wider in their detection of network abuse, and will blacklist an IP based on portscanning or DoS, and various other unsavory things typically committed by trojans that are inserted by ignorant users, and that represent a constant battle to keep off the network.
The vast majority of the net chooses blacklists carefully, choosing from the 99% of blacklists that block based on mail. A small subset of ISPs however choose to throw caution to the wind and include that 1% of aggressive blacklists in their mail filtering configurations, causing mail to consistently bounce when sent to certain key email addresses.
This causes end users to ask why it is that mail works for everybody else, but doesn't want to work when they try to email that particular client at that particular ISP.
(By way of an example we found recently, one particular ISP had decided to reduce the maximum email size when the sender IP was blocked by at least one of a list of 125 blacklists. The IP was on 1 out of the 125 lists, and so all mails larger than 1MB were bounced. No, I don't understand for a second the twisted logic that led this ISP to create this configuration, but the client insisted on staying with that ISP, and we had to work around the problem or not communicate with that client).
I don't know exactly what you are talking about with the port scans, but if you are scanning other people's networks without their permission, do expect to be blocked. If you are allowing your users to do the same, expect to be blocked. Why do you not simply block this before it leaves your network, like (almost) everyone else does?
Because it makes no difference - if an end user can access an outgoing port, then that end user's machine can portscan across IPs on that port, or simply DDoS to a specific accessible port on an accessible IP.
As long as a user can see the net, a trojan can see the net too. It is that simple.
Regards, Graham --
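The policy the thread describes (only the mail server may speak to tcp/25 outbound) and Graham's point that a blocked port does not stop a trojan from sweeping the ports that stay open can both be shown in a few lines. The following is an added illustration written for this post, not code from either participant. It expresses the egress rule as a function, then runs a simple detector over constructed netfilter-style LOG lines to pick out hosts that repeatedly hit the tcp/25 block or that fan out to many destinations on an allowed port. The addresses, the MAIL_SERVERS and LOCAL_NET values, the log line format and the thresholds are all assumptions for the example; a real deployment would log NEW connections (not just drops) to get the flow records the sweep check needs.

```python
"""Egress SMTP policy plus a small detector for hosts that trip it.

Illustrative code added to this mailing-list thread; not the poster's own.
All log lines are constructed in the shape of netfilter LOG output.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAIL_SERVERS = {ip_address("192.0.2.25")}   # assumed: the site's only legitimate MTA
LOCAL_NET = ip_network("192.0.2.0/24")      # assumed: the customer/LAN range we route for
SMTP_PORTS = {25}                           # 587/465 are authenticated submission and stay open here


def egress_verdict(src, proto, dport):
    """Return "ACCEPT" or "DROP" for an outbound flow leaving LOCAL_NET.

    Only MAIL_SERVERS may open tcp/25 to the outside; everything else
    (web, submission on 587, DNS, ...) is allowed, which is exactly why
    an infected host can still sweep those ports.
    """
    src = ip_address(src)
    if src not in LOCAL_NET:
        return "DROP"  # not our address space: never forward it
    if proto == "tcp" and dport in SMTP_PORTS and src not in MAIL_SERVERS:
        return "DROP"
    return "ACCEPT"


# Fields as a netfilter LOG target prints them; the surrounding text is ignored.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*PROTO=(\w+) .*DPT=(\d+)")


def parse_log(lines):
    """Yield (src, dst, proto, dport) for every line that carries the fields."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower(), int(m.group(4))


def suspect_hosts(lines, smtp_threshold=5, scan_threshold=10):
    """Flag local hosts that (a) keep trying tcp/25 despite the block, which is
    the classic spam-trojan signature, or (b) touch many distinct destinations
    on one port, which is a sweep on a port the egress policy lets through."""
    smtp_hits = defaultdict(int)
    targets = defaultdict(set)          # (src, dport) -> distinct dst addresses
    for src, dst, proto, dport in parse_log(lines):
        if proto == "tcp" and dport in SMTP_PORTS and egress_verdict(src, proto, dport) == "DROP":
            smtp_hits[src] += 1
        targets[(src, dport)].add(dst)

    report = {}
    for src, n in smtp_hits.items():
        if n >= smtp_threshold:
            report.setdefault(src, []).append(f"{n} blocked direct-to-MX attempts")
    for (src, dport), dsts in targets.items():
        if len(dsts) >= scan_threshold:
            report.setdefault(src, []).append(f"{len(dsts)} distinct hosts on tcp/{dport} (sweep)")
    return report


# Constructed sample: a workstation hitting six remote MXs on tcp/25, the real MTA
# doing its job, a second workstation sweeping an external /24 on tcp/80, and
# one ordinary HTTPS connection.
SAMPLE_LOG = [
    *[f"kernel: EGRESS SRC=192.0.2.77 DST=198.51.100.{i} LEN=60 PROTO=TCP SPT={40000 + i} DPT=25"
      for i in range(1, 7)],
    "kernel: EGRESS SRC=192.0.2.25 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=41000 DPT=25",
    *[f"kernel: EGRESS SRC=192.0.2.88 DST=203.0.113.{i} LEN=60 PROTO=TCP SPT={50000 + i} DPT=80"
      for i in range(1, 13)],
    "kernel: EGRESS SRC=192.0.2.10 DST=203.0.113.200 LEN=60 PROTO=TCP SPT=52000 DPT=443",
]

if __name__ == "__main__":
    for host, reasons in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(host, "->", "; ".join(reasons))
```

On the sample data the tcp/25 block catches 192.0.2.77 and leaves the MTA alone, while 192.0.2.88 is flagged purely from its fan-out on tcp/80, a port the policy must leave open; that is the gap Graham is describing, and the only way to close it from the firewall side is to watch connection behaviour rather than to block more ports.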