On Wed, Aug 6, 2008 at 7:57 PM, Graham Leggett <[EMAIL PROTECTED]> wrote:
> Aaron Wolfe wrote:
>
>> Blocking outbound SMTP traffic from sources other than your mail server
>> will prevent you from being blacklisted, plain and simple, unless of course
>> you are sending spam from your mail server.
>>
>
> It's not that simple.
>
> Blocking outbound SMTP traffic keeps you off 99% of blacklists, that
> blacklist you based on mail received. We have had no problem to date in
> achieving this, because we block outgoing smtp as you described.
>
> The last 1% of the blacklists are more wide in their detection of network
> abuse, and will blacklist an IP based on portscanning or DoS, and various
> other unsavory things typically committed by trojans that are inserted by
> ignorant users, and that represent a constant battle to keep off the
> network.
>
> The vast majority of the net chooses blacklists carefully, choosing from
> the 99% of blacklists that block based on mail. A small subset of ISPs
> however choose to throw caution to the wind and include that 1% of
> aggressive blacklists to their mail filtering configurations, causing mail
> to consistently bounce when sent to certain key email addresses.
>
> This causes end users to ask why is it that mail works for everybody else,
> but doesn't want to work when they try email that particular client at that
> particular ISP.
>
> (By way of an example we found recently, one particular ISP had decided to
> reduce the maximum email size when the sender IP was blocked by at least one
> of a list of 125 blacklists. The IP was on 1 out of the 125 lists, and so
> all mails larger than 1MB were bounced. No I don't understand for a second
> the twisted logic that led this ISP to create this configuration, but the
> client insisted on staying with that ISP, and we had to work around the
> problem or not communicate with that client).
>
>> I don't know exactly what you are talking about with the port scans, but
>> if you are scanning other people's networks without their permission, do
>> expect to be blocked. If you are allowing your users to do the same, expect
>> to be blocked. Why do you not simply block this before it leaves your
>> network, like (almost) everyone else does?
>>
>
> Because it makes no difference - if an end user can access an outgoing
> port, then that end user's machine can portscan across IPs on that port, or
> simply DDoS to a specific accessible port on an accessible IP.
>

Why can your end users "access an outgoing port"? You are not addressing this problem at its source. Police your outbound traffic. If it's from an end user and it isn't bound for port 80 or 443, why are you allowing the traffic to leave your network? There will be a few necessary exceptions, but generally that's a good starting place.

At first I was thinking, wtf, I've never heard of these blacklists you mention. But perhaps that's because no network I administer has ever been listed on them?

This discussion is not relevant here on the postfix list. If you are interested in securing your network and controlling the traffic coming out of it, there are better forums or feel free to contact me directly.

> As long as a user can see the net, a trojan can see the net too. It is that
> simple.
>
> Regards,
> Graham
> --
>
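The two points argued above (only the mail server may speak port 25 outbound, end users get 80 and 443 only, and a trojaned user machine that reaches the net will port-scan it) can be checked against flow logs from the border. The script below is an added example written for this thread, not code from either poster. It assumes a constructed layout: user address space 192.0.2.0/24, a mail server at 192.0.2.10, and flow records in a made-up `src dst dport proto` format. It reports which flows the egress policy would have dropped and which internal hosts touched many distinct external hosts on one port, the behaviour the aggressive blacklists react to.

```python
"""Egress policy check and scan detection over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed network layout (assumption, not from the thread).
USER_NET = ipaddress.ip_network("192.0.2.0/24")
MAIL_SERVER = ipaddress.ip_address("192.0.2.10")

# Ports end users may reach on the internet; everything else is dropped at
# the border. Real deployments add a few exceptions (resolver, NTP, VPN).
USER_ALLOWED_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst dport proto' record (constructed log format)."""
    src, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto)


def egress_verdict(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow leaving USER_NET."""
    if flow.dst in USER_NET:
        return "allow"          # internal traffic, not egress
    if flow.src == MAIL_SERVER and flow.dport == 25:
        return "allow"          # only the MTA may talk SMTP outbound
    if flow.proto == "tcp" and flow.dport in USER_ALLOWED_PORTS:
        return "allow"          # ordinary web traffic from users
    return "deny"               # direct SMTP from users, SMB, scans, ...


def egress_violations(lines):
    """Flows the policy would drop; feed these to your firewall log review."""
    return [f for f in map(parse_flow, lines) if egress_verdict(f) == "deny"]


def scan_suspects(lines, min_targets=8):
    """Internal sources that reached >= min_targets distinct external hosts
    on a single port: the footprint of a scanning trojan."""
    targets = defaultdict(set)
    for f in map(parse_flow, lines):
        if f.dst not in USER_NET:
            targets[(f.src, f.dport)].add(f.dst)
    return {str(src): (port, len(dsts))
            for (src, port), dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample: the MTA relaying mail, a user sending SMTP directly,
# normal web browsing, and one host sweeping port 445 across ten external IPs.
SAMPLE_FLOWS = [
    "192.0.2.10 198.51.100.25 25 tcp",
    "192.0.2.77 198.51.100.25 25 tcp",
    "192.0.2.77 203.0.113.5 443 tcp",
    "192.0.2.77 203.0.113.5 80 tcp",
] + [f"192.0.2.99 203.0.113.{i} 445 tcp" for i in range(1, 11)]


if __name__ == "__main__":
    for f in egress_violations(SAMPLE_FLOWS):
        print(f"DENY {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    for src, (port, n) in scan_suspects(SAMPLE_FLOWS).items():
        print(f"SCAN? {src} hit {n} external hosts on port {port}")
```

With the policy applied at the border, the eleven denied flows never leave the network, which is the point made above: the user's direct SMTP attempt cannot land you on a mail-based blacklist, and the port-445 sweep cannot land you on an abuse-based one. The `scan_suspects` output is the thing to alert on, because it names the infected machine rather than the whole outbound IP.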