On Mon, Mar 05, 2012 at 11:21:30AM -0500, Rod Dorman wrote:
> On Monday, March 5, 2012, 09:53:31, /dev/rob0 wrote:
> > ...
> > Another WAG: maybe your ISP's upstream provider got tired of
> > complaints and implemented this redirection upstream. This would
> > explain why the ISP would not know.
>
> I would be horrified if this turned out to be the cause.
>
> Without deep packet inspection there would be no way to
> distinguish between SMTP packets originating from the ISP's
> MTA vs. his MTA.

Sure there is: IP address. To expand on the previous example:

    iptables -N SmtpRedirect
    iptables -A SmtpRedirect -p tcp -m multiport --dports 25,587 \
        -j REDIRECT --to-ports 2525
    iptables -A FORWARD -s IPS.MTA.IP.addr -j ACCEPT
    iptables -A FORWARD <something to detect abuse> -j SmtpRedirect

Packets from that address would never enter the SmtpRedirect chain.

That said, there seems to be cause for horror in any case. One such
case which I have not yet addressed: the OP could indeed be an
abuser. But even that case is ISP fail, because limiting it is not
the solution; cutting it off entirely would be.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
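
An added example, not part of the original message: the same source-address exemption written as an iptables-restore fragment for the nat table, which is the only table where the REDIRECT target is accepted. Assumptions: 192.0.2.25 is a constructed stand-in for the ISP's MTA, a match on the constructed customer range 198.51.100.0/24 stands in for the post's `<something to detect abuse>`, and a listener on local port 2525 exists on the box doing the redirect.

```iptables
# Load with: iptables-restore < smtp-redirect.rules
# All addresses are constructed documentation values, not from the thread.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:SmtpRedirect - [0:0]

# REDIRECT rewrites the destination to this host, port 2525.
-A SmtpRedirect -p tcp -m multiport --dports 25,587 -j REDIRECT --to-ports 2525

# First match wins: traffic from the ISP's own MTA is accepted here, so it
# never reaches the jump below and its SMTP connections are left untouched.
-A PREROUTING -s 192.0.2.25/32 -j ACCEPT

# Stand-in for the abuse-detection match: everything else sourced from the
# customer range goes through SmtpRedirect. Non-SMTP traffic falls out of
# that chain unmodified because only ports 25 and 587 match there.
-A PREROUTING -s 198.51.100.0/24 -j SmtpRedirect
COMMIT
```

The decision is made on the source address and destination port alone, so no payload inspection is involved. From the customer side, an unexpected banner or certificate on port 25 or 587 is the visible sign of such a redirect.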