On Mon, Mar 05, 2012 at 11:06:26AM -0600, I wrote:
> On Mon, Mar 05, 2012 at 11:21:30AM -0500, Rod Dorman wrote:
> > On Monday, March 5, 2012, 09:53:31, /dev/rob0 wrote:
> > > ...
> > > Another WAG: maybe your ISP's upstream provider got tired of
> > > complaints and implemented this redirection upstream. This would
> > > explain why the ISP would not know.
> >
> > I would be horrified if this turned out to be the cause.
> >
> > Without deep packet inspection there would be no way to
> > distinguish between SMTP packets originating from the ISP's
> > MTA vs. his MTA.
>
> Sure there is: IP address. To expand on the previous example:

Oh, but I think I get Rod's point: this requires the upstream provider
to know and make an exception for the MTA's IP address; the
aforementioned deep packet inspection being the only sure way to
automate this. And yes, surely someone at the ISP should have been
aware of this.

> iptables -N SmtpRedirect
> iptables -A SmtpRedirect -p tcp -m multiport --dports 25,587 \
>     -j REDIRECT --to-ports 2525
> iptables -A FORWARD -s IPS.MTA.IP.addr -j ACCEPT
> iptables -A FORWARD <something to detect abuse> -j SmtpRedirect
>
> Packets from that address would never enter the SmtpRedirect chain.
>
> That said, there seems to be cause for horror in any case. One such
> case which I have not yet addressed: the OP could indeed be an
> abuser. But even that case is ISP fail, because limiting it is not
> the solution; cutting it off entirely would be.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
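As an added example (not part of the thread above), here is how a mail admin can check from the sending side whether an outbound connection on port 25/587 is reaching the intended MTA or has been transparently redirected to an intercepting proxy like the one the thread describes: parse the RFC 5321 multi-line 220 greeting and compare the announced hostname with the one expected. The hostnames and banners are constructed for illustration.

```python
"""Detect transparent SMTP redirection by inspecting the server greeting."""
import io
import socket


def read_greeting(lines_file):
    """Read an SMTP greeting: zero or more '220-' continuation lines, then
    a final '220 ' line (RFC 5321 section 4.2.1). Returns the text parts."""
    texts = []
    while True:
        raw = lines_file.readline()
        if not raw:
            raise ConnectionError("connection closed before greeting completed")
        line = raw.rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed greeting line: {line!r}")
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "220":
            raise ValueError(f"unexpected reply code {code}: {text!r}")
        texts.append(text)
        if sep != "-":          # a space (or nothing) ends the greeting
            return texts


def greeting_hostname(texts):
    """The first token of the first greeting line is the server's name."""
    words = texts[0].split()
    return words[0].lower() if words else ""


def classify_greeting(raw_greeting, expected_host):
    """'ok' if the greeting names the expected MTA, 'mismatch' if another
    host answered (possible interception), 'invalid' if it is not SMTP."""
    try:
        texts = read_greeting(io.StringIO(raw_greeting))
    except (ValueError, ConnectionError):
        return "invalid"
    return "ok" if greeting_hostname(texts) == expected_host.lower() else "mismatch"


def probe(host, port, expected_host, timeout=10.0):
    """Live check (needs network): connect, read the greeting, classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("r", encoding="ascii", errors="replace") as f:
            texts = read_greeting(f)
    return "ok" if greeting_hostname(texts) == expected_host.lower() else "mismatch"


if __name__ == "__main__":
    # Constructed sample banners: the real MTA, then an intercepting proxy.
    print(classify_greeting("220 mx.example.org ESMTP Postfix\r\n", "mx.example.org"))
    print(classify_greeting("220 smtp-filter.isp.example ESMTP\r\n", "mx.example.org"))
```

Running `probe("mx.example.org", 25, "mx.example.org")` from inside the affected network and comparing with the same call on port 2525 shows whether both ports land on the same intercepting host.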