It is standard practice in the ISP industry to block outgoing port
25 nowadays on dynamically assigned addresses.

This is not a barrier to your customers using another mailserver
(google, gmail, etc.) because all of those businesses support
Auth-SMTP on the submission port 587.  In fact, nowadays most
require it.

This is only a barrier to your customers who want to operate their
own mailservers.

Since those customers should have static IP addresses, if your
network has any reasonable organization you have a subnet set aside
for static IP addresses, one for dynamics, etc.  You don't block the
statics when you're doing this.

If you're unwilling to block your dynamics from outbound SMTP then
it is perfectly legitimate for the rest of the Internet to block
you from sending them mail.  This is equivalent to somebody being
told that a home they own is being used by drug dealers to cook
methamphetamine, and the homeowner saying "I can hardly imagine
managing the policies of all my renters, and I know they really
wouldn't like it", then the community getting together and firebombing
the home one night.

Ted


Alexandre Chapellon wrote:
I am an ISP with over 50000 users (which is not that big for an ISP)
permanently connected.
I can hardly imagine managing the policies of all my customers, and I
know they really wouldn't like it.
What if your ISP told you what you have to do, where to go and to forget
about the buggy OS you've been using for years?

But mostly I agree, a clean network should be the basis.

On Tuesday, 16 February 2010 at 12:40 -0800, Ted Mittelstaedt wrote:

I know you're not going to want to hear this because you're looking
for a quick fix, but nothing substitutes for good network design.

Your buggy customer network should enforce the following:

Direct SMTP transmission (port 25) is filtered so that only
machines designated as mailservers are allowed to send outbound
mail to port 25, everyone else must use the submission port 587 with
SMTP authentication to send mail to one of your mailservers, which
then relays this to the rest of the world.

I know you don't have this now.  But, you should be enforcing it
on new customers and you should adjust all of your self-help
documentation so that as customers discard PCs and set new ones
up, they start using auth-SMTP on the submission port.

It will take a few years.  And for some time you will wonder why
you're bothering since it will seem like you're only doing all of the
extra work of maintaining auth-SMTP for a minority of customers.

But the day will come that you will realize the majority of your
customers are using smtp-auth.  And every day after that the
number of clients sending mail directly to port 25 will continue
to dwindle and you will become more and more interested in just
chopping the minority off and letting them scream.

Ted

Alexandre Chapellon wrote:
Hello the list,

I have a quite buggy customer network, full of zombie PCs that spend
all day sending spam and wasting the whole "reputation" of my networks.
As a result it sometimes becomes quite hard to deliver queues for
specific domains such as Yahoo!'s hosted ones. Indeed they have some
temp fail (blacklist) mechanism that forbids my servers to send messages
to them for hours.
That's why I would like to set up some outgoing filtering to avoid sending
too much spam through my mail relays. I think SA can help me in doing
so, but I know too it's not really intended to work this way. I guess SA
expects to work on MX hosts more than on SMTP relays.

My prerequisites are mainly:
    - STOP as much spam as possible at SMTP time (before queuing)
    - Have NO (or very few) false positives because I could not manage
telling thousands of users that they should *always_have_a_subject*,
*shouldn't_write_the_subject_in_CAPS* or anything else.

Furthermore I can't rely on RBLs because a lot of my dynamic IP addresses are
regularly listed on different blacklists.

Has anyone already set up something like that, and what specific
config/tools/plugins could be useful for me?
If someone has already done it.... do they have any statistics about
the efficiency of this setup?

Best regards.





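
Ted's egress design (only designated mailservers may talk to port 25 directly; everyone else submits on 587 with SMTP authentication), as an added Python example that is not part of the thread above. It goes one step further than the thread: besides deciding allow/block per flow, it counts distinct port-25 destinations per dynamic-pool host, which is the cheapest way to find the zombie PCs Alexandre describes before the blocking is fully rolled out. The address pools, the three-column flow-log format and the sample flows are all constructed for illustration; a real deployment would feed it a NetFlow or conntrack export and enforce the "block" decisions in the border router rather than in Python.

```python
"""Egress SMTP policy check for an ISP access network (illustrative).

Added example, not code from the thread. Address pools, log format and
sample flows are constructed; documentation ranges are used throughout.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption): one pool per customer class.
DYNAMIC_POOLS = [ip_network("10.100.0.0/16")]   # DHCP / PPPoE customers
STATIC_POOLS = [ip_network("10.200.0.0/16")]    # customers running their own MTA
ISP_RELAYS = {ip_address("192.0.2.25")}         # our authenticating submission relays
SMTP_PORT = 25
SUBMISSION_PORT = 587


def classify(src):
    """Map a source address to its customer class."""
    addr = ip_address(src)
    if any(addr in net for net in DYNAMIC_POOLS):
        return "dynamic"
    if any(addr in net for net in STATIC_POOLS):
        return "static"
    return "unknown"


def egress_decision(src, dst, dport):
    """Return 'allow' or 'block' for one outbound TCP flow.

    Policy from the thread: direct port 25 is reserved for designated
    mailservers (the static pool). Submission on 587 is left open, since
    it carries authenticated mail to our relays or to third parties.
    """
    if dport == SMTP_PORT:
        return "allow" if classify(src) == "static" else "block"
    return "allow"


def parse_flows(text):
    """Parse constructed 'src dst dport' lines into (src, dst, int port)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append((src, dst, int(dport)))
    return flows


def audit_flows(text, min_destinations=3):
    """Apply the policy and flag dynamic hosts that behave like spam bots.

    A home PC legitimately talks to one submission server; a zombie sprays
    many distinct MXs on port 25. Counting distinct port-25 destinations
    per dynamic source separates the two without inspecting any payload.
    """
    blocked = []
    mx_targets = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if egress_decision(src, dst, dport) == "block":
            blocked.append((src, dst, dport))
        if dport == SMTP_PORT and classify(src) == "dynamic":
            mx_targets[src].add(dst)
    suspects = sorted(h for h, t in mx_targets.items() if len(t) >= min_destinations)
    return {"blocked": blocked, "suspects": suspects}


# Constructed sample: one zombie on a dynamic address spraying five MXs,
# one dynamic user submitting via 587 to a third-party provider, and one
# static customer running a legitimate MTA.
SAMPLE_FLOWS = """\
10.100.3.7   198.51.100.10  25
10.100.3.7   198.51.100.11  25
10.100.3.7   203.0.113.20   25
10.100.3.7   203.0.113.21   25
10.100.3.7   203.0.113.22   25
10.100.9.2   203.0.113.99   587
10.200.1.5   203.0.113.20   25
10.200.1.5   198.51.100.10  25
"""

if __name__ == "__main__":
    report = audit_flows(SAMPLE_FLOWS)
    for src, dst, dport in report["blocked"]:
        print(f"block {src} -> {dst}:{dport} ({classify(src)} pool)")
    print("bot candidates:", ", ".join(report["suspects"]) or "none")
```

The threshold of three distinct port-25 peers is arbitrary; the point is that the signal is a per-source fan-out count, which is cheap to compute on flow records and does not depend on the content scanning the original question was asking about.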