
Re: [Asrg] What are the IPs that sends mail for a domain?

2009-06-22 08:01:46


--On 21 June 2009 09:33:27 +1200 Franck Martin <franck(_at_)avonsys(_dot_)com> wrote:


> Yes, I'm not sure that blocking port 25 will ever be possible. I think
> fewer and fewer people want their mailbox tied up to an ISP; this is why
> they get a mailbox on Yahoo, Google, etc. So these services usually
> require you to connect via port 25 and authenticate, but that means
> the ISP has to leave port 25 open.

No, they don't. Both allow you to use port 587, as do AOL and Hotmail.

telnet smtp.mail.yahoo.com 587
Trying 69.147.102.58...
Connected to smtp.plus.mail.fy4.b.yahoo.com.
Escape character is '^]'.
220 smtp113.plus.mail.re1.yahoo.com ESMTP
quit
221 smtp113.plus.mail.re1.yahoo.com

telnet smtp.gmail.com 587
Trying 74.125.79.111...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP 10sm139741eyd.17
quit
221 2.0.0 closing connection 10sm139741eyd.17

Can anyone find a large commercial ESP that offers authenticated smtp on port 25, but not 587?

Please read RFC 4409. Port 465 is still in use to support some clients, but should be discouraged because it's allocated for some other purpose.

> Blocking port 25 and leaving port smtps/465 open to allow users to
> still submit email is better, but just a temporary measure until
> botnets use smtps to submit.

Even then, it's still better. Even if you don't get to identify the botnet owner, you get to identify the owner of the compromised host - who also has some responsibility for the spam. And, you're routing the spam through an email service provider who has a contractual relationship with the owner or operator of the compromised host.

> The only thing I see in this system is to identify the IPs of mail
> servers via an out-of-band process, like a record in the DNS. To avoid
> DDNS (the ability of the compromised machine to push a record into the
> DNS), it should be in the reverse DNS or in a subdomain.
>
> Now a receiving MTA would be able to use this filter: either the
> sending MTA authenticates (MUA) or the sending MTA is recorded as an MTA
> in the DNS. This cannot be enabled overnight, but a SpamAssassin filter
> could give a negative score if the sending MTA is DNS recorded.



--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
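The point Ian makes with the telnet sessions and the reference to RFC 4409 is that a submission port (587) differs from a relay port (25) in one key rule: the MSA must not accept MAIL FROM until the client has authenticated, so a compromised host that uses it is tied to an account the provider can identify. The following model of that rule is an added example, not code from the original message or from any of the providers named above; the host name msa.example.org, the user list and the credentials are constructed for the demonstration.

```python
import base64

# Constructed credential store for the demonstration; a real MSA consults
# its own user database.
DEMO_USERS = {"alice@example.org": "correct horse"}


class SubmissionSession:
    """Minimal model of an RFC 4409 message submission agent (MSA) on port 587.

    With submission=False the same state machine behaves like a port-25 MTA
    accepting inbound mail: no AUTH is advertised and MAIL FROM is accepted
    without it. The contrast is the property the thread relies on.
    """

    def __init__(self, submission=True):
        self.submission = submission   # True = port 587 rules, False = port 25 rules
        self.helo_done = False
        self.authenticated = None      # user name once AUTH has succeeded
        self.transcript = []           # "C:"/"S:" lines for display

    def handle(self, line):
        """Process one client command line and return the server reply."""
        self.transcript.append(f"C: {line}")
        reply = self._dispatch(line)
        self.transcript.append(f"S: {reply}")
        return reply

    def _dispatch(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.helo_done = True
            caps = ["250-msa.example.org", "250-STARTTLS"]
            if self.submission:            # only the MSA advertises AUTH
                caps.append("250-AUTH PLAIN")
            caps.append("250 8BITMIME")
            return "\r\n".join(caps)
        if not self.helo_done:
            return "503 5.5.1 EHLO first"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            # RFC 4409: the MSA rejects submission from unauthenticated clients.
            if self.submission and self.authenticated is None:
                return "530 5.7.0 Authentication required"
            return "250 2.1.0 OK"
        if verb == "QUIT":
            return "221 2.0.0 closing connection"
        return "502 5.5.2 command not implemented"

    def _auth(self, arg):
        if not self.submission:
            return "503 5.5.1 AUTH not available on this port"
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 mechanism not supported"
        try:
            # AUTH PLAIN carries base64("\0authcid\0password") (authzid left empty here).
            _authz, authc, passwd = base64.b64decode(blob).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 5.5.2 malformed AUTH PLAIN"
        if DEMO_USERS.get(authc) == passwd:
            self.authenticated = authc
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


def auth_plain(user, passwd):
    """Encode credentials the way an MUA sends them in AUTH PLAIN."""
    return base64.b64encode(f"\0{user}\0{passwd}".encode()).decode()


def run_script(submission, commands):
    """Feed a list of client commands to a fresh session; return the replies."""
    session = SubmissionSession(submission)
    replies = [session.handle(cmd) for cmd in commands]
    return replies, session.transcript


if __name__ == "__main__":
    # Unauthenticated submission attempt on 587, then the same client on 25.
    for port, submission in ((587, True), (25, False)):
        _, transcript = run_script(submission, [
            "EHLO bot.example.net",
            "MAIL FROM:<victim@example.net>",
            "QUIT",
        ])
        print(f"--- port {port} ---")
        print("\n".join(transcript))
```

Running the block prints the two transcripts side by side: on the 587 model MAIL FROM is answered with 530 until a valid AUTH PLAIN has been seen, while the 25 model accepts it outright. The same rule is what makes the "identify the owner of the compromised host" argument work: every message accepted on 587 is bound to an authenticated account.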
