SMTP Port Blocking: Success or Failure?

We are considering filtering outbound SMTP traffic from our ISP
customers, except from our own mail servers, to help reduce the amount
of spam originating from our network. How successful/unsuccessful has
implementing outbound SMTP filtering been in stopping or slowing down
spam from your network?

Also, if outbound SMTP filtering has not worked for you, are there any
other things that you have implemented that have helped with spam
traffic?

Thanks,

= TC

If you mean on dial customers, this sort of thing has been very helpful;
add (as the previous conversations on this have shown) filters outbound to
the dial user permitting source port 25 from your mail complex alone
as well.

Quoting "Claydon, Tom" <Tom.Claydon@DobsonTelco.net>:

We are considering filtering outbound SMTP traffic from our ISP
customers, except from our own mail servers, to help reduce the amount
of spam originating from our network. How successful/unsuccessful has
implementing outbound SMTP filtering been in stopping or slowing down
spam from your network?

What about rate limiting SMTP traffic rather than blocking it? That could allow
legitimate use for most private customers, while preventing bulk traffic.

Capping the number of messages per customer in the ISP mail server would
probably also be a good idea, I hear more and more bulk traffic is being sent
through ISP mail servers.

Cheers,
Ketil

What about rate limiting SMTP traffic rather than blocking it? That
could allow legitimate use for most private customers, while
preventing bulk traffic.

Comcast has been doing something like that, looking for spikes of SMTP
connects and blocking when they see them, done at the IP level. I
can't say that I'm overly impressed with how well it's working, but
it's better than nothing.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.

Claydon, Tom wrote:

It depends on your customer base. For residential customers, filtering outbound port 25 is considered acceptable. For business customers, not so. In my case, I deal with the latter. It can be problematic, because business computers do become part of some spammer's botnet. That means in a given week I spend a few hours informing clients about infected machines, when I should be working on something more productive.

Conversely, there are problems when clients send out spam through our legacy mail servers, particularly when those connections come through NAT'ed environments. If that NAT'ed network has hundreds of hosts behind it, it can be extremely difficult to get a client's support staff to even work on the problem, because I cannot provide them with the specific details they need to locate the problem machine (and most lack the skill or will to learn to use network analyzers like Ethereal to narrow the field within their network).

Therefore, I've put together a new mail system that only allows SMTP relaying once they've been authenticated. That leads to more issues, particularly with devices like printers or outdated software which cannot properly do SMTP-Auth. But as long as the majority use SMTP-Auth, it becomes a lot easier to trace problems than now.

At Portland State University, we saw a huge reduction in outgoing spam
when we blocked port 25, even with liberal exceptions for everyone who
said they wanted one. According to SenderBase, the mail volume from
our /16 dropped by half (5.3 to 5.0) . I don't think there was any
significant drop in legitimate email.

There have been a few problems with ISPs that don't accept submission
or SMTPS, but the support burden for that is way less than responding
to all those spam complaints, and way less than the burden if our
campus had been widely blacklisted (and I think we must have been
pretty close.)

---David Burns

We put our blocks in place some time ago, mainly on the cable modem side. We found
our user base was very prone to becoming zombie agents for spam. We did
enhance our static IP product by allowing statics to have port 25 open; this
allowed any real business-class customers to continue to function.

The benefit was seen pretty quickly here. That, in combination with
some throttles permitting the standard customer to send only 400 emails
in an hour, has cleaned us up pretty significantly.

Jason
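The two controls the thread keeps coming back to, a port-25 egress block with an exemption list (the ISP's own mail complex plus static-IP business customers) and a per-customer cap on messages through the ISP relay (Jason's 400 an hour), as an added example that is not code from any poster. Every address, prefix, log line and threshold below is constructed for illustration; the policy logic is a simulator, not a firewall or MTA configuration.

```python
"""
Added example, not from the thread: a simulator of (1) an outbound port-25
block with exemptions and (2) a sliding-window per-customer message cap on
the ISP relay. Addresses, prefixes, log lines and thresholds are constructed.
"""
from collections import deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List

# Constructed policy data (assumptions, not any real ISP's addressing).
OWN_MAIL_SERVERS = {ip_address("192.0.2.25"), ip_address("192.0.2.26")}
STATIC_EXEMPT = [ip_network("198.51.100.0/28")]   # business statics keep port 25
CUSTOMER_POOL = [ip_network("203.0.113.0/24")]    # dynamic cable/dial pool
MAX_MSGS_PER_HOUR = 400                           # Jason's per-customer throttle
WINDOW_SECONDS = 3600


def egress_decision(src: str, dst: str, dport: int) -> str:
    """Decide 'allow' or 'block' for one outbound flow from a customer."""
    s, d = ip_address(src), ip_address(dst)
    if dport != 25:
        return "allow"        # submission (587) and SMTPS (465) are untouched
    if d in OWN_MAIL_SERVERS:
        return "allow"        # customers may still reach the ISP's own relay
    if any(s in net for net in STATIC_EXEMPT):
        return "allow"        # static-IP business customers are exempt
    if any(s in net for net in CUSTOMER_POOL):
        return "block"        # dynamic pool: no direct-to-MX delivery
    return "allow"            # anything else (e.g. the mail complex itself)


class RelayRateLimiter:
    """Sliding-window cap on messages the relay accepts per customer IP."""

    def __init__(self, limit: int = MAX_MSGS_PER_HOUR,
                 window: int = WINDOW_SECONDS) -> None:
        self.limit, self.window = limit, window
        self.events: Dict[str, Deque[int]] = {}

    def accept(self, src: str, ts: int) -> bool:
        """Record one message at epoch `ts`; False means it is throttled."""
        q = self.events.setdefault(src, deque())
        while q and ts - q[0] >= self.window:   # drop events older than window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # over the cap in the last hour
        q.append(ts)
        return True


# Constructed flow log: "epoch src dst dport"
FLOW_LOG: List[str] = [
    "1109466000 203.0.113.77 93.184.216.34 25",  # zombie -> remote MX: block
    "1109466001 203.0.113.77 192.0.2.25 25",     # zombie -> our relay: allow (capped below)
    "1109466002 203.0.113.10 192.0.2.25 587",    # submission: allow
    "1109466003 198.51.100.5 93.184.216.34 25",  # static business -> remote MX: allow
    "1109466004 203.0.113.10 93.184.216.34 25",  # dynamic customer direct-to-MX: block
]


def replay_flows(lines: List[str]) -> Dict[str, int]:
    """Apply the egress policy to each logged flow and tally the verdicts."""
    tally = {"allow": 0, "block": 0}
    for line in lines:
        _ts, src, dst, dport = line.split()
        tally[egress_decision(src, dst, int(dport))] += 1
    return tally


def simulate_relay(src: str, start: int, count: int, interval: int,
                   limiter: RelayRateLimiter) -> int:
    """Push `count` messages from `src` spaced `interval` s apart; return accepted."""
    return sum(1 for i in range(count) if limiter.accept(src, start + i * interval))


if __name__ == "__main__":
    print("egress verdicts:", replay_flows(FLOW_LOG))
    lim = RelayRateLimiter()
    burst = simulate_relay("203.0.113.77", 0, 450, 1, lim)
    print("zombie burst of 450 in 7.5 min: accepted", burst, "throttled", 450 - burst)
    print("same host one hour later accepted again:", lim.accept("203.0.113.77", 3600))
```

The sliding window is what makes the cap tolerate a normal customer's occasional batch while still cutting a zombie off: the 450-message burst gets exactly 400 through, and the host regains capacity only as its oldest messages age out of the hour. Rate limiting alone, as Ketil suggests, would still let the zombie deliver 400 an hour, which is why the thread pairs it with the port-25 block so that only traffic through the ISP's own relay is subject to that cap.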

On Sat, Feb 26, 2005 at 07:04:26PM -0600, Claydon, Tom stated

How effective is rate limiting? Can anyone from Comcast reply to me
offlist? I would be very interested in results ...

PR