Preventing SPAMMING on ISP network

rbelchez
Level 1

Operation Background: We are providing Internet via satellite. We receive the reply (i.e. from microsoft.com, download.com or any site being accessed by our clients using our IP) from the Internet, then our NOC links up the information to the satellite for direct transmission to the user PC.

Now my problem: we are receiving loads of complaints about some of our clients acting as SMTP open relays. I would like to protect our clients from spammers by setting up an ACL on our transit router so that only trusted source networks can send to destination TCP port 25. We have about 12 Class C networks plus customer networks that will be using SMTP outside their LAN. However, I want to know if there are other, better solutions to protect our clients from spammers (on the network level). Kindly please advise if the solution I was considering is acceptable; if not, please point me to already available best practices to combat mail spamming on the ISP level (I tried searching but without luck, kindly please advise).

Many thanks.

3 Replies

shannong
Level 4

You really didn't provide much info to define a good solution. You could use an ACL to prevent the Internet at large from sending email through these mail servers, but how could you possibly know and define all sources that SHOULD send to your customers? As an ISP, it's your job to inform your customers that they are open relays and ask them to configure their servers to deny relaying. If they fail to comply, it's also your responsibility to enforce the request by removing their services. At a minimum, you could prevent traffic to their net blocks for port 25 for those customers who fail to comply.

-Shannon

Thanks for your reply.

I was thinking of restricting port 25 to sources coming from predefined networks only (our own allocated blocks, plus some customer blocks who will be using SMTP servers belonging to our address range). I was thinking that since our clients (SMTP users) normally will be sending SMTP requests via their LAN, it will not be passing our link, and only our customers' remote users who will be using their SMTP servers are the only ones who will be coming on our link. (Our customers are mostly internet cafes and some ISPs in the Middle East, so if I define our customer ISP networks I have the target networks who will be using SMTP outside of their LAN.) My idea is that at least I can block spammers outside of our network and our ISP customer networks. I also temporarily set up an ACL to baseline SMTP users.

access-list 111 permit tcp any any eq smtp log

I am not really sure if this setup is possible in our case. That is why I posted it here, to get experts' opinions on whether this is OK. If the response I get is NOT OK, I have no problem with just notifying our clients of any reported open relay we received.

Many thanks.

If all your customers only receive email through your email servers and are only using POP/IMAP to fetch the email, then you should be able to filter traffic sent to 25/tcp of your customer blocks, but...

If some of your customers use their own email server, then this filter will typically kill them.

Remember that a lot of spam is currently sent through open HTTP CONNECT proxies, and not SMTP open relays. Open HTTP CONNECT proxies are more difficult to filter, since you would need to filter a number of ports...

What about allowing yourself, in the AUP, to poll your customers for these kinds of erroneous configurations...? Sometimes problematic, but...
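
Added example, not part of the original thread: one way to use the syslog output of the baseline ACL above (`access-list 111 ... log`) to see which SMTP destinations would lose inbound mail if port 25 were limited to trusted source blocks, which is the breakage the last reply warns about. It assumes the standard IOS `%SEC-6-IPACCESSLOGP` message format; the trusted blocks, sample log lines and function names are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed trusted source blocks (documentation ranges, not the poster's networks).
TRUSTED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# IOS syslog line produced by an ACL entry carrying the "log" keyword.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?:permitted|denied) tcp "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packet"
)

# Constructed sample input.
SAMPLE_LOG = """\
Mar  1 10:00:01 rtr %SEC-6-IPACCESSLOGP: list 111 permitted tcp 203.0.113.7(40112) -> 198.51.100.10(25), 1 packet
Mar  1 10:00:05 rtr %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.0.2.44(51234) -> 198.51.100.10(25), 12 packets
Mar  1 10:00:09 rtr %SEC-6-IPACCESSLOGP: list 111 permitted tcp 198.51.100.33(1099) -> 198.51.100.20(25), 3 packets
Mar  1 10:00:12 rtr %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.0.2.90(33001) -> 198.51.100.10(25), 4 packets
Mar  1 10:00:15 rtr %SEC-6-IPACCESSLOGP: list 112 permitted tcp 192.0.2.90(33002) -> 198.51.100.20(25), 9 packets
Mar  1 10:00:16 rtr %SYS-5-CONFIG_I: Configured from console
""".splitlines()

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED)

def baseline(lines, acl="111"):
    """Per SMTP destination: packet counts from trusted and untrusted sources."""
    stats = defaultdict(lambda: {"trusted": 0, "untrusted": 0, "outside": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl or m["dport"] != "25":
            continue  # other ACLs, other ports, unrelated syslog messages
        entry = stats[m["dst"]]
        if is_trusted(m["src"]):
            entry["trusted"] += int(m["n"])
        else:
            entry["untrusted"] += int(m["n"])
            entry["outside"].add(m["src"])
    return dict(stats)

def affected_by_filter(stats):
    """Destinations that lose inbound SMTP once only TRUSTED may reach 25/tcp."""
    return sorted(dst for dst, e in stats.items() if e["untrusted"] > 0)

if __name__ == "__main__":
    stats = baseline(SAMPLE_LOG)
    for dst in affected_by_filter(stats):
        print(dst, stats[dst]["untrusted"], "packets from", sorted(stats[dst]["outside"]))
```

A destination on the affected list is either a customer running its own mail server or a relay being used from outside, so it is a host to contact before the restrictive ACL goes in.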
