From: Arthur E. I. <Art...@ms...> - 2013-07-31 21:20:48
"Sallee, Stephen (Jake)" <Jak...@um...> wrote:
> I almost want to leave it, I have wanted to shut down SMTP from my public
> NAT for a long time but each time I do, some users throw a fit because
> they have software that wants to act as a SMTP server ... BUT ... this
> way, it still doesn't work ... and, I can say I didn't do it.
>
> Is that bad?

I have blocked all inbound and outbound port 25 traffic on our networks for years, except for the legitimate SMTP servers. We even use outbound port 25 traps from our firewall to quarantine infected computers before other methods detect them.

If you Google around, you will find that most ISPs these days block port 25, and tell their customers to relay through port 465 or 587 authenticated with whoever their mailbox provider is. There are dozens of web sites showing how to set up SMTP relaying through a Gmail account.

Many moons ago, I served on a panel at a (USA) Federal Trade Commission event about spam and e-mail authentication in Washington, DC. During a lunch break one day, I met a network engineer from a branch of our military, and suggested that everyone blocking port 25 at their border routers was the cleanest fix to the spam problem. He said good luck with that, because the military doesn't even have a map of their authorized SMTP servers and the last thing that he'd want to do from a career perspective is block some general's personal e-mail server. Once the shock passed about the military not knowing who is using their networks, I had an even scarier thought. These are the same people that are keeping track of nuclear weapons!

We had problems with peer-to-peer piracy like many other schools, but being a private institution are a little more hesitant than a public school to block something that might annoy the students without a good reason. After years of playing DMCA take-down games, I pulled a report from our packet shaper showing that only 6 students were active P2P users. There were not riots in the hallways when they came back from Easter break and none of their P2P software worked any more.

Anyway, let me bring all of this rambling back to a point. My suggestion is to log everyone using port 25 for a week, and see how many people are impacted. If it is as few as I suspect, do something that even our mighty military can't and block port 25 on your network...

-Arthur
-------------------------------------------------------------------------
Arthur Emerson III            Email: em...@ms...
Network Administrator         InterNIC: AE81
Mount Saint Mary College      MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.               Fax: (845) 562-6762
Newburgh, NY 12550            SneakerNet: Aquinas Hall Room 11
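The two-phase approach Arthur describes (log port 25 for a week, count who is affected, then block it for everyone except the known mail servers and treat repeat offenders as infected) can be scripted on a Linux firewall. The following is an added example, not code from the original thread or from Arthur's network; it assumes iptables with the netfilter LOG and REJECT targets, and the allow-list addresses (RFC 5737 documentation ranges) and kernel log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes a Linux firewall
# using iptables (netfilter LOG/REJECT targets); addresses and log lines are
# constructed for illustration.

# Hypothetical list of the institution's legitimate mail servers, the only
# hosts allowed to reach TCP/25 directly.
ALLOWED_SMTP="203.0.113.10 203.0.113.11"

# Emit the per-server ACCEPT rules shared by both phases.
allow_rules() {
    for ip in $ALLOWED_SMTP; do
        echo "iptables -A FORWARD -s $ip -p tcp --dport 25 -j ACCEPT"
    done
}

# Phase 1 (the "log it for a week" step): LOG every outbound TCP/25 SYN from
# any other host, but block nothing yet. Rate-limited so a spambot cannot
# flood the kernel log. Pipe the output to sh as root once reviewed.
gen_log_rules() {
    allow_rules
    echo "iptables -A FORWARD -p tcp --dport 25 --syn -m limit --limit 10/min -j LOG --log-prefix 'SMTP25: '"
}

# Phase 2 (enforce): same allow-list, then REJECT with a TCP reset so clients
# fail fast instead of hanging on a dropped packet; still log first, because
# a host that keeps hitting this rule is a quarantine candidate.
gen_block_rules() {
    allow_rules
    echo "iptables -A FORWARD -p tcp --dport 25 --syn -m limit --limit 10/min -j LOG --log-prefix 'SMTP25: '"
    echo "iptables -A FORWARD -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
}

# Reduce kernel log lines (stdin) to "<attempts> <source>" per host, busiest
# first; the length of this list is the "how many people are impacted" number.
count_port25_sources() {
    grep 'SMTP25: ' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Print sources with at least $1 logged attempts: with a low threshold over a
# short window this is the "outbound port 25 trap" for infected machines.
flag_spam_sources() {
    count_port25_sources | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample of what the LOG target writes to the kernel log.
SAMPLE_LOG='Jul 31 21:20:48 fw kernel: SMTP25: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=25 SYN
Jul 31 21:20:49 fw kernel: SMTP25: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.8 PROTO=TCP SPT=51235 DPT=25 SYN
Jul 31 21:21:02 fw kernel: SMTP25: IN=eth1 OUT=eth0 SRC=10.0.7.99 DST=192.0.2.30 PROTO=TCP SPT=40001 DPT=25 SYN
Jul 31 21:21:03 fw kernel: OTHER: IN=eth1 OUT=eth0 SRC=10.0.7.100 DST=192.0.2.31 PROTO=TCP SPT=40002 DPT=443 SYN'

# Number of distinct non-allow-listed hosts seen talking SMTP in the sample.
impacted_hosts() {
    printf '%s\n' "$SAMPLE_LOG" | count_port25_sources | wc -l | tr -d ' '
}

# Hosts that would be quarantined at a threshold of 2 attempts.
quarantine_candidates() {
    printf '%s\n' "$SAMPLE_LOG" | flag_spam_sources 2
}

impacted_hosts
quarantine_candidates
```

In production the log lines would come from `journalctl -k` or `/var/log/kern.log` over the observation week rather than an embedded sample, and the quarantine threshold should be set from that baseline: a desktop with a legitimate mail client relaying on 587 never appears in this log at all, so anything that shows up dozens of times in a few minutes is almost certainly malware.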