Deny MX queries for dynamic IP pools

SM sm at resistor.net
Sun Jan 31 21:18:08 UTC 2010


At 05:25 31-01-10, Wael Shaheen wrote:
>As a solution the routing team was thinking to block port 25 for outgoing as
>some ISPs do. However, I do not see this to be a valid solution for many
>reasons such as clients that have email servers outside, or if decided to be
>redirected to spam filters then that will just cost the company too much.

Mail submission is done over port 587 and not port 25.

>Luckily we have two sets of DNS server farms; one that is serving static IP
>users and one that is dedicated only for dynamic IP users. The idea I have
>proposed is to deny these dynamic users from performing MX queries.
>
>So instead of blocking port 25 we can redirect the DNS port to the DNS farm
>that is dedicated for dynamic users, that will guarantee that no standard
>DNS port forwarded queries are going to external servers. Then we will block
>the MX and root queries for those dynamic clients.
>That will prevent them from using a locally installed DNS service on their
>machines or query MX records for targets they want to send spam to.

That can be bypassed as you explained below.

>Of course there will still be some challenges like if some spammers know the
>A record of the mail server they want to connect to or if they used the IP
>address of the targeted mail server also if they used open dns that works on
>non-standard ports, but then again I believe these users will stand out and
>will be identified more easily.

The idea is another variation of the walled garden.  You could look 
into doing traffic flow analysis and using feedback reports to 
identify the source of the abuse.

Regards,
-sm 
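
Added example, not part of the original message: one way to do the traffic flow analysis suggested above is to count the distinct port 25 destinations each dynamic-pool client contacts per time window, leaving port 587 submission traffic alone. The pool range, threshold, record layout and sample flows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed values, not from the thread: the dynamic pool and the threshold.
DYNAMIC_POOL = ipaddress.ip_network("198.51.100.0/24")
MAX_SMTP_PEERS = 3  # distinct port-25 destinations allowed per window

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # dynamic client talking SMTP to five different servers
    [(1000 + i, "198.51.100.23", f"203.0.113.{i}", 25) for i in range(1, 6)]
    # dynamic client submitting mail to one outside server on 587
    + [(2000 + i, "198.51.100.40", "203.0.113.50", 587) for i in range(20)]
    + [(2100, "198.51.100.40", "203.0.113.50", 25)]
    # static-IP customer running a mail server, outside the dynamic pool
    + [(3000 + i, "192.0.2.10", f"203.0.113.{i}", 25) for i in range(1, 9)]
)


def smtp_fanout(flows, pool=DYNAMIC_POOL, window=3600):
    """Map (window_start, src) to the set of port-25 destinations seen."""
    peers = defaultdict(set)
    for ts, src, dst, port in flows:
        if port != 25:
            continue  # submission (587) and other traffic is ignored
        if ipaddress.ip_address(src) not in pool:
            continue  # only dynamic-pool clients are of interest
        peers[(ts - ts % window, src)].add(dst)
    return peers


def flag_sources(flows, threshold=MAX_SMTP_PEERS, **kwargs):
    """Return {src: worst fan-out} for sources exceeding the threshold."""
    hits = {}
    for (_, src), dsts in smtp_fanout(flows, **kwargs).items():
        if len(dsts) > threshold:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return dict(sorted(hits.items()))


if __name__ == "__main__":
    for src, count in flag_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {count} distinct port-25 destinations in one window")
```

Because the count is keyed on destination addresses rather than DNS lookups, it also covers the bypass cases raised in the thread, such as clients that already know the target's IP address.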



