Deny MX queries for dynamic IP pools

Mark Andrews marka at isc.org
Sun Jan 31 23:03:36 UTC 2010


In message <C78B5F8C.46E43%wael.shahin at gmail.com>, Wael Shaheen writes:
> Dear DNS Experts,
> 
> This post is intended for discussion.
> 
> The ISP I work for has HUGE dynamic IP pools that are full of spammers (of
> course). This huge volume of spam is actually influencing the decision for
> some of the international provider's whether to give us links or not let
> alone the bad reputation and RBLs listing etc...
> As a solution the routing team was thinking to block port 25 for outgoing as
> some ISPs do. However, I do not see this to be a valid solution for many
> reasons such as clients that have email servers outside, or if decided to be
> redirected to spam filters then that will just cost the company too much.
> 
> Luckily we have two sets of DNS server farms; one that is serving static IP
> users and one that is dedicated only for dynamic IP users. The idea I have
> proposed is to deny these dynamic users from performing MX queries.
> 
> So instead of blocking port 25 we can redirect the DNS port to the DNS farm
> that is dedicated for dynamic users, that will guarantee that no standard
> DNS port forwarded queries are going to external servers. Then we will block
> the MX and root queries for those dynamic clients.
> That will prevent them from using a locally installed DNS service on their
> machines or query MX records for targets they want to send spam to.
> 
> Of course there will still be some challenges like if some spammers know the
> A record of the mail server they want to connect to or if they used the IP
> address of the targeted mail server also if they used open dns that works on
> non-standard ports, but then again I believe these users will stand out and
> will be identified more easily.
> 
> I would appreciate any comments you may have.
> 
> Sincerely,
> Wael
> 
> 

Firstly, clean up / quarantine the machines that are spamming.  This
is the best thing you can do.  A machine that is spamming is
compromised and a compromised machine can do anything.

Secondly, don't block the MX queries.  MUAs can and do perform MX
queries to check that addresses are valid before attempting to
send anything.

Thirdly, if you do block SMTP do it fully (traffic to and from port
25) and provide a mechanism to opt out.  If you publish, or provide
information to those that publish, blocking lists ensure that they
reflect the opt-out status of any IP address that has opted out.
Blocking SMTP traffic is only masking the symptoms of the infection.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
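Mark's third point (if you block SMTP, do it fully, and make sure any published blocking list reflects opt-out status) worked through in code, as an added example that is not part of this thread or of BIND: a single list of dynamic pool prefixes minus the opted-out hosts drives both the outbound port-25 filter decision and the DNSBL-style listing, so the two can never disagree. The pool prefixes, opted-out hosts and the zone name are constructed for illustration.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample data (hypothetical): the ISP's dynamic pools and the
# customers who have opted out of the outbound port-25 block.
DYNAMIC_POOLS = ["198.51.100.0/24", "203.0.113.0/25"]
OPTED_OUT = ["198.51.100.17", "198.51.100.18", "203.0.113.77"]
DNSBL_ZONE = "dyn.bl.example"  # hypothetical zone the ISP would publish


def effective_blocks(pools: Iterable[str], opt_outs: Iterable[str]) -> list:
    """Pool address space minus every opted-out host, as the smallest set of
    CIDR prefixes. Both the SMTP filter and the published blocking list are
    generated from this one result."""
    excluded = {ipaddress.ip_network(h) for h in opt_outs}
    remaining = []
    for cidr in pools:
        net = ipaddress.ip_network(cidr)
        pieces = [net]
        for host in excluded:
            if host.version != net.version or not host.subnet_of(net):
                continue  # opt-out lies outside this pool: nothing to carve
            carved = []
            for block in pieces:
                if host.subnet_of(block):
                    carved.extend(block.address_exclude(host))  # split around host
                else:
                    carved.append(block)
            pieces = carved
        remaining.extend(pieces)
    return list(ipaddress.collapse_addresses(remaining))


def is_blocked(ip: str, pools=DYNAMIC_POOLS, opt_outs=OPTED_OUT) -> bool:
    """True if outbound port 25 from ip should be filtered."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in effective_blocks(pools, opt_outs))


def published_listing(ip: str, zone: str = DNSBL_ZONE,
                      pools=DYNAMIC_POOLS, opt_outs=OPTED_OUT) -> Optional[str]:
    """DNSBL-style name (reversed octets under the zone) to publish for ip,
    or None. An opted-out host is never listed, so list and filter agree."""
    if not is_blocked(ip, pools, opt_outs):
        return None
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"
```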
