Hi,
we do have some subnetworks for private computers, which are allowed to use there public smtp servers like msn, web.de or whatever with the users private accounts.
All our own computers have to send mail trough our mailserver with user authentication.
From time to time we are faced with the fact, that a virus infected private notebook sends spam and we are told by our ISP to take care :)
What might be a good choice to allow clients to send unrestricted transparent mails (= use smtp(s)) but we can monitor? E.g. like a redirect or proxy for smtp?
I like to know which private computer sends lot of mail. :)
Thanks for any hint and suggestion. /Götz
On Wed, Jun 27, 2012 at 4:23 PM, Götz Reinicke goetz.reinicke@filmakademie.de wrote:
Hi,
we do have some subnetworks for private computers, which are allowed to use there public smtp servers like msn, web.de or whatever with the users private accounts.
All our own computers have to send mail trough our mailserver with user authentication.
From time to time we are faced with the fact, that a virus infected private notebook sends spam and we are told by our ISP to take care :)
What might be a good choice to allow clients to send unrestricted transparent mails (= use smtp(s)) but we can monitor? E.g. like a redirect or proxy for smtp?
I like to know which private computer sends lot of mail. :)
Hi, 1. Many malware have their own smtp and can send spam directly. To overcome this, block port tcp 25 on your gateway, and only allow your mailserver.
From the firewall log then you will know which client is infected.
2. In the case that the malware use your mailserver to send the spam, there are plugins to log how many email sent by which client. HTH
Am 27.06.12 10:29, schrieb Fajar Priyanto:
On Wed, Jun 27, 2012 at 4:23 PM, Götz Reinicke goetz.reinicke@filmakademie.de wrote:
Hi,
we do have some subnetworks for private computers, which are allowed to use there public smtp servers like msn, web.de or whatever with the users private accounts.
All our own computers have to send mail trough our mailserver with user authentication.
From time to time we are faced with the fact, that a virus infected private notebook sends spam and we are told by our ISP to take care :)
What might be a good choice to allow clients to send unrestricted transparent mails (= use smtp(s)) but we can monitor? E.g. like a redirect or proxy for smtp?
I like to know which private computer sends lot of mail. :)
Hi,
- Many malware have their own smtp and can send spam directly.
To overcome this, block port tcp 25 on your gateway, and only allow your mailserver.
From the firewall log then you will know which client is infected.
- In the case that the malware use your mailserver to send the spam,
there are plugins to log how many email sent by which client. HTH
Hi, thanks for your suggestion. But for the mentioned clients thats not possible. :/ (For our own we do exactly as you suggest :) )
We do have about 100th of freelancers 'flying in and out' of our academy which we cant 'restrict' by forcing tham to change there clients settings.
But may be we have to think about that if thats the only chance we have....
On Wed, Jun 27, 2012 at 5:15 PM, Götz Reinicke goetz.reinicke@filmakademie.de wrote:
Am 27.06.12 10:29, schrieb Fajar Priyanto:
On Wed, Jun 27, 2012 at 4:23 PM, Götz Reinicke goetz.reinicke@filmakademie.de wrote:
Hi,
we do have some subnetworks for private computers, which are allowed to use there public smtp servers like msn, web.de or whatever with the users private accounts.
All our own computers have to send mail trough our mailserver with user authentication.
From time to time we are faced with the fact, that a virus infected private notebook sends spam and we are told by our ISP to take care :)
What might be a good choice to allow clients to send unrestricted transparent mails (= use smtp(s)) but we can monitor? E.g. like a redirect or proxy for smtp?
I like to know which private computer sends lot of mail. :)
Hi,
- Many malware have their own smtp and can send spam directly.
To overcome this, block port tcp 25 on your gateway, and only allow your mailserver.
From the firewall log then you will know which client is infected.
- In the case that the malware use your mailserver to send the spam,
there are plugins to log how many email sent by which client. HTH
Hi, thanks for your suggestion. But for the mentioned clients thats not possible. :/ (For our own we do exactly as you suggest :) )
We do have about 100th of freelancers 'flying in and out' of our academy which we cant 'restrict' by forcing tham to change there clients settings.
But may be we have to think about that if thats the only chance we have....
Hi Gotz, I don't understand. Those "clients" are connected to your network, aren't they? Then the proposed solution 1 and 2 would work. Unless what you mean is when they are working from home, but at least solution 2 would give you a clue who send the spam.
On 06/27/12 2:15 AM, Götz Reinicke wrote:
Hi, thanks for your suggestion. But for the mentioned clients thats not possible. :/ (For our own we do exactly as you suggest :) )
We do have about 100th of freelancers 'flying in and out' of our academy which we cant 'restrict' by forcing tham to change there clients settings.
MSN, gmail, etc don't accept simple port 25 SMTP from random clients, they only accept authenticated SSL encrypted port 465 or whatever.
so its simple, block port 25 outbound from anything but your own mailhost(s).
Am 27.06.2012 11:15, schrieb Götz Reinicke:
Am 27.06.12 10:29, schrieb Fajar Priyanto:
- Many malware have their own smtp and can send spam directly.
To overcome this, block port tcp 25 on your gateway, and only allow your mailserver.
Hi, thanks for your suggestion. But for the mentioned clients thats not possible. :/ [...] We do have about 100th of freelancers 'flying in and out' of our academy which we cant 'restrict' by forcing tham to change there clients settings.
Nobody *needs* port 25 from their client to a public server. Port 25 is intended for forwarding mail from one server to the next, not for submitting mail from a client to its server. The standard port for sending mail from a client is 587, the mail submission port. Using port 25 for that is arguably a configuration error which should be corrected.
What's more, blocking outbound port 25 is generally recommended practice and standard for many ISPs, so your freelancers will often face the same restriction on their home LAN, Internet cafe or wherever else they may want to write e-mails, adding to their motivation to fix their configuration instead of arguing with you.
HTH T.
Am 27.06.12 16:08, schrieb Tilman Schmidt:
Am 27.06.2012 11:15, schrieb Götz Reinicke:
Am 27.06.12 10:29, schrieb Fajar Priyanto:
- Many malware have their own smtp and can send spam directly.
To overcome this, block port tcp 25 on your gateway, and only allow your mailserver.
Hi, thanks for your suggestion. But for the mentioned clients thats not possible. :/ [...] We do have about 100th of freelancers 'flying in and out' of our academy which we cant 'restrict' by forcing tham to change there clients settings.
Nobody *needs* port 25 from their client to a public server. Port 25 is intended for forwarding mail from one server to the next, not for submitting mail from a client to its server. The standard port for sending mail from a client is 587, the mail submission port. Using port 25 for that is arguably a configuration error which should be corrected.
What's more, blocking outbound port 25 is generally recommended practice and standard for many ISPs, so your freelancers will often face the same restriction on their home LAN, Internet cafe or wherever else they may want to write e-mails, adding to their motivation to fix their configuration instead of arguing with you.
Hi,
you dont know the resistant to advice of our users .... ;)
Any kind of plea fails most time, and as long as a lot of ISP and Mail-Hosters still allow and offer port 25 in the docs it is hard to tell why our users should change because we'r faced with problems.
Long story short: I advised the use of port 587 two hours ago.
FYI since than I had 169 outgoing connections to port 20 and 1 to 587. :)
cheers . Götz fighting spam and resistant to advice
on 6/27/2012 7:26 AM Götz Reinicke spake the following:
Am 27.06.12 16:08, schrieb Tilman Schmidt:
Am 27.06.2012 11:15, schrieb Götz Reinicke:
Am 27.06.12 10:29, schrieb Fajar Priyanto:
- Many malware have their own smtp and can send spam directly.
To overcome this, block port tcp 25 on your gateway, and only allow your mailserver.
Hi, thanks for your suggestion. But for the mentioned clients thats not possible. :/ [...] We do have about 100th of freelancers 'flying in and out' of our academy which we cant 'restrict' by forcing tham to change there clients settings.
Nobody *needs* port 25 from their client to a public server. Port 25 is intended for forwarding mail from one server to the next, not for submitting mail from a client to its server. The standard port for sending mail from a client is 587, the mail submission port. Using port 25 for that is arguably a configuration error which should be corrected.
What's more, blocking outbound port 25 is generally recommended practice and standard for many ISPs, so your freelancers will often face the same restriction on their home LAN, Internet cafe or wherever else they may want to write e-mails, adding to their motivation to fix their configuration instead of arguing with you.
Hi,
you dont know the resistant to advice of our users .... ;)
Any kind of plea fails most time, and as long as a lot of ISP and Mail-Hosters still allow and offer port 25 in the docs it is hard to tell why our users should change because we'r faced with problems.
Long story short: I advised the use of port 587 two hours ago.
FYI since than I had 169 outgoing connections to port 20 and 1 to 587. :)
cheers . Götz fighting spam and resistant to advice
Block port 25, and they will comply, or not send mail... People are resistant to change, until they NEED to change...
On 6/27/12, Götz Reinicke goetz.reinicke@filmakademie.de wrote:
Long story short: I advised the use of port 587 two hours ago.
FYI since than I had 169 outgoing connections to port 20 and 1 to 587. :)
Seriously, just force them. I got so tired of one particular app/mail server that keep getting blacklisted because of lazy client admin and users, I sent them a notice that for emergency security reasons, emails will only be accepted on port 587. Gave them one hour, then closed 25.
Understandably people screamed for about another hour or so but all of them ended up on 587 by the end of the day ;)
For the last five years I have been running a captive portal gateway I developed at a number of airports to manage free wireless. There are more that 25K connection each day, and port 25 is blocked for every one of them.
Yes we get complaints, but not often, one every two or three months or so.
Before we blocked port 25 we had to go to spamhaus.org once a month, or so, to request removal of one of more of the gateway's IP addresses from their black lists.
Emmett
On 06/27/2012 09:04 PM, Emmanuel Noobadmin wrote:
On 6/27/12, Götz Reinicke goetz.reinicke@filmakademie.de wrote:
Long story short: I advised the use of port 587 two hours ago.
FYI since than I had 169 outgoing connections to port 20 and 1 to 587. :)
Seriously, just force them. I got so tired of one particular app/mail server that keep getting blacklisted because of lazy client admin and users, I sent them a notice that for emergency security reasons, emails will only be accepted on port 587. Gave them one hour, then closed 25.
Understandably people screamed for about another hour or so but all of them ended up on 587 by the end of the day ;) _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Am 27.06.12 16:08, schrieb Tilman Schmidt:
Am 27.06.2012 11:15, schrieb Götz Reinicke:
Am 27.06.12 10:29, schrieb Fajar Priyanto:
- Many malware have their own smtp and can send spam directly.
To overcome this, block port tcp 25 on your gateway, and only allow your mailserver.
Hi, thanks for your suggestion. But for the mentioned clients thats not possible. :/ [...] We do have about 100th of freelancers 'flying in and out' of our academy which we cant 'restrict' by forcing tham to change there clients settings.
Nobody *needs* port 25 from their client to a public server. Port 25 is intended for forwarding mail from one server to the next, not for submitting mail from a client to its server. The standard port for sending mail from a client is 587, the mail submission port. Using port 25 for that is arguably a configuration error which should be corrected.
What's more, blocking outbound port 25 is generally recommended practice and standard for many ISPs, so your freelancers will often face the same restriction on their home LAN, Internet cafe or wherever else they may want to write e-mails, adding to their motivation to fix their configuration instead of arguing with you.
Hi,
you dont know the resistant to advice of our users .... ;)
Any kind of plea fails most time, and as long as a lot of ISP and Mail-Hosters still allow and offer port 25 in the docs it is hard to tell why our users should change because we'r faced with problems.
Long story short: I advised the use of port 587 two hours ago.
FYI since than I had 169 outgoing connections to port 25 and 1 to 587. :)
cheers . Götz fighting spam and resistant to advice
Götz Reinicke wrote:
Am 27.06.12 16:08, schrieb Tilman Schmidt:
Am 27.06.2012 11:15, schrieb Götz Reinicke:
Am 27.06.12 10:29, schrieb Fajar Priyanto:
- Many malware have their own smtp and can send spam directly.
To overcome this, block port tcp 25 on your gateway, and only allow your mailserver.
Hi, thanks for your suggestion. But for the mentioned clients thats not possible. :/ [...]
<snip>
you dont know the resistant to advice of our users .... ;)
<snip>
Long story short: I advised the use of port 587 two hours ago.
FYI since than I had 169 outgoing connections to port 25 and 1 to 587. :)
cheers . Götz fighting spam and resistant to advice
Hey, give 'em a chance. See what it's like after 24 hours. I suppose then you could tell them it's a lottery, and you'll select random users to kick off port 25....
mark
On 27/06/12 18:23, Götz Reinicke wrote:
I like to know which private computer sends lot of mail. :)
You could get your firewall ACCEPT but LOG the outgoing 25 from anything but your mailhub.
Have often wondered whether a transparent mail-proxy could be set up, similar to a transparent web-proxy, with your firewall catching all port 80 and redirecting to 8080 on your squid server. Never got around to seeing whether this was possible ...
... then again I agree with the others, blocking outgoing port 25 is the better idea, but only if it is not going to get you fired.
Cheers,
Kal
-
Emmanuel Noobadmin -
Emmett Culley -
Fajar Priyanto -
Götz Reinicke -
John R Pierce -
Kahlil Hodgson -
m.roth@5-cent.us -
Scott Silva -
Tilman Schmidt