Posted on 09/17/2007 6:13:24 AM PDT by webschooner
This is so true, and why it's so important to only allow outgoing port 25 traffic from mail servers on your network, a legitimate mail server. Allowing any host access to the internet over port 25 can and probably will get your domain 'blacklisted'.
"With traditional mail this is true but the storm net you have so many clients sending it from, literally, all over the world the end solution is mail server content filtering.."
The Linux email filter I spoke of absolutely does this, and very well. Postfix is the MTA on the server, it uses a daemon known as amavisd-new for content filtering, and amavisd uses spamassassin, which runs defined rules based on characteristics and Bayesian rules/learning based on probability, along with various plugins for scoring messages. The system can use antivirus software to scan all messages, I use clamav on ours. I'd love to see how my box would do against the "storm net". I've watched it withstand 800+ messages per minute for a few minutes during a dictionary attack once, and it barely went over 1/2 of it's available resources. If they did that with image spam though we would be a dead duck =). OCR checking on images is a bigtime load on the processors.
On our network I have all incoming traffic NAT'd to my Linux email filter, and all 'clean' messages get forwarded to our internal email servers where user mailboxes reside. I also use the email filter as the outgoing mail sever, having it scan outgoing mail for virii, and only port 25 traffic from this server is allowed to access the internet from inside our network. Doing this also allows our PTR and MX records to match, resulting in positive reverse lookup verification from other mail servers on the net.
Incoming email is nearly always received on port 25. This means someone has to send it on port 25. Ordinary users bypass this simply by sending mail to their Internet provider’s mail server, which forwards it.
If you can’t send on port 25, you have to use a relay.
http://oit.nd.edu/email/port25_block.shtml
Relays and mail servers that send spam can be traced and shut down. The problem is that it millions of zombies acting as mail servers cannot individually be traced and shut down. The answer is not to allow ordinary users to act as mail servers. This ought to be an optional, revocable privilege.
We have our firewall configured to only allow mail servers access to the internet on port 25. Long ago we had it open to any host, and one day we had reports from some users that their email wasn't getting to where they were sending it. I went to dnsstuff.com and found that our domain had been blacklisted for being a spammer. I checked the firewall logs and found the offending infected machine. It was a laptop an executive brought in having just returned from a trip to China. lol after that we made the before mentioned configuration on our firewall, and another rule that any mobile computers returning from China had to be 'checked in' before being allowed to connect to our network. ;^)
Check your firewall configuration again. The default is to block all incoming ports except for the few that are required for services, bit to allow any outgoing requests.
Simply put, this allows PCs to act as sending mail servers.
You legitimate mail server is blacklisted because it has the IP address seen by the public.
Good PC firewalls, like Zonealarm, block all outgoing services except for the ones you specifically allow. hardware firewalls can do this, but the ones I’ve seen don’t do this by default.
JS,
Your understanding of TCP/IP seems shaky, when you establish a session on tcp/ip the two systems have to be on different ports. Thats why the netstat I posted earlier had the receiver on 25 but the sender was 12007. The page you sourced explained exactly why you should not on an ISP block port 25 outgoing
"A mail server is like an electronic post office that gets all the mail for a particular organization. Blocking SMTP (Port 25) will prevent email from Notre Dame computers from going to any other mail servers on the Internet UNLESS it first goes through the central Notre Dame mail servers or a departmental/personal mail server that has been added to the"
This might be fine on a college mail network but if Im using At&t for my cable modem but AOL, Yahoo, or Gmail, or my companies mail server (which is not altogether uncommon) configuration you stop the person from sending mail to their mailserver.
That happened at work, and was a long time ago. At the time, it was early in the days of malware sending spam, and we learned the hard way. We don't use PC firewalls, as a matter of fact we don't allow them because they interfere with remote administration and some of our apps. We use either Cisco PIX 515s or Linux boxes running IPtables or Squid(for web traffic) on the DMZ and on the perimeter of our network(s).
The object isn't to block you from using your ISP's mail server as a relay. That's one of the things you are paying for. The object is to block you from sending mail without using your ISP as a relay. Looking into it, it's a bit more involved than I thought, but it can still be done. The ISP can't simply block port 25, but they can limit it to messages addressed to their server, intended for relaying.
I learned that the box in Exchanged labeled “You probably shouldn’t check this box” should always be checked. You can’t send delivery failure notices any more.
"The verdict, which may be appealed only on points of law and not of fact, could force Microsoft to change its business practices."
Kangaroo Kourt...
Wow. There are anti-trust laws?
Let me guess... You think that’s dandy?
LOL Why doesn't that surprise me....
The the benefits and protections afforded to corporations by the government merit some regulation. Nobody on FR thinks MS is not entitled to go out there and earn 99% of the OS market but they should not use that to push people out of other markets.What did they do, hire Hugo's thugs to "push people out"? The article says they used "marketing" as an unfair tactic. Really! Sounds like those fun German laws where you can't name your competitor in a derogatory manner in your ad.
MS for years has resisted the market demand for them to publish a robust API for windows....HUH?
What can't you do in Windows?*
MS has the most robust developer support on the planet.
They know that the KEY to platform success is to have people write useful applications for it. Unsurpassed developer support helped them become a "MONOPOLY".
* Please get as technical as you wish, I'll let you know if I can't keep up.
Are you upset because people mostly prefer MS over the alternatives? I don't understand all the MS bashing these days, other then the good old "they're big and rich therefore I hate them" attitude. People can use Macs or use Linux if they feel those will better serve their needs.For all the complaining people do, at the end of the day MS is still cost effective for most folks and that's why it's used most.
High marketshare doesn't equal monopoly. Even then a monopoly isn't illegal, or even necessarily bad. It's anti-competitive abuse of monopoly power that is bad and illegal, and Microsoft has been convicted of it on three continents.Review the landmark Alcoa Anti-Trust case. Depending on the political tides, all business are guilty of anti-competitive practices. They're so loosely written that it's like making breathing illegal.
Scenario #1: You and I both sell widgets. You price your widget at $1 and me at $1.01. We've determined that the market will bear that price.
You raise your price to $2. I don't.
You are guilty of "Price Gouging". Nothing will happen unless you become a big company that make a lot of people happy.
Scenario 2: You sell your widget for 50 cents. I stay at a buck. You're guilty of "Predatory Pricing".
Scenario 3: You and I continue to sell our stuff at roughly equal prices. We're both guilty of "Price Fixing".
Once you get big enough, bureaucrats with a complex can charge you. Oh, buy you may say that that you have to have e-mails between us proving this. Not so. Big successful companies who dominate a market know all the same players in the metrics and analysis part of their business. If they are successful they will know and deal with these people all the time. You also are keenly aware of my pricing and I yours. That, in itself proves it.
Anti-Trust is the most subjective law ever passed.
You wanna have some fun? Tell a Frito-Lay (huge "Monopoly") exec that some local potato chip maker is going tits-up. They have been propping up competitors for decades trying to keep the Elliott Spitzers at bay.
How about (hypothetical) I like writing server software that communicates with clients, and I have a very good piece of software that fills a need not yet addressed.Yada yada. They don't HAVE to tell you ANYTHING. Who wrote Windows? Do you have any claim to it?
You have some interop C/S software? Do you have an obligation to give me the code? What if you become successful? (See above)
But, they do. (A lot of 3rd party software communicates with clients)
Oh great so were going to stop spam by having ISP mail servers act as an open relay for comps on its subnets? Asking users to set up their mail clients to relay is less complicated then getting them to patch their dang servers?
Looking into it, it's a bit more involved than I thought, but it can still be done
Right so I have to relay mail regarding my job which might be privileged through a third party relay server?
The ISP can't simply block port 25, but they can limit it to messages addressed to their server, intended for relaying.
As a customer if they start telling me that I have to send my mail through their servers Ill be looking for another provider..
You realize, I hope, that FR runs on Linux.So what?
What many people don’t seem to understand is this: while a monopoly is perfectly legal, leveraging that monopoly to take over new markets is not. And that’s what MS is always trying to do.As new technologies emerge, new markets emerge. Is Microsoft supposed to stay out of those markets.
Perhaps MS could stay in the good graces of the Spitzers of the world if they just didn't fix and improve their software?
Again, the functional equivalent of breathing.
ALL business look to new markets. Even within "Windows", there are new ways to do old jobs. New applications. New technolgies. Remember when TCP/IP was new (to the desktop)? Should MS have stayed out of that?
With Vista being such a huge bust for so very many reasons, I predict Linux to have 10% of the OS market within 5 years and as much as 25-30% within 10 years. Maybe more.
I find that most people who turn to government regulation as the answer to MS claim that MS duped, stole, bought or that people are just too stupid and therefore their rights must be taken away.
Some claim even the corporate charter itself once adopted puts all companies at the mercy of the government.
These of course are false and your assessment is correct.
(1) They made OEM's an offer they could not refuse! Either you dont put netscape on your systems or well raise your rates for windows to the point where you cant compete
(2) They often put useless hook in the OS itself to break other software 'Dos aint done till lotus wont run
(3) They violated a contract with SUN for the purpose of breaking the write once run anywhere property of Java.
I disagree with this decision, MS should be free to bundle anything together but this does not change the fact that in the past they went over the top.
MS has the most robust developer support on the planet.
Funny then that they wanted until they were well established as a dominate OS *and* were found guilty of aof abusing their monopoly?
"In an effort to comply with its proposed consent decree with the U.S. Department of Justice, Microsoft announced the official enactment of uniform licensing terms for OEMs on Aug. 1, and an expansion of its technical disclosure efforts including plans to reveal 385 additional Windows application programming interfaces and proprietary communications protocols." ( August 2005 )
So MS kept their API's in house allowing them to write programs for windows superior to what could be done outside of Microsoft. That is using one monopoly to abuse companies in another sector..
Well, I have no response to that. I confess that because of my own family's experience of being the "big bad guy" in a monopoly case I have a bad taste over the whole concept of government getting involved to "level the playing field".
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.