Deny MX queries for dynamic IP pools

Wael Shaheen wael.shahin at gmail.com
Sun Jan 31 13:25:48 UTC 2010


Dear DNS Experts,

This post is intended for discussion.

The ISP I work for has HUGE dynamic IP pools that are full of spammers (of
course). This huge volume of spam is actually influencing the decision of
some of the international providers on whether to give us links or not, let
alone the bad reputation and RBL listings etc...
As a solution the routing team was thinking of blocking outgoing port 25, as
some ISPs do. However, I do not see this as a valid solution, for many
reasons, such as clients that have email servers outside, or, if it is decided
to redirect it to spam filters, that will just cost the company too much.

Luckily we have two sets of DNS server farms; one that serves static IP
users and one that is dedicated only to dynamic IP users. The idea I have
proposed is to prevent these dynamic users from performing MX queries.

So instead of blocking port 25 we can redirect the DNS port to the DNS farm
that is dedicated to dynamic users, which will guarantee that no queries on the
standard DNS port are forwarded to external servers. Then we will block
the MX and root queries for those dynamic clients.
That will prevent them from using a locally installed DNS service on their
machines or querying MX records for targets they want to send spam to.

Of course there will still be some challenges, like if some spammers know the
A record of the mail server they want to connect to, or if they use the IP
address of the targeted mail server, or if they use open DNS servers that work
on non-standard ports, but then again I believe these users will stand out and
will be identified more easily.

I would appreciate any comments you may have.

Sincerely,
Wael





More information about the bind-users mailing list