Deny MX queries for dynamic IP pools

Sven Eschenberg sven at whgl.uni-frankfurt.de
Sun Jan 31 14:17:02 UTC 2010


Dear Wael,

In what way is blocking Port 25 any worse than blocking MX/root queries
for clients? Both solutions neglect the fact that spam is not a technical
problem.
Some ISPs think it is a good idea to forward you to a search web page
when you misspell some URL; this is done via DNS. Obviously, if the
customer dislikes this, the customer will (and can) use his/her own
recursor, stupidity of ISP solved - if the ISP would prevent the customer
from doing this, the customer might not be a customer any longer.

Just my 2 cents.

-Sven


On Sun, January 31, 2010 14:25, Wael Shaheen wrote:
> Dear DNS Experts,
>
> This post is intended for discussion.
>
> The ISP I work for has HUGE dynamic IP pools that are full of spammers (of
> course). This huge volume of spam is actually influencing the decision for
> some of the international providers whether to give us links or not, let
> alone the bad reputation and RBL listings etc...
> As a solution the routing team was thinking to block port 25 for outgoing as
> some ISPs do. However, I do not see this to be a valid solution for many
> reasons such as clients that have email servers outside, or if decided to be
> redirected to spam filters then that will just cost the company too much.
>
> Luckily we have two sets of DNS server farms; one that is serving static IP
> users and one that is dedicated only for dynamic IP users. The idea I have
> proposed is to deny these dynamic users from performing MX queries.
>
> So instead of blocking port 25 we can redirect the DNS port to the DNS farm
> that is dedicated for dynamic users, which will guarantee that no standard
> DNS port forwarded queries are going to external servers. Then we will block
> the MX and root queries for those dynamic clients.
> That will prevent them from using a locally installed DNS service on their
> machines or querying MX records for targets they want to send spam to.
>
> Of course there will still be some challenges, like if some spammers know the
> A record of the mail server they want to connect to, or if they used the IP
> address of the targeted mail server, also if they used open DNS that works on
> non-standard ports, but then again I believe these users will stand out and
> will be identified more easily.
>
> I would appreciate any comments you may have.
>
> Sincerely,
> Wael
>
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
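The query policy Wael describes (dynamic-pool clients may not ask for MX records or the root zone, everything else passes), written out as an added illustration; this is not code from the thread or from BIND. The dynamic pool prefix and the test hostnames are constructed, and the filter decides on raw wire-format queries so the caveat from the post is visible: an A query for the target mail host still gets through.

```python
import ipaddress
import struct

# Constructed: the ISP's dynamic pool (hypothetical prefix) and the query types denied.
DYNAMIC_POOLS = [ipaddress.ip_network("10.20.0.0/16")]
QTYPE_A, QTYPE_NS, QTYPE_MX = 1, 2, 15


def parse_question(packet: bytes):
    """Return (qname, qtype) from the first question of a DNS query in wire format."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a query's question name never uses compression pointers
            raise ValueError("unexpected compression in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels) or ".", qtype


def policy(src_ip: str, packet: bytes) -> str:
    """Proposed rule: refuse MX lookups and root-zone queries from the dynamic pool."""
    qname, qtype = parse_question(packet)
    dynamic = any(ipaddress.ip_address(src_ip) in net for net in DYNAMIC_POOLS)
    if dynamic and (qtype == QTYPE_MX or qname == "."):
        return "REFUSED"
    return "ALLOW"


def build_query(qname: str, qtype: int) -> bytes:
    """Construct a minimal DNS query (id 0x1234, RD set, class IN) for testing."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    name = b""
    if qname != ".":
        for label in qname.rstrip(".").split("."):
            name += bytes([len(label)]) + label.encode("ascii")
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for ip, name, qt in [("10.20.5.7", "example.com", QTYPE_MX), ("10.20.5.7", ".", QTYPE_NS),
                         ("10.20.5.7", "mail.example.com", QTYPE_A), ("192.0.2.10", "example.com", QTYPE_MX)]:
        print(ip, name, qt, policy(ip, build_query(name, qt)))
```

The third case is the gap the post itself points out: a client that already knows the mail host's name (or its address) is not affected by the MX restriction, so this only raises the bar rather than closing the path.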