Deny MX queries for dynamic IP pools

Sten Carlsen stenc at s-carlsen.dk
Sun Jan 31 14:28:01 UTC 2010


To me this seems to be a firewall/routing issue. If you know for sure
that some IP is sending spam, if you can not stop them, then at least
you can block their outgoing access to port 25.

Alternatively and maybe better arrange for a proxy server to do
filtering and discard spam. The proxy solution is actually used many
places and works reasonably well also for non-spammers.


Sven Eschenberg wrote:
> Dear Wael,
>
> In what way is blocking Port 25 any worse than blocking MX/root queries
> for clients? Both solutions neglect the fact, that spam is not a technical
> problem.
> Some ISPs think it is a good idea to forward you to a search web page,
> when you misspell some URL, this is done via DNS. Obviously, if the
> customer dislikes this, the customer will (and can) use his/her own
> recursor, stupidity of ISP solved - if the ISP would prevent the customer
> from doing this, the customer might not be a customer any longer.
>
> Just my 2 cents.
>
> -Sven
>
>
> On Sun, January 31, 2010 14:25, Wael Shaheen wrote:
>
>> Dear DNS Experts,
>>
>> This post is intended for discussion.
>>
>> The ISP I work for has HUGE dynamic IP pools that are full of spammers (of
>> course). This huge volume of spam is actually influencing the decision for
>> some of the international provider's whether to give us links or not let
>> alone the bad reputation and RBLs listing etc...
>> As a solution the routing team was thinking to block port 25 for outgoing
>> as
>> some ISPs do. However, I do not see this to be a valid solution for many
>> reasons such as clients that have email servers outside, or if decided to
>> be
>> redirected to spam filters then that will just cost the company too much.
>>
>> Luckily we have two sets of DNS server farms; one that is serving static IP
>> users and one that is dedicated only for dynamic IP users. The idea I have
>> proposed is to deny these dynamic users from performing MX queries.
>>
>> So instead of blocking port 25 we can redirect the DNS port to the DNS
>> farm
>> that is dedicated for dynamic users, that will guarantee that no standard
>> DNS port forwarded queries are going to external servers. Then we will
>> block
>> the MX and root queries for those dynamic clients.
>> That will prevent them from using a locally installed DNS service on their
>> machines or query MX records for targets they want to send spam to.
>>
>> Of course there will still be some challenges like if some spammers know
>> the
>> A record of the mail server they want to connect to or if they used the IP
>> address of the targeted mail server also if they used open dns that works
>> on
>> non-standard ports, but then again I believe these users will stand out
>> and
>> will be identified more easily.
>>
>> I would appreciate any comments you may have.
>>
>> Sincerely,
>> Wael
>>
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>>
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 
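Wael's point that dynamic-pool hosts doing their own MX lookups "will stand out" can be checked directly from a resolver's query log. The script below is an added example, not code from anyone in this thread: it parses BIND-style querylog lines (both the classic and the newer layout), keeps only MX queries from addresses inside the assumed dynamic pool ranges, and counts them per client so the operator can see which hosts to look at. Log lines, pool ranges and threshold are constructed for illustration.

```python
"""Flag dynamic-pool clients issuing MX lookups, from BIND query-log lines."""
import ipaddress
import re
from collections import Counter

# Matches both the classic and the newer BIND querylog line layouts.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

def parse_query(line):
    """Return (client_ip, qname, qtype), or None if the line is not a query entry."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name"), m.group("qtype")

def mx_lookups_by_dynamic_client(lines, dynamic_pools, threshold=1):
    """Count MX queries per client whose address falls inside a dynamic pool.
    Returns {client_ip: count} for clients at or above threshold."""
    pools = [ipaddress.ip_network(p) for p in dynamic_pools]
    counts = Counter()
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        ip, _name, qtype = parsed
        if qtype != "MX":
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in pool for pool in pools):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log lines (addresses taken from documentation ranges).
SAMPLE_LOG = [
    "31-Jan-2010 14:25:01.001 client 198.51.100.7#53211: query: example.com IN MX + (192.0.2.53)",
    "31-Jan-2010 14:25:01.002 client 198.51.100.7#53212: query: example.net IN MX + (192.0.2.53)",
    "31-Jan-2010 14:25:01.003 client 198.51.100.7#53213: query: example.org IN MX + (192.0.2.53)",
    "31-Jan-2010 14:25:01.004 client 198.51.100.9#40001: query: www.example.com IN A + (192.0.2.53)",
    "31-Jan-2010 14:25:01.005 client 203.0.113.5#40002: query: example.com IN MX + (192.0.2.53)",
    "31-Jan-2010 14:25:01.006 client @0x7f1a2c003ec0 198.51.100.20#5300 (example.com): query: example.com IN MX +E(0)K (192.0.2.53)",
]
DYNAMIC_POOLS = ["198.51.100.0/24"]  # assumed dynamic pool; 203.0.113.0/24 is treated as static

if __name__ == "__main__":
    for ip, n in sorted(mx_lookups_by_dynamic_client(SAMPLE_LOG, DYNAMIC_POOLS, threshold=2).items()):
        print(f"{ip}: {n} MX lookups from the dynamic pool")
```

On the sample data only 198.51.100.7 crosses the threshold of two; the static 203.0.113.5 host is ignored even though it also asked for an MX record.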



