Thursday 18 January 2007

Port 25 Blocking is NOT a Panacea

Increasing numbers of ISPs block the outbound SMTP port 25, requiring all outbound email to go through the ISP's official MTA, using SMTP authentication. However, ISPs that have implemented port 25 blocking shouldn't rest on their laurels.

The basic problem with port 25 blocking is that botnets can subvert it. Once a PC is compromised, nothing stops the malware from submitting spam to the ISP's official MTA using credentials stolen from the Windows registry or captured by keystroke logging.

Port 25 blocking is useful if an ISP's only other defense is outbound spam filtering, but ISPs should do much more. For example:

  • Cooperating with reputation services that list IP ranges that have no business sending unauthenticated mail direct-to-MX, such as Spamhaus's new PBL
  • Recording the volumes of outbound port 25 traffic -- a sharp increase from the historical trend can indicate infection
  • Monitoring blocked attempts to use port 25 to outside MTAs -- another indication of infection
  • Disrupting botnet command and control messages
  • Moving infected PCs into a "walled garden", which prevents them from sending email, surfing the Web, or using other Internet applications until the problem has been cleaned up
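As an added illustration of the second and third points above (example code, not part of the original post), the following Python sketch counts each subscriber's outbound port 25 attempts from constructed edge-firewall log lines, flags a sharp rise over that host's own recent history, and separately lists hosts with many blocked direct-to-MX attempts. The log line format, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from statistics import mean

# Assumed edge-firewall line format (not from the post): timestamp, verdict, source, port.
LOG_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DPT=25$")
DAYS = ("2007-01-15", "2007-01-16", "2007-01-17", "2007-01-18")

def make_sample_logs():
    """Constructed sample log lines: one per outbound connection to a remote port 25.
    DROP = stopped by the port 25 filter, ACCEPT = submission to the ISP's own MTA."""
    profile = [  # (subscriber, verdict, attempts per day over DAYS); all values constructed
        ("10.0.0.5", "ACCEPT", [10, 11, 9, 12]),  # steady, legitimate mail volume
        ("10.0.0.7", "DROP", [1, 0, 1, 60]),      # burst of blocked direct-to-MX attempts
        ("10.0.0.9", "ACCEPT", [2, 2, 1, 25]),    # burst via the ISP MTA: stolen credentials?
    ]
    lines = []
    for src, action, counts in profile:
        for day, n in zip(DAYS, counts):
            lines += [f"{day}T09:00:{i % 60:02d} {action} SRC={src} DPT=25" for i in range(n)]
    return lines

def daily_counts(lines):
    """Return {src: {day: {"ACCEPT": n, "DROP": n}}}; lines that do not match are ignored."""
    counts = defaultdict(lambda: defaultdict(lambda: {"ACCEPT": 0, "DROP": 0}))
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m["src"]][m["day"]][m["action"]] += 1
    return counts

def find_spikes(counts, today, factor=5.0, minimum=20):
    """Subscribers whose port 25 attempts today (blocked or not) exceed `factor` times
    their own mean over earlier days and reach `minimum`: a possible infection."""
    spikes = {}
    for src, days in counts.items():
        history = [sum(days[d].values()) for d in days if d < today]
        baseline = mean(history) if history else 0.0
        current = sum(days[today].values()) if today in days else 0
        if current >= minimum and current > factor * baseline:
            spikes[src] = (baseline, current)
    return spikes

def blocked_sources(counts, today, threshold=10):
    """Subscribers with at least `threshold` blocked direct-to-MX attempts today."""
    return {src: days[today]["DROP"] for src, days in counts.items()
            if today in days and days[today]["DROP"] >= threshold}
```

Running `find_spikes(daily_counts(make_sample_logs()), DAYS[-1])` flags both 10.0.0.7 and 10.0.0.9, while `blocked_sources` lists only 10.0.0.7: the volume check catches the host that relays through the ISP MTA with valid credentials, which the port 25 filter alone never sees.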
