Re: [Asrg] What are the IPs that sends mail for a domain?

Ian Eiloart <iane@sussex.ac.uk> Mon, 22 June 2009 12:01 UTC

Return-Path: <iane@sussex.ac.uk>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7FBEE3A6B27 for <asrg@core3.amsl.com>; Mon, 22 Jun 2009 05:01:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.535
X-Spam-Level:
X-Spam-Status: No, score=-2.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nnfi8+8h66GT for <asrg@core3.amsl.com>; Mon, 22 Jun 2009 05:01:18 -0700 (PDT)
Received: from lynndie.uscs.susx.ac.uk (lynndie.uscs.susx.ac.uk [139.184.14.87]) by core3.amsl.com (Postfix) with ESMTP id 8557D3A69B9 for <asrg@irtf.org>; Mon, 22 Jun 2009 05:01:18 -0700 (PDT)
Received: from lewes.staff.uscs.susx.ac.uk ([139.184.134.43]:50099) by lynndie.uscs.susx.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.64) (envelope-from <iane@sussex.ac.uk>) id KLN2S5-00065V-CQ for asrg@irtf.org; Mon, 22 Jun 2009 13:02:29 +0100
Date: Mon, 22 Jun 2009 13:01:22 +0100
From: Ian Eiloart <iane@sussex.ac.uk>
Sender: iane@sussex.ac.uk
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <BF2C35FBBFC2EA6512EF0020@lewes.staff.uscs.susx.ac.uk>
Originator-Info: login-token=Mulberry:01dpHGZd/yNMq3/hrH4rfpBjnY3Annv9m36/w=; token_authority=support@its.sussex.ac.uk
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Sussex: true
X-Sussex-transport: remote_smtp
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jun 2009 12:01:19 -0000

--On 21 June 2009 09:33:27 +1200 Franck Martin <franck@avonsys.com> wrote:

>
> yes I'm not sure that blocking port 25 will ever be possible. I think
> less and less people want their mailbox tied up to an ISP, this is why
> they get a mailbox on yahoo, google, etc... So these services requires
> you usuallyusualy to connect via port 25 and authenticate, but that means 
for
> the ISP to let port 25 open.

No, they don't. Both allow you to use port 587, as do AOL and Hotmail

telnet smtp.mail.yahoo.com 587
Trying 69.147.102.58...
Connected to smtp.plus.mail.fy4.b.yahoo.com.
Escape character is '^]'.
220 smtp113.plus.mail.re1.yahoo.com ESMTP
quit
221 smtp113.plus.mail.re1.yahoo.com

telnet smtp.gmail.com 587
Trying 74.125.79.111...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP 10sm139741eyd.17
quit
221 2.0.0 closing connection 10sm139741eyd.17

Can anyone find a large commercial ESP that offers authenticated smtp on 
port 25, but not 587?

Please read rfc 4409. Port 465 is still in use to support some clients, but 
should be discouraged because it's allocated for some other purpose.

> Blocking port 25 and letting port smtps/465
> open to allow users to still submit email is better, but just a
> temporaray measures until botnet use smtps to submit.

Even then, it's still better. Even if you don't get to identify the botnet 
owner, you get to identify the owner of the compromised host - who also has 
some responsibility for the spam. And, you're routing the spam through an 
email service provider who has a contractual relationship with the owner or 
operator of the compromised host.

> The only think I see in this system, is to identify IPs of mail servers
> via an out of band process. Like a record in the DNS. To avoid DDNS (the
> ability of the compromised machine to push a record in the DNS), it
> should be in the Reverse DNS or in a subdomain.
>
> Now a receiving MTA would be able to use this filter, either the sending
> MTA authenticate (MUA) or the sending MTA is recorded as a MTA in the
> DNS. Now this cannot be enabled overnight, but a spamassassin filter
> could give a negative score if the sending MTA is DNS recorded.



-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/