[afnog] Filtering outgoing SPAM

Mark Elkins mje at posix.co.za
Wed Mar 25 16:32:30 UTC 2015


Anti-SPAM SMTP Proxy is only a small portion of the cure.

I'll guess that many customer PCs have been compromised and have a
virus that sends out e-mail from your IP Block to the outside world.
I assume you already have some sort of authentication for your customers
- i.e. for inbound e-mail or connecting to your access authentication
system???

One possible idea is to block all outbound SMTP at your border router
and only accept outbound SMTP from some controlled Mail Relay system.
This could be running "ASSP" or simply be a Mail System with decent
Anti-Spam software.

You then need to consider using Mail Submission. This is a port 587
service and the user sending the outbound e-mail needs to authenticate
with a username/password combination. It's over a TLS connection - so
mail is also passed encrypted from the PC to the SMTP Relay
(Username/Password is encrypted - as well as the e-mail).

This makes life very difficult for infected machines to now send e-mail.

As all e-mail now passes through a Mail Relay - you can impose quotas on
individuals, scan their outbound e-mail for viruses and start teaching
them about your AUP (Acceptable Use Policy). Users will squeal. No one
likes changes. Some larger users may try and muscle you. Don't give in -
except for large users that already run Submission services internally
(make that the criterion for "giving in").

Users need to change their outbound mail port and add their user/passwd.
The Username/Password combo ideally would be the same as for fetching
e-mail (via POP3/IMAP) and as the Mail Relay should read from the same
Database as the POP3/IMAP servers - not too much continuous user
management of passwords is needed.


I've been running Submission on my laptop for years. Amongst the
advantages, when I travel - port 587 is (almost) always open - my
outbound e-mail goes to my own server back home - from where it's
delivered - not intercepted by the Hotel's/Airport's system...

Switch on SSL/TLS on POP3/IMAP services as well. Users should appreciate
the extra security. 

I've done this at a client (an ISP). They don't get blacklisted any
more. In some countries - (e.g. Sweden) I'm told Mail Submission is
standard operating practice for everybody.

Whilst you are adding rules to your routers - also read up on BCP38 -
and implement ingress/egress filtering - only allow traffic off your
network if the packet's sender address matches your IP allocation.
Remember to add all the same filters for your IPv6 addressing.

On Wed, 2015-03-25 at 15:19 +0000, Okai, Yusif, Vodafone Ghana wrote:
> Hi Tariq,
> 
> Try ASSP
> 
> Regards

> From: afnog [mailto:afnog-bounces at afnog.org] On Behalf Of Tarig Yassin
> Sent: 25 March 2015 15:01
> To: afnog afnog
> Subject: [afnog] Filtering outgoing SPAM

> Dear Afnog

> Our Prefixes recently have been blacklisted due to our customers keep
> sending out spam…
> 
> Is there any reliable solution “open source always preferred” which
> can handle all outgoing SMTP traffic without affecting the service?

> thanks


-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
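The border-router policy described in the message above (BCP38 egress filtering for both address families, direct outbound TCP/25 allowed only from the controlled Mail Relay, port 587 submission left alone), as an added example that is not part of the original post: a small Python model of the per-packet verdict plus a rendering of the same policy as an nftables ruleset. The prefixes, relay addresses and the "upstream" interface name are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed placeholder values, not from the post: the ISP's own IPv4/IPv6
# allocations, the controlled outbound Mail Relay, and the upstream interface.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:100::/48")]
MAIL_RELAYS = {ipaddress.ip_address(a) for a in ("198.51.100.25", "2001:db8:100::25")}
UPSTREAM_IF = "upstream"
SMTP_PORT = 25


def egress_verdict(src, proto, dport):
    """Verdict for one packet leaving the border router towards the Internet.

    Rule order follows the post: BCP38 first (a source address outside our
    allocation is spoofed and dropped), then direct outbound SMTP (TCP/25) is
    accepted only from the Mail Relay.  Submission (TCP/587) from customer
    PCs is left alone, since the relay authenticates those users itself.
    """
    src_ip = ipaddress.ip_address(src)
    if not any(src_ip in net for net in OUR_PREFIXES):
        return "drop:bcp38-spoofed-source"
    if proto == "tcp" and dport == SMTP_PORT and src_ip not in MAIL_RELAYS:
        return "drop:direct-smtp-not-from-relay"
    return "accept"


def nftables_ruleset():
    """Render the same policy as an nftables ruleset for a Linux border box."""
    v4 = [str(n) for n in OUR_PREFIXES if n.version == 4]
    v6 = [str(n) for n in OUR_PREFIXES if n.version == 6]
    r4 = [str(a) for a in sorted(MAIL_RELAYS, key=str) if a.version == 4]
    r6 = [str(a) for a in sorted(MAIL_RELAYS, key=str) if a.version == 6]
    return "\n".join([
        "table inet border {",
        f"  set our_v4 {{ type ipv4_addr; flags interval; elements = {{ {', '.join(v4)} }} }}",
        f"  set our_v6 {{ type ipv6_addr; flags interval; elements = {{ {', '.join(v6)} }} }}",
        f"  set relays_v4 {{ type ipv4_addr; elements = {{ {', '.join(r4)} }} }}",
        f"  set relays_v6 {{ type ipv6_addr; elements = {{ {', '.join(r6)} }} }}",
        "  chain egress {",
        "    type filter hook forward priority 0; policy accept;",
        "    # BCP38: nothing leaves with a source address we do not own",
        f'    oifname "{UPSTREAM_IF}" ip saddr != @our_v4 counter drop',
        f'    oifname "{UPSTREAM_IF}" ip6 saddr != @our_v6 counter drop',
        "    # direct SMTP only from the relay; port 587 submission still passes",
        f'    oifname "{UPSTREAM_IF}" tcp dport {SMTP_PORT} ip saddr != @relays_v4 counter drop',
        f'    oifname "{UPSTREAM_IF}" tcp dport {SMTP_PORT} ip6 saddr != @relays_v6 counter drop',
        "  }",
        "}",
    ])
```

The `counter` keyword on each drop rule keeps a hit count, which is the quickest way to see which customer addresses are still trying to talk directly to port 25 after the change.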