
List:       spamassassin-users
Subject:    Re: spamcop.net tactics
From:       Aaron Grewell <AGrewell () uwb ! edu>
Date:       2005-11-21 19:06:05
Message-ID: 1132599965.22017.20.camel () cygnus ! uwb ! edu


> Seems to me like setting up a firewall or network logger should make it pretty
> easy to see what is sending out inordinate amounts of traffic on port 25.  Or
> you could just block port 25 outgoing as a matter of policy and force people
> to go out through the university mail servers.  No one should be sending
> email directly from a residential machine anyway.
>
> It may be difficult either politically or technically, but it's not spamcop's
> job to police your network for you.  It's spamcop's job to help its customers
> deal with *their* spam problem - that you're apparently (if unwittingly)
> helping to cause.
>
> University networks are pretty well known to be swiss cheese as far as
> security goes.  Yours is probably no exception.  Fix that problem and your
> spam problem should be fixed along with it.

It's a nice thought, but if it's anything like our environment we're not
actually allowed to fix it (we don't control the routers etc) so that's
not an option.  My suggestion is to ask the network folks for a
mirroring port on your WAN router and monitor it carefully for abuse.
Ask your users to register non-campus equipment with the helpdesk.  You
may be forced to resort to the LAN Mafia routine a few times, but as
the users begin to understand that you can shut them down if you need to
(block them at the DHCP server or whatever resources you do control) you
should be able to get more cooperation since it reduces inconvenience
for them if something bad does happen.  We find our monitoring system
(NTop, Snort, etc) to be invaluable for dealing with this sort of thing,
and you may be able to use SpamAssassin with a mirror port to check
outbound mail through the WAN link if you set it up right.  I haven't
tried that but it's probably worth a shot.
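
The mirror-port monitoring discussed in this thread, as an added example that is not part of the original message: it reads `tcpdump -nn -tt` text output and reports campus hosts that open SMTP connections to many distinct off-campus servers within a short window, ignoring the sanctioned relay and mail handed to campus servers. The campus range `10.20.0.0/16`, the relay `10.20.0.25`, the thresholds and the sample capture are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn -tt` text format, as read from a mirror port.
SAMPLE = """\
1132599900.000000 IP 10.20.5.17.40001 > 198.51.100.7.25: Flags [S], seq 1, win 5840, length 0
1132599901.500000 IP 10.20.5.17.40002 > 198.51.100.8.25: Flags [S], seq 1, win 5840, length 0
1132599901.600000 IP 198.51.100.7.25 > 10.20.5.17.40001: Flags [S.], seq 9, ack 2, win 5840, length 0
1132599903.000000 IP 10.20.5.17.40003 > 203.0.113.20.25: Flags [S], seq 1, win 5840, length 0
1132599909.000000 IP 10.20.5.17.40004 > 203.0.113.21.25: Flags [S], seq 1, win 5840, length 0
1132599910.000000 IP 10.20.8.40.51000 > 10.20.0.25.25: Flags [S], seq 1, win 5840, length 0
1132599912.000000 IP 10.20.9.9.52001 > 192.0.2.90.25: Flags [S], seq 1, win 5840, length 0
1132599920.000000 IP 10.20.0.25.33001 > 192.0.2.1.25: Flags [S], seq 1, win 5840, length 0
1132599921.000000 IP 10.20.0.25.33002 > 192.0.2.2.25: Flags [S], seq 1, win 5840, length 0
1132599922.000000 IP 10.20.0.25.33003 > 192.0.2.3.25: Flags [S], seq 1, win 5840, length 0
""".splitlines()

SYN = re.compile(r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
                 r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")

def flag_smtp_talkers(lines, campus="10.20.0.0/16", relays=("10.20.0.25",),
                      window=60.0, max_dests=2):
    """Map each flagged campus host to its peak count of distinct off-campus
    port-25 destinations contacted within any `window` seconds."""
    net = ipaddress.ip_network(campus)
    events = defaultdict(list)
    for line in lines:
        m = SYN.match(line)
        if not m or m.group(4) != "25":
            continue                      # only new connections to port 25
        ts, src, dst = float(m.group(1)), m.group(2), m.group(3)
        if src in relays or ipaddress.ip_address(src) not in net:
            continue                      # sanctioned relay, or not our host
        if ipaddress.ip_address(dst) in net:
            continue                      # mail handed to the campus servers
        events[src].append((ts, dst))
    flagged = {}
    for src, ev in events.items():
        ev.sort()
        start = peak = 0
        for end in range(len(ev)):        # sliding window over sorted events
            while ev[end][0] - ev[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in ev[start:end + 1]}))
        if peak > max_dests:
            flagged[src] = peak
    return flagged
```

Calling `flag_smtp_talkers(SAMPLE)` reports only `10.20.5.17`; feeding it live data means piping the capture tool's text output into the `lines` argument.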