Mailing List Archive


Re: Cisco 2611 as a firewall?



Thomas O'Dowd (tom@example.com) wrote:

> Why filter outgoing 25? Presumably you are trying to stop customers
> who are potential spammers from directly sending email avoiding
> your mail servers and filters. If my ISP blocked any outgoing ports
> I'd move on... I consider it basic privacy and usually throw in PGP

You realize, of course, that the only mailservers you can connect to
on port 25 outside of your ISPs network are improperly configured
ones (yes, pop-before-smtp counts as improper configuration; it's
a total kludge and we have seen it defeated by spammers), so you
are in essence arguing in favor of open relays, at least to
some extent.  Fair enough, some people think open relays are
perfectly fine; I'm just kind of surprised to see it from you.
You seem to be a fairly anti-spam kind of guy.

Any argument that anyone could ever have made for allowing
outbound port 25 from a dial pool has been taken away by the
current widespread support for auth smtp.

You'll find it more and more difficult to get an ISP that doesn't
filter outbound port 25 on their dial-up pools; many of us do it and
more get onboard all the time. 


> for good measure. Why not have a good policy against spammers instead
> and terminate them on valid claims of spam with some extra fines 
> thrown in for good measure. Freedom..

Because that only works after the fact (which means that it
doesn't work at all; it's kind of like having a law against
burglary but leaving your door unlocked; your stuff gets
stolen and probably never recovered, and all you can do is try to
prosecute the burglar after the fact); the spammer gets a freebie,
no matter what.  And that's all they want.  Spammers tend not
to use the same account for more than one or two runs, because
it gets terminated as soon as they're found out (well, not everywhere;
seem pretty soft on spam).  Secondly, it's very difficult to collect
those fines.   If you tell the spammer "We're billing you for $500
for excessive use of system resources, cleanup, and damage control" and
they tell you where to shove it (which they will), you'll spend
more than that trying to get the $500 from them, and there's no
guarantee of success.

You sound like a person who has never worked at an ISP.  You ought
to try it some time.  It may convert you to port 25 filtering quickly.
We've been doing it for about two years now, and it's pretty effective.
The few spammers we've had have been forced to go through our SMTPs
and as a result were even caught in the act in several cases and
terminated while they were still sending.  And yes, it's lots of
fun to log into the RAS, cut off the spammer, see them dial in again,
cut them off again, see them dial again, cut them off again, until
the update to their account status goes into effect and they get
brushed off by the RAS  :-) 

Jonathan
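The outbound-25 filter Jonathan describes, written out as an added example; this is not part of the original thread and no configuration was posted in it. It is a Cisco IOS extended access list that lets dial-pool customers reach the ISP's own mail relay on port 25 but drops direct-to-MX connections from the pool and logs the hits. The interface name (Group-Async1), the pool range 192.0.2.0/24 and the relay address 198.51.100.25 are assumptions (documentation ranges); substitute your own. Permitting the submission port 587 next to 25 is also an addition here, since authenticated submission is what the message says makes direct outbound 25 unnecessary.

```cisco
! Added example (assumed addresses and interface name, not from the thread).
! Applied inbound on the dial-pool interface, i.e. to traffic arriving
! from customers, so it sees every connection they originate.
ip access-list extended DIALPOOL-IN
 remark Customers may reach our own relay on 25 and on the submission port
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.25 eq 25
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.25 eq 587
 remark Block direct delivery to anyone else's MX; log so a spam run is visible
 deny   tcp 192.0.2.0 0.0.0.255 any eq 25 log
 remark Everything else from the pool passes unchanged
 permit ip 192.0.2.0 0.0.0.255 any
!
interface Group-Async1
 ip access-group DIALPOOL-IN in
!
! The pool range above is assumed to be what the RAS hands out; if the
! pool uses several ranges, repeat the three pool lines for each one.
```

The order matters: the two permits for the relay must precede the deny, because IOS stops at the first matching line. `show access-lists DIALPOOL-IN` prints a per-line match counter, and the `log` keyword on the deny emits a syslog message for matches, which is how a customer hammering outside port 25 gets noticed while still connected rather than after the complaints arrive.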

