On 13/04/13 11:49, Moritz Bartl wrote:
On 13.04.2013 09:05, Jorge-Leon wrote:
- Allow everything (except port 25, which is reasonable to block)
- If you don't want the DMCA spam notices, use the reduced exit policy.
Please expand on "except port 25, which is reasonable to block", or point me to an explanation.
In short: We had port 25 (SMTP) open for a while, which resulted in a lot of spam being sent directly to mailservers across the globe, which will then immediately get your IP blacklisted at a lot of DNSBLs. Many ISPs don't like their own ranges to contain blacklisted IPs, because that results in lower overall "reputation scores", and sometimes blacklistings are extended to a whole range of IPs, which then affects other customers.
Also, in addition to the above, fairly few providers only accept on 25, and it's rarely the recommended setup. Most end-user-facing Mail Transfer Agent (MTA) servers intending to receive mail from Mail User Agents (MUAs, i.e. Thunderbird, Outlook Express, whatever) will accept SMTPS on 465 or Submission, usually with TLS, on 587, which also have other advantages: SMTPS is encrypted, and both are usually authenticated; in fact, Submission is specified as such, so you can't generally dump direct mail into either unless you are a legitimate user of a valid email account carried by that server.
Thus, when considering the two together:
1. The level of abuse of port 25 is incredibly large; spam is pretty much the single most common abuse issue on the Internet.
2. Alternative options exist that are more secure.
For me that makes the port 25 block reasonable.
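As an added illustration of the "allow everything except port 25" policy discussed above (example code, not from anyone in this thread and not Tor's own code): Tor evaluates ExitPolicy rules in order and the first matching rule decides, so the order of the reject and accept lines matters. The evaluator below parses torrc-style ExitPolicy lines (address matching is simplified to the `*` wildcard and IPv4 CIDR networks), and the sample policies and destination addresses are constructed for the example using documentation-range IPs.

```python
"""Evaluate a Tor-style ExitPolicy: rules are checked in order and the
first matching rule decides. Added example for this thread, not code from
Tor or from anyone in the discussion; the policies and addresses below are
constructed (documentation-range IPs)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                # "accept" or "reject"
    network: Optional[object]  # None stands for the '*' wildcard
    port_lo: int
    port_hi: int


def _parse_ports(spec: str) -> tuple[int, int]:
    """'*' -> all ports, 'N' -> single port, 'A-B' -> inclusive range."""
    if spec == "*":
        return 1, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def parse_policy(torrc_text: str) -> list[Rule]:
    """Collect every 'ExitPolicy' line; comma-separated entries are allowed."""
    rules: list[Rule] = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line.startswith("ExitPolicy "):
            continue
        for entry in line[len("ExitPolicy "):].split(","):
            action, _, target = entry.strip().partition(" ")
            if action not in ("accept", "reject"):
                raise ValueError(f"unknown action in {entry!r}")
            addr, sep, ports = target.rpartition(":")
            if not sep:                      # no port given => any port
                addr, ports = target, "*"
            network = None if addr == "*" else ip_network(addr, strict=False)
            lo, hi = _parse_ports(ports)
            rules.append(Rule(action, network, lo, hi))
    return rules


def exit_allows(rules: list[Rule], dest_ip: str, dest_port: int) -> bool:
    """First matching rule wins. No match => reject here; that is this
    example's conservative choice, Tor itself appends its own default policy."""
    ip = ip_address(dest_ip)
    for r in rules:
        if r.network is not None and ip not in r.network:
            continue
        if r.port_lo <= dest_port <= r.port_hi:
            return r.action == "accept"
    return False


# "Allow everything except port 25", as discussed in the thread (constructed).
ALLOW_ALL_BUT_25 = """
ExitPolicy reject *:25
ExitPolicy accept *:*
"""

# Same two rules in the wrong order: the accept matches first, so port 25 is
# still open (constructed to show why ordering matters).
MISORDERED = """
ExitPolicy accept *:*
ExitPolicy reject *:25
"""


def check_mail_ports(torrc_text: str, dest_ip: str = "203.0.113.10") -> dict[int, bool]:
    """Report whether SMTP (25), SMTPS (465) and Submission (587) would be
    allowed to exit towards dest_ip under the given policy."""
    rules = parse_policy(torrc_text)
    return {port: exit_allows(rules, dest_ip, port) for port in (25, 465, 587)}


if __name__ == "__main__":
    print("reject-first:", check_mail_ports(ALLOW_ALL_BUT_25))  # 25 blocked, 465/587 open
    print("misordered:  ", check_mail_ports(MISORDERED))        # 25 still open
```

Running the block shows the reject-first policy blocking 25 while leaving 465 and 587 (and everything else) open, and the misordered policy letting 25 through, which is the usual mistake when hand-editing an exit policy.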