Re: blocking spam with cisco routers [7:48971] posted 07/17/2002

Priscilla brings up a good point in that this will not be easy. The most important issue here, as Priscilla pointed out, is going to revolve around the architecture of your networks or the network you use for connectivity (to the rest of the world). Some other questions that may apply are very specific to your email services. If you have your own domain and don't relay any mail for specific purposes, then this will help; however, mail directly addressed to your domain's users will be delivered. The problem here is how do you determine who is allowed to send you email. This is somewhat of an impossible task because there's no real way of identifying your SMTP-specific "Community of Interest" (COI).

The reason being that SMTP (TCP) connections are made from any server to server (your server) for the delivery of mail. I'm sure your SMTP requirements are much like the typical domain, in which filtering inbound mail falls outside the area of the routed network. It's one thing to filter a specific host or number of hosts to prevent the spread of a new "virus". This would still only be accomplished through monitoring of existing SMTP traffic flows, in which you could address the issue by resolving the source of the infected mail traffic. Again, the traffic is only identified based on a "criteria" which can now be tracked or filtered.

Where I'm going with this is that the only effective way of containing "spam" is by identifying who is sending it and, most importantly, what "subject lines" are being used in the spam email received. This is important because you might not want to block or filter all mail inbound from "", so finding another way to identify the "spam" is very important. I'm not sure of the flexibility of Micro$oft's Exchange to filter mail based on "subject lines", but I know that sendmail (the best mail server) through the use of the "cf" file can aid in this process. There is assistance in the form of various programs that do this type of filtering; however, the need to provide the "rules" for the filter still falls within the area of monitoring and prevention.

Currently, we use Solaris on all of our mail servers (16 of them). We do relay mail for all or most of our users, and with some scripting and MySQL was able to compile a database of the domains and subject lines of typical spam-specific emails. All inbound email is processed through this script, which will tag the "spam" email and forward it into a separate mail server queue for profiling (to check the validity), before being forwarded to the user. We have just begun to use a program called "SpamAssassin" which uses our daily updated list of spammers and subject lines.



P.S.  Please note the use of "Howard-isms" in this email..:->

----- Original Message -----
From: "Priscilla Oppenheimer" 
Sent: Tuesday, July 16, 2002 10:50 PM
Subject: Re: blocking spam with cisco routers [7:48971]

> Brad Ellis wrote:
> >
> > Yup, use an access list filtering IPs on port 25 (only allow
> > yours through)
> Yes, but other SMTP servers for legitimate reasons are also going to be
> opening TCP sessions to port 25 because they have e-mail to send to your
> users. It's not as easy as it sounds.
> I guess it depends on the ISP's network architecture too. We have a
> challenge where I work in that our users are on cable modems that connect
> the cable provider (which isn't technically us). Their e-mail requests
> into our network on the same interface that all Internet traffic comes in
> Priscilla
> >
> > thanks,
> > -Brad Ellis
> > CCIE#5796 (R&S / Security)
> > bellis@xxxxxxxxxx
> > Cisco home labs:
> > ""GEORGE""  wrote in message
> > news:200207162256.WAA06245@xxxxxxxxxxxxxxxxx
> > > Hi all, I have a question. I configured my e-mail server to only accept
> > > local e-mail, and deny other relay; however, I'm still vulnerable to
> > > spam. My question is how do the ISPs block other e-mail going to their
> > > smtp?
> > > Do they do it by access-list? Allowing only the local network with port
> > > 25?
> > > Or just the e-mail server?
> > > If cisco routers have to be involved does anyone have some links. I'm
> > > behind a pix and would like to allow only my network to use smtp.
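As an added example that is not part of the original thread, not the poster's Solaris/MySQL scripts and not SpamAssassin: a minimal version of the tag-and-quarantine step the reply describes, in Python. Each inbound message is checked against a list of spammer domains and a list of subject-line patterns; a match tags the mail with an X-Spam-Flag/X-Spam-Reason header and routes it to a separate queue for review instead of to the user. The domain set, the subject patterns, the header names and the sample messages are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed lists standing in for a database of spammer domains and
# typical spam subject lines; the contents are hypothetical.
SPAMMER_DOMAINS = {"bulkmail.example", "promo-deals.example"}
SUBJECT_PATTERNS = [
    re.compile(r"\bmake money fast\b", re.I),
    re.compile(r"\bfree\s+(?:offer|trial|money)\b", re.I),
    re.compile(r"^adv[:\s]", re.I),   # "ADV:" tagged bulk mail
    re.compile(r"!{3,}"),             # runs of exclamation marks
]


def sender_domain(msg):
    """Domain part of the From: address, lower-cased; '' if there is none."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify(raw):
    """Tag one raw RFC 822 message and say which queue it belongs in.

    Returns (message, queue) where queue is "quarantine" for mail that
    matched a spammer domain or a subject pattern, else "deliver".
    The reason is recorded in X-Spam-Reason so the quarantine queue can be
    reviewed for validity before anything is forwarded to the user.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    domain = sender_domain(msg)
    if domain in SPAMMER_DOMAINS:
        reasons.append("sender-domain:" + domain)

    subject = str(msg.get("Subject", "") or "")
    for pat in SUBJECT_PATTERNS:
        if pat.search(subject):
            reasons.append("subject:" + pat.pattern)
            break  # one matching pattern is enough to tag

    if reasons:
        msg["X-Spam-Flag"] = "YES"
        msg["X-Spam-Reason"] = "; ".join(reasons)
        return msg, "quarantine"
    msg["X-Spam-Flag"] = "NO"
    return msg, "deliver"


# Constructed sample messages (hypothetical addresses and domains).
SAMPLES = {
    "spam_domain": (
        b"From: Deals <offers@bulkmail.example>\r\n"
        b"To: user@yourdomain.example\r\n"
        b"Subject: Your statement\r\n\r\n"
        b"Click here.\r\n"
    ),
    "spam_subject": (
        b"From: Bob <bob@friend.example>\r\n"
        b"To: user@yourdomain.example\r\n"
        b"Subject: ADV: Make Money Fast!!!\r\n\r\n"
        b"Really.\r\n"
    ),
    "ham": (
        b"From: Alice <alice@partner.example>\r\n"
        b"To: user@yourdomain.example\r\n"
        b"Subject: Re: blocking spam with cisco routers\r\n\r\n"
        b"See thread.\r\n"
    ),
}


def run_samples():
    """Queue decision for every constructed sample, keyed by sample name."""
    return {name: classify(raw)[1] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        msg, queue = classify(raw)
        print(f"{name:13s} -> {queue:10s} {msg.get('X-Spam-Reason', '')}")
```

Note that only the subject and the From: header are inspected here, and a From: header is trivially forged; this is exactly why the reply stresses that the rule lists need ongoing monitoring and updating rather than being written once. A router ACL on port 25 cannot make this distinction at all, since the spammer's MTA and a legitimate MTA both open an ordinary TCP session to your mail server.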
