Re: SMTP Filter, blocking inbound spoof addresses



umm agreed if this was a full blown commercial system with a few hundred
users +, I might be looking at Spheriq or Message Labs as the destination for
my domain's MX record, and then set up my external firewall to only allow
inbound SMTP traffic from their servers - um wait I did it that way at a
previous company. But this is missing the point of wanting the ISA’s SMTP
Filter to check the inbound traffic for only valid traffic.

My current config on the server is not allowing relaying of spam as
previously stated, but I can still want the unwanted traffic to be stopped by
the inside firewall (the ISA server) and not reach the network, after all, is
this not the basic point of a firewall - block unwanted traffic.

In the actual case here at home, the use of an external hardware firewall,
DMZ, ISA server then servers inside, is way over the top for 4 users, and if
I wasn’t using software I had from my MSDN subscription, and I had to
separately purchase this setup for a company and not personal use then the
whole setup might be changed, after all the existing setup could support
several hundred users.

For commercial use I might be looking at SpamAssassin with F-Prot on a Linux
box in the DMZ to solve this problem, and I may still go this route for home,
but this is missing the point of wanting the functionality of the SMTP
filter in the ISA server to be able to filter unwanted SMTP traffic on the
contents of the to, cc and bcc contents. It allows filtering on attachment
contents and other items, why not this?

One of the ideas on getting things like MSDN subscriptions is allowing
people to develop systems, push the use of the systems and find limits and
ways round configurations before going on and deploying in the real world. I
also think newsgroups are a great way for people to discuss the use of these
products, and learn from each other ways round limitations of the product or
their own knowledge on how to set something up. After all it was my hope
that someone could actually come up with a way on telling me ISA can still do
what I wanted it to do, and I had just missed a way of doing it.

I like the progress made by Microsoft from ISA 2000 to ISA 2004 and like the
product. But, I can still want it to do a little bit more; after all if
people don’t want progress, and more functionality from systems, why not just
junk the lot and go back to say CPM, on the desktop, or maybe the PC was a
bad idea and we should all go back to mainframes and punched cards!

Neil.

"jiambor" wrote:

> Although this will take this out of the ISA topic, I must ask, why? What is
> the need for this? Don't allow relaying on the server. Set up your POP users
> to use Authentication when sending mail. Or better yet get rid of POP and
> get a third party to do spam scanning and then only allow that to SMTP to
> your server. I don't understand the added complexity or cost of trying what
> you've written.
>
> "ncudmore" wrote:
>
> > Umm, looks like you're getting the wrong end of the stick here.
> >
> > First off the hope was that the ISA's addin SMTP filter could actually
> > filter SMTP traffic for a listed domain(s), OK it seems it can't do it, maybe
> > on the wish list for a future version. After all the idea of a configurable
> > software firewall is the addins can be used to do these sorts of jobs,
> > otherwise I'd go back to a PIX!
> >
> > So, I suggested sticking a mail server in the DMZ which only accepts the
> > valid inbound addressed e-mail, i.e. whatever@xxxxxxxxxxxxxx and rejecting
> > e-mail not addressed to the domainname.net. This will cut down the LAN
> > traffic and traffic thru the ISA server since only mail addressed to people in
> > my domain will be passed on, with the server in the dmz rejecting mail not
> > for users here.
> >
> > Adding reverse DNS checks to inbound e-mail for e-mail addressed to valid
> > users will be nominal after rejecting e-mail which isn't addressed to users
> > in the domain. 85%+ of mail coming thru the ISA server at present isn't for
> > a valid address here and is attempted relay by spammers. By using a Domino
> > server (or other mailserver) I can use a lookup on the NAB (native Domino) or
> > LDAP check for valid addresses, before passing mail to the ISA server for the
> > final pass on to the inside and the mailserver, thus dropping e-mail and not
> > rejecting which is valid domain but not for a valid user (saves on phishing).
> >
> > Reverse DNS checks on inbound e-mail won't add too much load to the internet
> > connection, since most cases the same domains contact us, so the DNS will be
> > cached, most people average a TTL on their MX records of between 60 min and 1
> > week, so even with 300 domains sending us e-mail a day (we get only around
> > 100 - 300 valid e-mails a day) that's less than 13 reverse DNS checks an hour
> > on max on an empty cache and no e-mails from the same domains, hardly a
> > massive amount, and less traffic that we currently get from spammers, which
> > is 4-5 e-mails a minute. Mind you if everyone set a TTL of 600 sec on domain
> > mx records, yes this would push the bandwidth.
> >
> > Neil [MCSE and Dual CLP]
> >
> > "Phillip Windell" wrote:
> >
> > > "ncudmore" <ncudmore@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > > news:FB84C7D2-098F-4C9C-AEB5-92F8071C169D@xxxxxxxxxxxxxxxx
> > > > Well guess I wanted a simple check for inbound mail, on a valid inbound
> > > > domain address in the to, cc, bcc fields for mail addressed to users, and if
> > > > there wasn't a valid address in these fields to reject it at ISA level.
> > > >
> > > > Figure now the answer is to build a mailserver into the DMZ, outside the
> > > > existing ISA server, and behind the external hardware firewall, and get it to
> > > > check this, then, relay valid mail thru the ISA server, and drop mail from
> > > > people attempting to use it as an open relay.
> > >
> > > No. You only need a Spam Filtering System to do that not a real mail
> > > server. But *be warned*, checking for proper lookup of the sending Domain
> > > will create a *ton* of false positives depending on the "logic" used by the
> > > filtering software and will likely cause an overload of the Line due to the
> > > massive amount of DNS Queries made,....it isn't going to matter where you
> > > "stick" the machine (LAN, DMZ, External, Whatever).
> > >
> > > --
> > > Phillip Windell [MCP, MVP, CCNA]
> > > www.wandtv.com
> > > -----------------------------------------------------
> > > Understanding the ISA 2004 Access Rule Processing
> > > http://www.isaserver.org/articles/ISA2004_AccessRules.html
> > >
> > > Microsoft Internet Security & Acceleration Server: Guidance
> > > http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> > > http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
> > >
> > > Microsoft Internet Security & Acceleration Server: Partners
> > > http://www.microsoft.com/isaserver/partners/default.asp
> > > -----------------------------------------------------