Block outgoing SPAM on network layer
Hello,
we are looking for a solution to block outgoing SPAM from our network.
The idea we have thought of is to create a port-mirror of the traffic whose destination is port 25 to a Fortimail or similar equipment (any recommendation?).
This device should only analyze the SPAM and send all the traffic to blackhole, since the original traffic (not port-mirror) is the one that is routed to the Internet.
Initially we want to have data analytics, i.e. to know from which of our IPs SPAM is being sent in order to cut the service to our customer.
Thank you.
Comments
If they use STARTTLS then your solution will stop working, and if you MITM the transaction to prevent that, you'll probably piss off a lot of legitimate customers.
Do the port-mirror and look at the traffic with Wireshark. The spammers will immediately become "visible". Easy and totally free solution.
I'm pretty sure you shouldn't intercept traffic of customers. And I'm pretty sure you aren't allowed to scan mails under GDPR (which you have to follow) without the consent of customers. Block port 25 and tell customers to use mailgrid, AWS or similar.
Intercepting outgoing port 25 shouldn't cause too many issues on a default-configuration mail server, e.g. Exim/Postfix don't care if the recipient server has SSL/TLS or not (plain text), or if the cert is self-signed or even invalid with the wrong domain; on default configuration it doesn't validate it.
The issue you will run into will be a privacy issue, as some users won't like the idea of the provider sniffing/scanning all their outgoing mail. The easy option is to just block 25 and possibly whitelist on request for trusted users.
Yeah but it's nothing OVH hasn't done network wide in the past to surprisingly little pushback. Heficed either does or did it for a while too.
You could simply just block mailing entirely, and offer a "free SMTP relay" with some basic SpamAssassin filtering of outgoing messages? @jar has always open sourced his awesome rules for it.
The objective is to identify a SPAMMER before the IP is blacklisted.
I refuse to think that with the advances in AI, it is not possible to identify patterns that spammers produce by simply analyzing network flows.
If someone does thousands of DNS MX resolutions and sends thousands of TCP SYN packets to 25/tcp, it is pretty obvious something very suspicious is going on.
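The heuristic described above (one source doing a burst of MX lookups and SYNs to 25/tcp towards many distinct hosts), written as an added flow-analysis example that is not from the thread or any product mentioned in it. It assumes a constructed per-event record format `<epoch> <src_ip> <dst_ip> <event>` that a collector would export from the port-mirror, and the thresholds and window are illustrative assumptions, not tuned values.

```python
"""Flag sources whose outbound flow pattern looks like a spam burst.

Assumed (constructed) record format, one event per line:
    <epoch_seconds> <src_ip> <dst_ip> <event>
where event is 'syn25' (TCP SYN to dport 25) or 'mx' (DNS MX query).
"""
from collections import defaultdict, deque

WINDOW = 60           # sliding window in seconds (assumed)
SYN_THRESHOLD = 100   # SYNs to 25/tcp per window (assumed)
MX_THRESHOLD = 100    # MX lookups per window (assumed)


def parse(line):
    ts, src, dst, event = line.split()
    return int(ts), src, dst, event


def find_suspects(lines, window=WINDOW, syn_threshold=SYN_THRESHOLD,
                  mx_threshold=MX_THRESHOLD):
    """Return {src_ip: (max_syns, max_mx, max_distinct_syn_targets)} for
    sources that exceed either threshold in any sliding window."""
    events = defaultdict(deque)   # src -> recent (ts, dst, event)
    suspects = {}
    for line in sorted(lines, key=lambda l: int(l.split()[0])):
        ts, src, dst, ev = parse(line)
        q = events[src]
        q.append((ts, dst, ev))
        while q and ts - q[0][0] > window:   # drop events outside window
            q.popleft()
        syns = sum(1 for _, _, e in q if e == "syn25")
        mxs = sum(1 for _, _, e in q if e == "mx")
        if syns >= syn_threshold or mxs >= mx_threshold:
            # Fan-out to many distinct MX hosts separates spam from a busy
            # relay that repeatedly talks to the same few destinations.
            targets = {d for _, d, e in q if e == "syn25"}
            prev = suspects.get(src, (0, 0, 0))
            suspects[src] = (max(prev[0], syns), max(prev[1], mxs),
                             max(prev[2], len(targets)))
    return suspects


def sample_records():
    """Constructed data: one bursting host and one normal mail server."""
    recs = []
    for i in range(150):   # 10.0.0.5: 150 MX lookups + 150 SYNs in 30 s
        recs.append(f"{1000 + i // 5} 10.0.0.5 192.0.2.{i} mx")
        recs.append(f"{1000 + i // 5} 10.0.0.5 198.51.100.{i} syn25")
    for i in range(20):    # 10.0.0.9: 20 SYNs over 60 s to 3 relays
        recs.append(f"{1000 + i * 3} 10.0.0.9 203.0.113.{i % 3} syn25")
    return recs
```

Running `find_suspects(sample_records())` flags only 10.0.0.5; the fan-out count is what an operator would review before cutting a customer, since a legitimate bulk sender can also exceed raw SYN counts.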
That's a good starting point
Although I'm looking for something a bit more advanced and professional, I'd like to avoid having to program my own crappy script.
If you want professional talk to MailChannels and Vade Secure about network appliances. They both do this stuff. No one is doing anything in this space that would be considered affordable so hopefully the budget isn't small for it.