Educause Security Discussion
mailing list archives
Re: blocking port 25 at the border?
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Thu, 23 Aug 2007 19:55:08 -0400
Bob Bayn -
We have managed port 25 (SMTP) at the border for about 2 years
outbound and 3+ years inbound.
Primarily system administrator managed mail servers are the systems
transmitting and receiving SMTP on TCP port 25.
There are a few exceptions and a formal procedure (and web form)
exists for requesting an inbound or outbound exception.
There are quite a few more local e-mail systems but most of them have
owners who have decided that they do not need to
receive email directly on port 25 from the Internet nor xmit directly
to Internet email servers. Therefore most internal servers
have their DNS names and/or domains MXed to our public mail relay
servers. The very few that don't have primarily policy-
based reasons for requesting an exception (e.g. they can't be bound
by our 20MB file size limit, anti-virus/anti-spam, etc.) &
we allow these exceptions.
We blocked SMTP originally to cut down on spam complaints (both
internal and external) generated by both "rogue" and
"accidental" mail servers but the anti-spam/malware/phishing scanning
funnel which now covers most of campus has proved
to be even more valuable.
fYI - one way to distinguish between a Storm infected PC and a Skype
node (both can generate a lot of UDP traffic to many
IP #s on the Internet) is that a Skype node will usually be listening
on 3 TCP ports - port 80, 443 and a random port above
1024. The service listening at these ports will usually answer a
probe with string 'GET /' with the response :
HTTP/1.0 501 Not Implemented
- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS
On Aug 23, 2007, at 5:08 PM, Bob Bayn wrote:
Do you regulate port 25 at the border?
If so, what is your procedure for allowing an exception
(for a legit email server)?
What administrative approvals were required at your
institution before you could regulate port 25?
IT Security Team
Utah State University