Outbound Spam/Mail Filtering

Started by RoDDy, July 11, 2016, 12:14:12 PM


RoDDy

Hi Guys,

I am currently trying to find a solution that can inspect my outbound traffic and block any that may be deemed suspicious.

I currently have a number of IP blocks that are currently blacklisted and have received a few customer complaints already. In the meantime I have assigned them to a new IP subnet but would like to find something more permanent (I don't want to keep removing them from the blacklists or reassigning them) and not just a band-aid solution, as it would only be a matter of time before my other blocks are blacklisted.

Do you guys know of any good solutions? I have been doing some quick searches on the net and see Fortinet has a solution and also another company I am not familiar with called Cybonet (formerly PineApp). I would prefer to have an on-premises solution that I can manage myself and is transparent in terms of traffic flow.

Thanks in advance for any ideas.

-Roddy

icecream-guy

I'd be more concerned with inbound rather than outbound filtering; let stuff go out. Who really cares? Just don't let the bad stuff in.
:professorcat:

My Moral Fibers have been cut.

deanwebb

Quote from: ristau5741 on July 11, 2016, 12:30:03 PM
I'd be more concerned with inbound rather than outbound filtering; let stuff go out. Who really cares? Just don't let the bad stuff in.

Intellectual property security means watching that outbound stuff.

However, spam/email filters are best when on the actual email server and just block port 25 outbound. No reason anyone should be going to an outside email server from a work pc.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

RoDDy

Quote from: ristau5741 on July 11, 2016, 12:30:03 PM
I'd be more concerned with inbound rather than outbound filtering; let stuff go out. Who really cares? Just don't let the bad stuff in.

Agreed... but at present the outbound is presenting more of a problem. Inbound going to the client is on them really. They should do the right thing and invest in a decent firewall; however, outbound affects me greatly. I am the ISP and I have a /24 block which I divide into /29s and /30s and give to customers for their use. When they allow their systems to be infected and it begins to send spam out, then the blacklist sites usually blacklist the entire /24 and not just the /29 they use. So one bad customer spoils the entire bunch??? lol

I am looking for an all-around complete solution, and as an ISP we need to tighten up in all areas. We have some Check Point devices deployed in most of our network. I will probably contact them for this additional segment.

deanwebb

OK, an ISP scenario... Get a Barracuda? Spam filtering is basically a matter of cracking open an SMTP packet and looking at it for keywords like "Nigerian prince" or "This flashlight will AMAZE you!"

wintermute000

Block port 25 by default. As an ISP the last thing you want to do is start getting involved with customer traffic.

deanwebb

Quote from: wintermute000 on July 11, 2016, 04:30:18 PM
Block port 25 by default. As an ISP the last thing you want to do is start getting involved with customer traffic.
Can't block port 25 if the guy has an on-premises email server...

Otanx

That is a bad place to be. You can filter outbound email, but the second you accidentally block valid email your customer is not going to be happy. Do you publish reassignments with ARIN/RIPE? Some of the spam blacklists will use the mask in the ARIN/RIPE DB for the range. If you don't do reassignment, make sure the abuse email address on the space is correct, and that someone checks that mailbox. The reputable blacklists will alert before blocking. Then hold your customers accountable: if someone keeps sending spam, shut them down. Of course, easier said than done when they pay your company money.

-Otanx

deanwebb

In fact, if there is no legal agreement in which you stipulate that you will terminate services due to abuse, intentional or due to a third party, then you CANNOT undertake such measures without permission. And then the legal/financial issues rear their heads... do they have to pay for the time you have their internet blocked? If you block port 25 only, will their service be prorated? Do you filter all traffic in this way? Does this mean that you are legally responsible if some malicious thing gets past your filtering? If someone sends an email with illegal content and it gets through your filter, and you are filtering the traffic, you can be held responsible for not blocking it if the prosecution/litigant is able to demonstrate that you are not taking due care and showing due diligence in keeping the filters up-to-date and properly functioning.


It may be time better spent to cultivate relationships with guys that run blacklists and let them know how your address space is broken down, and hope for the best on that front.

In the meantime, have your legal guys draw up new contracts that stipulate if outbound spam is detected from any IP, then email will be blocked from that IP until such time as the issue is resolved, not responsible for false positives, lost revenue, normal wear and tear, yadda yadda yadda, more legal stuff, etc... then get that contract language to your clients and have them sign off. If any refuse, work to terminate or not extend their current contract, as they represent a huge risk.

***

Another thought: just hit port 25 on all your IPs and try to use them as an open relay. If any work as open relays, contact the customer immediately to remediate. If the customer refuses or treats it lightly, inform the customer that should his negligence result in business losses to other clients of yours, you will provide those clients with his contact info so they can work out compensation for their losses... if they don't accept that risk, then let them know that you'll proactively contact your other clients with this information so that they can draw up the invoices and court petitions in advance... :evil:

RoDDy

Quote from: deanwebb on July 12, 2016, 10:16:50 AM
In fact, if there is no legal agreement in which you stipulate that you will terminate services due to abuse, intentional or due to a third party, then you CANNOT undertake such measures without permission. And then the legal/financial issues rear their heads... do they have to pay for the time you have their internet blocked? If you block port 25 only, will their service be prorated? Do you filter all traffic in this way? Does this mean that you are legally responsible if some malicious thing gets past your filtering? If someone sends an email with illegal content and it gets through your filter, and you are filtering the traffic, you can be held responsible for not blocking it if the prosecution/litigant is able to demonstrate that you are not taking due care and showing due diligence in keeping the filters up-to-date and properly functioning.


It may be time better spent to cultivate relationships with guys that run blacklists and let them know how your address space is broken down, and hope for the best on that front.

In the meantime, have your legal guys draw up new contracts that stipulate if outbound spam is detected from any IP, then email will be blocked from that IP until such time as the issue is resolved, not responsible for false positives, lost revenue, normal wear and tear, yadda yadda yadda, more legal stuff, etc... then get that contract language to your clients and have them sign off. If any refuse, work to terminate or not extend their current contract, as they represent a huge risk.

***

Another thought: just hit port 25 on all your IPs and try to use them as an open relay. If any work as open relays, contact the customer immediately to remediate. If the customer refuses or treats it lightly, inform the customer that should his negligence result in business losses to other clients of yours, you will provide those clients with his contact info so they can work out compensation for their losses... if they don't accept that risk, then let them know that you'll proactively contact your other clients with this information so that they can draw up the invoices and court petitions in advance... :evil:

My point exactly with the legal aspect/implications Dean. I do appreciate your suggestions as I like the way you are thinking. Customers should hold some of the responsibility if they are not securing themselves well enough.

I do not want a case where customers can then have a legal case against us to say that we have not done due diligence regarding securing our network.

Perhaps you are right in that we should look more at dealing with the blacklist companies. Otanx, as it stands right now we do not publish reassignments with ARIN but will look at the feasibility of doing that. In the meantime we have gotten most of our clients to get their PTR records pointing to their mail server, which should help a bit.

deanwebb

A number of the better blacklisters will have instructions on how to set up a mailserver to keep it from being blacklisted. Reverse DNS lookup is a huge thing, but if your clients comply with all of the instructions, they should be pretty well secure from external spammer threats.

If some idjit picks up a USB drive in the parking lot and plugs it in, though, it's a whole different ball game.

Dieselboy

We used Mimecast in the UK. Basically, do not send or receive email yourself. Relay it all through Mimecast, where their powerful systems do multiple checks.

I know it can be a pain but another option could be to only allow your mail server to send email. I'm thinking that your mail server is sending legitimate traffic and a hacked PC on the inside network is sending spam.

Check your firewall, or have it log and check TCP/25 connections from anything other than your mail server.
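The check Dieselboy describes, written out as an added example (not code from anyone in this thread): walk firewall logs for outbound TCP/25 connections from hosts that are not a declared mail server, and attribute each offender to the customer /29 or /30 it was assigned from, so the ISP knows who to call. The log format, the block allocations and the allowed-server list are all constructed assumptions.

```python
import ipaddress

# Constructed sample data (documentation addresses, not a real allocation):
# the ISP's /24 carved into customer /29 and /30 reassignments.
CUSTOMER_BLOCKS = {
    "198.51.100.0/29": "customer-a",
    "198.51.100.8/29": "customer-b",
    "198.51.100.16/30": "customer-c",
}
# Hosts each customer has declared as their legitimate outbound mail server.
ALLOWED_MAIL_SERVERS = {"198.51.100.2", "198.51.100.17"}

# Constructed firewall log; assumed format: "<timestamp> <src> <dst> <proto> <dport>"
SAMPLE_LOG = """\
2016-07-11T12:30:01 198.51.100.2 203.0.113.25 TCP 25
2016-07-11T12:30:02 198.51.100.11 203.0.113.30 TCP 25
2016-07-11T12:30:03 198.51.100.11 203.0.113.31 TCP 25
2016-07-11T12:30:04 198.51.100.11 203.0.113.32 TCP 25
2016-07-11T12:30:05 198.51.100.11 203.0.113.33 TCP 443
2016-07-11T12:30:06 198.51.100.17 203.0.113.40 TCP 25
2016-07-11T12:30:07 198.51.100.3 203.0.113.50 TCP 25
2016-07-11T12:30:08 198.51.100.99 203.0.113.60 TCP 25
"""


def customer_for(ip, blocks=CUSTOMER_BLOCKS):
    """Map a source address to the customer reassignment it belongs to."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in blocks.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None  # not inside any known reassignment


def rogue_smtp_sources(log_text, allowed=ALLOWED_MAIL_SERVERS, threshold=1):
    """Return {src: (customer, distinct_destinations)} for every source that
    is NOT a declared mail server yet opened TCP/25 to at least `threshold`
    distinct destinations. A host fanning out to many MX hosts is the usual
    footprint of an infected machine sending spam. Malformed lines are skipped."""
    dests = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, proto, dport = parts
        if proto != "TCP" or dport != "25" or src in allowed:
            continue
        dests.setdefault(src, set()).add(dst)
    return {src: (customer_for(src), len(d))
            for src, d in dests.items() if len(d) >= threshold}
```

Run it with `threshold=2` on the sample log and only 198.51.100.11 (customer-b) is reported; a threshold of 1 also surfaces single connections, which is noisy but useful for a strict "only the mail server may talk on 25" policy.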

deanwebb

Side note: I'm using spamfence for my personal account and have it forwarding good emails to an account I only log into and use the other alias as a "send as" setting. Bad emails go to my gmail account where Google has its way with the little spams.

But yes, a bulk filter with your MX record pointing to the filter is a great solution.

wintermute000

The problem with all this is that at the end of the day, as an ISP, you do not want anything to do with your customers' actual mail setup. You can't very well control their domain, MX records, etc. UNLESS it's part of some kind of managed services agreement. The impression I'm getting is that the OP is purely providing carriage.

In which case I believe the only thing you can really do is block port 25 and offer opt-out if they host their own mail.

RoDDy

Quote from: wintermute000 on August 13, 2016, 11:53:29 PM
The problem with all this is that at the end of the day, as an ISP, you do not want anything to do with your customers' actual mail setup. You can't very well control their domain, MX records, etc. UNLESS it's part of some kind of managed services agreement. The impression I'm getting is that the OP is purely providing carriage.

In which case I believe the only thing you can really do is block port 25 and offer opt-out if they host their own mail.

Sorry I missed these posts. Thanks for all the replies.

You are correct... only carriage; however, we do modify the MX records etc. at the request of our business customers. I am looking at a solution from Sandvine... not sure if you guys are familiar with it, but we have a number of these boxes already deployed in other parts of the network, so if deployed we will send all traffic through there for inspection.