[AusNOG] Controlling spam in IaaS environment

Chris Deigan chris at deigan.id.au
Fri Dec 2 11:22:24 EST 2016


On Thu, 1 Dec 2016, at 02:17 PM, Daniel Manzau wrote:
> We're after a bit of advice as to what general best practice is in stopping (failing that, identifying) SPAM in IAAS/Hosting type environments.

preface: I don't know of any magic box that does what you seem to want.

What is the high-level goal of what you're trying to achieve?

In the case of exploited web applications, or systems, there's a danger
in attempting to simply "block" spam that you hide a larger problem of a
system being compromised. Whilst your concern may be the reputation of
your address space (which would be adversely affected by spam being
sent), you would be doing the stakeholders of the compromised
application a disservice in not causing action to have the compromised
system properly fixed.

If I were solving this problem from scratch today, I'd probably have my
users either:
 a) Use a purpose-built service for sending mail (AWS SES, SendGrid,
 etc.)
 b) Invest the time/resources to build a purpose-configured mail relay

In the case of (b), investing time beyond a basic "working" MTA
configuration would allow you to restrict the configuration to only
accept/relay mails that match expected patterns, which could help you to
mitigate damage from an exploited application. You could also build
monitoring and/or hard thresholds to detect unusual activity.

Regardless of which route taken, I'd recommend restricting systems to
only allow outbound tcp/25 connections from conditions where it's
expected (such as the MTA daemon, but not directly from applications).

--
  Chris Deigan
  chris at deigan.id.au
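The "monitoring and/or hard thresholds" suggested for a purpose-configured relay, as an added example (not from the post above): a small detector that reads Postfix qmgr log lines and flags any sender whose recipient count inside a sliding window exceeds a limit. The log lines are constructed sample data in the usual Postfix qmgr format; the window and threshold values are assumptions to tune per relay.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic): one legitimate low-volume sender and
# a web server account that suddenly starts queueing 40-recipient messages.
SAMPLE_LOG = """\
Dec  2 10:00:01 relay postfix/qmgr[1234]: 4A1B2C: from=<noreply@shop.example>, size=2311, nrcpt=1 (queue active)
Dec  2 10:00:05 relay postfix/qmgr[1234]: 4A1B2D: from=<www-data@web01.example>, size=912, nrcpt=40 (queue active)
Dec  2 10:00:06 relay postfix/qmgr[1234]: 4A1B2E: from=<www-data@web01.example>, size=915, nrcpt=40 (queue active)
Dec  2 10:00:08 relay postfix/qmgr[1234]: 4A1B2F: from=<www-data@web01.example>, size=910, nrcpt=40 (queue active)
Dec  2 10:03:00 relay postfix/qmgr[1234]: 4A1B30: from=<noreply@shop.example>, size=2290, nrcpt=1 (queue active)
Dec  2 10:20:00 relay postfix/qmgr[1234]: 4A1B31: from=<www-data@web01.example>, size=900, nrcpt=5 (queue active)
"""

# Matches the qmgr "from=<...>, size=..., nrcpt=..." line Postfix logs when a
# message enters the active queue.
QMGR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_qmgr(log_text, year=2016):
    """Yield (timestamp, sender, nrcpt) for each qmgr 'from=' line (syslog has no year)."""
    for line in log_text.splitlines():
        m = QMGR_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["sender"], int(m["nrcpt"])


def find_bursts(log_text, window_s=600, max_rcpts=50):
    """Return {sender: (first_alert_time, recipients_in_window)} for senders that
    exceed max_rcpts recipients within any window_s-second sliding window."""
    events = defaultdict(deque)   # sender -> (ts, nrcpt) entries still inside the window
    totals = defaultdict(int)     # sender -> recipient sum over those entries
    alerts = {}
    for ts, sender, nrcpt in sorted(parse_qmgr(log_text)):
        q = events[sender]
        q.append((ts, nrcpt))
        totals[sender] += nrcpt
        while (ts - q[0][0]).total_seconds() > window_s:   # expire old entries
            totals[sender] -= q.popleft()[1]
        if totals[sender] > max_rcpts and sender not in alerts:
            alerts[sender] = (ts, totals[sender])
    return alerts
```

On the sample, www-data@web01.example trips the 50-recipient limit at 10:00:06 (80 recipients in the window) while the shop sender stays silent; in practice the same accounting keyed on client IP or sasl_username from the smtpd lines points at the compromised host rather than the envelope address.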
