Init Seven AG has developed a protection for its anonymous Dial-In Access against abuse through spam.

The configuration prevents dial-in clients from delivering mail directly to the MX host of the recipient (bypassing the SMTP server of the ISP). Such direct delivery is (at least in Switzerland) a common technique among abusers.

The following configuration is free software, and other providers are strongly encouraged to use it. Please contribute to the worldwide fight against spam.


Schematic Redirection of SMTP Traffic from Dial-in Clients

*) protected with the Dial-Spam-Block

Let's assume the following:


Configuration of the Core Router (Cisco Syntax):
(adjust the interface name to the interface that is connected to the Internet)

!
access-list 100 remark SMTP Redirect of Dial-Customers to smtp.providername.com
access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq smtp
!
route-map SMTP-Redirect permit 10
 match ip address 100
 set ip next-hop 192.168.20.20
!
interface FastEthernet 0/0
 description connected to Internet
 ip policy route-map SMTP-Redirect
!
!

Configuration of the SMTP Server (Linux Syntax):
(the SMTP server must support iptables)

iptables -A PREROUTING --table nat --protocol tcp --source 192.168.10.0/24 \
--dport 25 -j DNAT --to 192.168.20.20

You might use this init script to set the iptables rules at boot time.
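
The init script referred to above is not included in this copy of the page. The following is an added example, not Init Seven's script: it installs the DNAT rule above at boot without stacking duplicates on repeated starts. It uses the page's example addresses and assumes an iptables version that supports -C (--check); the function and variable names are illustrative.

```sh
#!/bin/sh
# Added example: boot-time wrapper for the DNAT rule shown above.
# DIAL_NET and SMTP_IP default to the page's example addresses.
DIAL_NET="${DIAL_NET:-192.168.10.0/24}"   # dial-in client range
SMTP_IP="${SMTP_IP:-192.168.20.20}"       # provider SMTP server (this host)
IPTABLES="${IPTABLES:-iptables}"          # iptables binary to call

# Rule specification shared by check, add and delete, so all three always
# refer to exactly the same rule. --to-destination is the DNAT target option.
dsb_rule() {
    echo "PREROUTING --protocol tcp --source $DIAL_NET --dport 25" \
         "-j DNAT --to-destination $SMTP_IP"
}

# Add the rule only if -C (check) does not find it, so repeated starts
# do not stack duplicate rules in the nat table.
dsb_start() {
    $IPTABLES --table nat -C $(dsb_rule) 2>/dev/null ||
        $IPTABLES --table nat -A $(dsb_rule)
}

# Delete every copy of the rule, including duplicates left by earlier runs.
dsb_stop() {
    while $IPTABLES --table nat -C $(dsb_rule) 2>/dev/null; do
        $IPTABLES --table nat -D $(dsb_rule) || break
    done
}

# Report whether the redirect is currently installed.
dsb_status() {
    if $IPTABLES --table nat -C $(dsb_rule) 2>/dev/null; then
        echo "Dial-Spam-Block redirect active"
    else
        echo "Dial-Spam-Block redirect NOT active"; return 1
    fi
}

case "${1:-}" in
    start)  dsb_start ;;
    stop)   dsb_stop ;;
    status) dsb_status ;;
    "")     : ;;   # no argument: only define the functions
    *)      echo "Usage: $0 {start|stop|status}" >&2; exit 2 ;;
esac
```

Running the script with status after a reboot shows whether dial-in SMTP traffic is still being captured; a missing rule means the redirected packets are no longer rewritten to the local SMTP server.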


Feedback (English or German) on the configuration above is welcome: please send it to Fredy Künzler. The anti-spam configuration has been developed with support from Raffael Marty and Marco Steinacher.


Further reading regarding security: security.raffy.ch

Gianpaolo (Phlog) has done further development of this concept.

Last Edit: 20.06.2006