Block Port 25 or not ?

We are an ISP with over 6000 IPv4 addresses and I see over 2000 IPs are already on the PBL; almost 3 of the /22s are completely showing on the PBL list.
How do I avoid this happening, or get the whole block whitelisted by the PBL?

When I asked some experts on other forums, they said to block port 25 at the PPPoE router and core router.
Is that a solution?

But I guess every customer's Outlook will stop working.

I checked this,
http://wiki.mikrotik.com/wiki/How_to_autodetect_infected_or_spammer_users_and_temporary_block_the_SMTP_output

But I'm afraid, and unsure whether to block or not.

One option is writing a script that pulls IPs off a PBL and updates your block list; later you can inform the user that he might be infected with a virus and limit his service until he takes action. Some ISPs do this. It's not the best option, since PBLs tend to put the whole subnet in rather than a specific IP.
Another option is to monitor traffic per specific user on port 25. Legitimate users don't send tons of messages, hence a low number of packets per given time; if you see an abnormal increase in traffic on port 25 then it's safe to assume that the user might be a spammer, just like that script you provided.

So put in the script as on the wiki?

Yes, try that; however, so as not to disturb service, first monitor how the script behaves and if it yields results then implement it.
Don't just jump right in :)

Oops, I'm still afraid.
Let's wait for some more insights.

The first step should be monitoring which IPs use port 25 and making some statistics; then you can inform "suspected" users that they generate traffic on port 25 and ask them to check if everything is configured properly.
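Added example (not from this thread or from MikroTik) for the per-user port 25 monitoring suggested here and in the earlier reply: it tallies port 25 connection attempts per customer IP from firewall log lines and flags the sources fanning out to many different mail hosts. It assumes a RouterOS firewall rule that logs new port 25 connections with prefix "smtp-out"; the log lines are constructed and the threshold is a placeholder to tune against your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of RouterOS firewall log output from a
# rule with log=yes log-prefix="smtp-out" on new TCP connections. Addresses are
# documentation ranges; none of this was captured from a real router.
SAMPLE_LOG = """\
jan/02 10:00:01 firewall,info smtp-out forward: in:pppoe-alice out:ETH-WAN-ISP1, proto TCP (SYN), 198.51.100.10:51234->203.0.113.25:25, len 60
jan/02 10:00:05 firewall,info smtp-out forward: in:pppoe-alice out:ETH-WAN-ISP1, proto TCP (SYN), 198.51.100.10:51240->203.0.113.25:25, len 60
jan/02 10:00:07 firewall,info smtp-out forward: in:pppoe-bob out:ETH-WAN-ISP1, proto TCP (SYN), 198.51.100.77:40001->203.0.113.1:25, len 60
jan/02 10:00:07 firewall,info smtp-out forward: in:pppoe-bob out:ETH-WAN-ISP1, proto TCP (SYN), 198.51.100.77:40002->203.0.113.2:25, len 60
jan/02 10:00:08 firewall,info smtp-out forward: in:pppoe-bob out:ETH-WAN-ISP1, proto TCP (SYN), 198.51.100.77:40003->203.0.113.3:25, len 60
jan/02 10:00:08 firewall,info smtp-out forward: in:pppoe-bob out:ETH-WAN-ISP1, proto TCP (SYN), 198.51.100.77:40004->203.0.113.4:25, len 60
jan/02 10:00:10 firewall,info smtp-out forward: in:pppoe-carol out:ETH-WAN-ISP1, proto TCP (SYN), 198.51.100.90:40007->203.0.113.9:587, len 60
"""

# Pull the PPPoE interface, source IP, destination IP and destination port out of
# one log line; lines that do not look like a TCP SYN record are ignored.
LINE_RE = re.compile(
    r"in:(?P<iface>\S+) out:\S+, proto TCP \(SYN\), "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def smtp_stats(log_text):
    """Per source IP: (pppoe interface, number of port-25 SYNs, distinct mail hosts)."""
    syns, dsts, iface = defaultdict(int), defaultdict(set), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "25":
            continue  # not a port 25 connection attempt (e.g. submission on 587)
        src = m.group("src")
        syns[src] += 1
        dsts[src].add(m.group("dst"))
        iface[src] = m.group("iface")
    return {s: (iface[s], syns[s], len(dsts[s])) for s in syns}

def suspected_spam_sources(log_text, max_distinct_dst=3):
    """Sources that opened port 25 to more than max_distinct_dst different hosts,
    busiest first. A mail client talks to one or two providers' servers; an
    infected host delivering spam directly fans out to many recipient MX hosts."""
    rows = [(src, *v) for src, v in smtp_stats(log_text).items() if v[2] > max_distinct_dst]
    return sorted(rows, key=lambda r: (r[3], r[2]), reverse=True)

if __name__ == "__main__":
    for src, iface, syn_count, n_dst in suspected_spam_sources(SAMPLE_LOG):
        print(f"{src} ({iface}): {syn_count} SMTP SYNs to {n_dst} distinct hosts, inform user")
```

Feed it the real log export instead of SAMPLE_LOG and the flagged rows are the "top of the usage list" to contact first.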

So go to the PPPoE router, go to CONNECTION TRACKING and see who is connected to port 25?
And inform them?
Isn't there a way we can block 25 completely on the PPPoE router and then, when someone emails us asking about it, we simply unblock 25 for him, for his MAC address only?

No, it won't. Or at least it should not. Nowadays, no ordinary customer should have legitimate reasons to make outgoing connections to port 25/tcp, unless they are running their own mail server. Most email providers use alternative ports for client ESMTP (587/tcp and 465/tcp; the latter is not officially assigned but is a de-facto standard anyway), which also usually assume mandatory encryption and authentication.

So, I'd suggest asking business customers if they are running an on-premises mail server, then allow outgoing 25/tcp for those who are, and block it for everyone else.

All the customers are mostly using GoDaddy or HostGator for their websites and emails.
So they go to Outlook and enter their HostGator IMAP email server details.
So if I block port 25, will they stop working?

No, they won't. A quick Google search shows that both GoDaddy and HostGator use 465/tcp for mail sending.

Let's assume that you manage a list of allowed sources of SMTP, POP etc. traffic and this list is named TRAFFIC_MX_ALLOW; then you can record all mail traffic sources originating from non-allowed IPs in the TRAFFIC_MX_SRC list with a 4h timeout:

add action=add-src-to-address-list address-list=TRAFFIC_MX_SRC address-list-timeout=4h chain=forward dst-address-list=!TRAFFIC_MX_ALLOW dst-port=110,995,143,993,25,465,585 out-interface=ETH-WAN-ISP1 protocol=tcp

or

add action=add-src-to-address-list address-list=TRAFFIC_MX_SRC address-list-timeout=4h chain=output dst-address-list=!TRAFFIC_MX_ALLOW dst-port=110,995,143,993,25,465,585 out-interface=ETH-WAN-ISP1 protocol=tcp

To block all mail traffic except from allowed IPs you need a simple rule:

add action=reject chain=forward dst-port=110,995,143,993,25,465,585 out-interface=ETH-WAN-ISP1 protocol=tcp src-address-list=!TRAFFIC_MX_ALLOW

or

add action=reject chain=output dst-port=110,995,143,993,25,465,585 out-interface=ETH-WAN-ISP1 protocol=tcp src-address-list=!TRAFFIC_MX_ALLOW

And the last step is to update the TRAFFIC_MX_ALLOW list of IPs.
That’s all.

P.S.
Adjust the port list to your needs.

Do not try to unblock entire customer subnets on PBLs. They exist for a reason. Customers can unblock themselves based on several conditions (e.g. fixed IP and MX/PTR records).

Also, you could host an SMTP relay for your customers with a strict enough EULA, enabling you to get exclusion on most blacklists and allowing you to restrict customer access on abuse.

This is a good suggestion.
So I should rather host a mail server myself and use it as an SMTP relay?
Then email all customers to use that as their outgoing server?
But isn't that too much load for my mail server?

I think I'd better block port 25 for them and then wait for emails from customers.
Whoever says Outlook is not working,
simply ask him to use SSL with port 465.

No, just advertise it passively on your website. Your customers can continue with their current settings. If they experience problems with the PBL (which is, imo, their problem) you can refer them to your relaying server.
You will have to invest time and material in your email server, but at least this infrastructure is under your control. And you're not the one to blame.

Okay, let me ask my developer if he knows about it. Very confusing :(

Not 100% true ...
If the PBL blocks a whole subnet instead of particular addresses then it backfires on the "good guys". They have no chance to remove themselves from the PBL as the subnet is owned by the ISP; they are not guilty but they have to "serve" the sentence.

It is better to prevent than to cure …

What's your final suggestion?
Yes, I can see the complete /22 is showing red in the PBL.

As the /22 subnet owner, try to remove the whole subnet from the PBL.
Check who is responsible for mail traffic.
Warn/inform users from the top of the usage list about the problems.
Block port 25 ... leave 587 open.

You need to choose: difficulties for customers or blocked subnet …

"To ban or not to ban? That is the admin's question" :)

So, the 1st step is to block port 25.
And when you said check who is responsible, you mean check in connection tracking which customer IP is using port 25 the most?