OT: RE: SMTP Relays...

From: Patrick/VCM SysOp <patrick_at_vintagecomputermarketplace.com>
Date: Thu Sep 2 16:08:08 2004

> >>> ISPs are also dealing with worm- and bot-infected servers
> >>> and clients on their networks spreading email-based
> >>> infections or becoming remote platforms for spamming.
>
> So block/shutdown the offenders, not the valid users!

Uh, I guess I missed the "I'm a white-hat packet" bit in RFC 793. :-)

They do block the offenders, but of course, they don't know who they are
until damage is being done, or after. I think it's clear that closing
outbound port 25 is first-order defensive damage control in their view.

Think about it: if you were to get on <unnamed-ISP's> site right now and
sign-up for a dial-up account (assuming no outbound filtering), how much
email do you think you'd be able to push through that connection before they
noticed and turned you off? Maybe, MAYBE they're monitoring bandwidth
closely enough to detect the pattern, but still, you'd be at the noise level
in that network for quite a while. More likely, they won't really notice
until their abuse_at_ mailbox is stuffed with four-letter expletives. I'm
guessing you could easily get a few hundred thousand, maybe even a million,
out, and perhaps even cancel the account before anybody noticed the
activity. To add insult to injury, do it on a bunch of the ISP's stolen
accounts you bought from a guy who ran a phishing scheme. Or maybe just
don't pay the bill, or pay it on a stolen credit card so the ISP gets the
extra fines of a chargeback in addition to having to eat the operational
costs.

> >>> There has to be a balance.
>
> I see NO balance here.

You're not being objective, IMHO. So, are you telling me your clients will
know the difference and prefer to pay a higher price to have free access to
port 25, at the cost of subsidizing the ISP's increased staff and expense to
source and operate the kind of monitoring that can tell, in unfiltered real
time, what's good traffic and what's bad (deterministically, I might add,
lest they again incur your wrath), and crisply manage the thousands or tens
of thousands of its customers who are unwittingly running mailbots and can't
figure out how to stop it or deal with it?

> If a person is unable or unwilling to do a competent job,
> they would not survive long at my firm. The comment was
> perhaps inflammatory, but I still do not see how this
> provides any benefit other than treating a symptom rather
> than a cause [which MAY be cheaper].

I agree completely with this, but unfortunately it's all we've got right
now... Band-aids. There are fundamental flaws in the protocol that need to
be addressed, and beyond that is the migration of every client and server to
those newer or updated protocols. The protocol was fine when duty and honor
ruled the Internet. That was short-lived, and the new reality is that an
unauthenticated protocol will be abused to the very limits of its
capability, even to the eventual exclusion of its legitimate use.

> Yes a VPN (or even SMTPS) will address this issue. What has me
> really "hot under the collar" right now is that CableVision
> (optonline.net) did this over the weekend with NO NOTIFICATION!

Earthlink did the same, and I'll readily confess that I was pretty steamed
when they did it, until I had time to reason it out, understand why, and
come up with a workaround that I was satisfied with. But I didn't like
being surprised by it.

But now that several large ISPs have undertaken this practice, I can
honestly say that I do see a reduced volume of spam from cable, DSL, and
domestic dial-up connections into our network. It has done nothing to
reduce volume from non-US providers, though, of course.

And if what you say about optonline.net is true, then I'll also give them an
"atta boy" for doing it (but not the way they handled it). That's a very
familiar domain in my world as an identified spam source. I'll probably get
a benefit I can measure, at least until the bad guys find another ISP who
hasn't done it yet.

> Now I have a large number of clients screaming and blaming MY
> company [at least I can point them to the place where
> optimum.net posted the policy AFTER the fact.

Well, if I had a dollar for every time we got blamed for another ISP's
activities (or that of the client themselves), I wouldn't be writing this
from my desk at work. I feel your pain, but it's part of the job.

> I am not looking to change any opinions. I simply ask where
> there is a valid technical benefit of blocking an outbound
> connection based solely on the port number. If a specific IP
> is "doing bad things" on a port, then block that port. Heck,
> even block the whole IP!

That's even less effective!

Given that most ISPs are moving to dynamic addressing, that's even more of
an inconvenience to the customer. Give them a consistent limitation (like
blocking outbound 25) and the customers can wrap their ears around it, and
eventually adapt. Make it random (which is what IP blocking is in the
customer's perspective, because they get what they get invisibly) and
they'll flail.

By example, I had this problem recently with my next door neighbor: My
company provides web, domain, and mail service for her (a "friends and
family" deal). Recently, she tried to send some email, and our MTA blocked
it because the IP address she was using (SBC ADSL/dynamic) was on the
Spamhaus SBL/XBL. She's not a spammer, for sure, and she had no worms or
virii. But, apparently some other person who had been temporarily assigned
that IP address perhaps 30 minutes, two hours, or even two days before
wasn't as clean and someone put the address on the list. She had to call
SBC and ask that they submit a request for removal from that list (guess how
well that call went?). Ultimately, I reconfigured my MTA so that anyone who
successfully authenticates POP3 will not be screened through the SBL. It
opens a small hole that I have to manage, but the kind of customer I deal
with is highly unlikely to spam.

The use of dynamic addressing also means that the source can move faster
than you can block it. In fact, the real, identifiable source is the
destination port, not the source IP address, and hence the obvious choice.
I don't think a large ISP would choose to do this arbitrarily, and more, I
don't think a large number of the largest of them would all do it if they
weren't convinced that the benefit was worth the inconvenience they are
creating to their customers. I lurk on NANOG and learn a lot, and it's
clear to me that these guys talk and think through things extensively before
they start making systemic changes like that. The business side may forget
to tell you, but that's a different problem.

And if the inconvenience of the unauthenticated protocol being "hobbled"
forces people to move to the authenticated protocols, I'm even more in favor of
it, because it's where we need to be. Helping a client get a stable, secure
email connection is time well spent in my opinion, for reasons that go
beyond the issue of spam.

--Patrick
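The MTA policy Patrick describes (screen unauthenticated clients against the Spamhaus SBL/XBL, let clients who have proven themselves with a password through without that check) is worth seeing as code. The block below is an added example written for this archive page; it is not Patrick's configuration or any MTA's real code. The DNSBL lookup name construction (reversed octets plus zone) is the standard DNSBL mechanism; the resolver is a constructed in-memory stub with made-up listings on documentation addresses, the 127.0.0.x answer meanings are assumed for illustration, and the `AuthenticatedSenderQuota` class is an assumption about how one might manage the "small hole" an auth bypass opens.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# The combined Spamhaus zone mentioned in the post. It is the only real
# identifier in this example; the listings below are constructed.
DNSBL_ZONE = "sbl-xbl.spamhaus.org"


def dnsbl_query_name(client_ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the name a DNSBL client looks up: IPv4 octets reversed, then the zone.

    192.0.2.10 checked against sbl-xbl.spamhaus.org becomes
    10.2.0.192.sbl-xbl.spamhaus.org. Parsing via ipaddress rejects junk
    (it raises ValueError) before anything reaches the resolver.
    """
    ip = ipaddress.IPv4Address(client_ip)
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


# Constructed stand-in for DNS. A real MTA does an A-record lookup; a listed
# address answers with a 127.0.0.x code (code meanings are list-specific and
# assumed here), an unlisted address gets NXDOMAIN, represented as None.
CONSTRUCTED_LISTINGS: Dict[str, str] = {
    "10.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",    # constructed: XBL-style hit
    "7.100.51.198.sbl-xbl.spamhaus.org": "127.0.0.2",  # constructed: SBL-style hit
}


def stub_resolver(name: str) -> Optional[str]:
    """Constructed resolver: returns the listing code or None for 'not listed'."""
    return CONSTRUCTED_LISTINGS.get(name)


@dataclass
class Decision:
    accept: bool
    reason: str


def relay_decision(client_ip: str, authenticated: bool,
                   resolve: Callable[[str], Optional[str]] = stub_resolver,
                   zone: str = DNSBL_ZONE) -> Decision:
    """Decide whether to accept mail for relay from client_ip.

    An authenticated session (SMTP AUTH, or POP-before-SMTP as in the post) is
    trusted on the strength of its credentials and skips the DNSBL, so a
    legitimate customer who inherited a tainted dynamic address can still send.
    Unauthenticated sessions are screened against the list.
    """
    if authenticated:
        return Decision(True, "authenticated session; DNSBL check skipped")
    answer = resolve(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return Decision(True, f"{client_ip} not listed in {zone}")
    return Decision(False, f"{client_ip} listed in {zone} (answer {answer})")


class AuthenticatedSenderQuota:
    """Cap messages per authenticated account within a window, so a compromised
    password cannot turn the DNSBL bypass into an unlimited relay.

    The cap and the in-memory counter are assumptions of this example, not a
    description of the post's actual setup.
    """

    def __init__(self, max_messages: int) -> None:
        self.max_messages = max_messages
        self._sent: Dict[str, int] = {}

    def allow(self, account: str) -> bool:
        sent = self._sent.get(account, 0)
        if sent >= self.max_messages:
            return False
        self._sent[account] = sent + 1
        return True


if __name__ == "__main__":
    # The neighbor scenario from the post: same (constructed) listed address,
    # rejected without credentials, accepted once authenticated.
    print(relay_decision("192.0.2.10", authenticated=False))
    print(relay_decision("192.0.2.10", authenticated=True))
```

The two halves encode the trade-off in the post: the DNSBL is a statement about an address, which on a dynamic pool says little about the person currently holding it, while credentials are a statement about an account, which is why authentication is the better gate and why a per-account cap is the natural way to bound the hole it opens.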
Received on Thu Sep 02 2004 - 16:08:08 BST

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:37:27 BST