On Mon, 23 Jun 2003, Paul Vixie wrote:

> chris@UU.NET ("Christopher L. Morrow") writes:
>
> > ISPs could block all ports and save everyone the hassle of having an Internet.... (I am just kidding of course)
> >
> > Two interesting points though:
> > 1) Spammers adapt
> > 2) default insecure OS installs cause problems
>
> 3) thoughtless reactionism at isps does little good and sometimes some harm.

indeed it does... breaking the network with acls often gets me in trouble :) Really, there are always better solutions than mass filtering something like this.

> take for example port-25 blocking. i've been getting relayprobed all weekend by someone who gets around outbound at&t's tcp/25 SYN blocking by sending their SYNs through a provider who shall remain nameless (except that chris morrow happens to work there :-)) using at&t IP source addresses. i guess they multihomed their host and bind()'d the outbound socket to one interface even while making sure the routing used a different interface. high rocket science? NOT.

This is what our, at least, abuse team calls 'fantasy mail'. There is a fix for it, port 25 in and out filtering for radius customers. The 'problem' as I understand it, is that the change would be a contract change so it has to wait for expiration of said contract to be enforced... :( It's a sucky world sometimes. Perhaps Paul complained to ATT/<other-unnamed-provider> with logs and such? :)

> so if you're going to block tcp/25 SYNs on outbound, please make sure you block SYN/ACKs on input too, or else you just give the spammers a little more work to do instead of a lot more work to do.

Yup, this is in the works also... and yes, someone realized quickly enough that the one-way filtering was dumb. oh well. live and learn!
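The two filter variants discussed in this exchange, modelled as an added example (not part of the thread, and not any vendor's ACL syntax): a one-way policy that only drops customer-originated SYNs to tcp/25, and the two-way policy Paul asks for, which also drops SYN/ACKs from tcp/25 heading back toward the customer. The sample packets are constructed here; the "reply from remote MTA" packet stands for the SYN/ACK that comes home through the filtering provider after the SYN itself left by a different path. The packet model, the `Packet` class and the policy function names are all assumptions of this example.

```python
from dataclasses import dataclass

# Constructed packet model for the example: only the fields the two
# policies look at. "out" is customer -> Internet, "in" is Internet -> customer.
@dataclass(frozen=True)
class Packet:
    direction: str
    src_port: int
    dst_port: int
    syn: bool
    ack: bool

def one_way_policy(p: Packet) -> str:
    """Outbound-only filter: drop customer-originated SYNs to tcp/25.

    This is the 'dumb' one-way filtering from the thread. It never
    inspects inbound traffic, so a SYN/ACK for a connection whose SYN
    left through some other provider passes straight through.
    """
    if p.direction == "out" and p.dst_port == 25 and p.syn and not p.ack:
        return "drop"
    return "pass"

def two_way_policy(p: Packet) -> str:
    """One-way filter plus the inbound half: drop SYN/ACKs from tcp/25.

    Dropping the inbound SYN/ACK means the handshake cannot complete
    even when the outbound SYN was routed around this filter.
    """
    if one_way_policy(p) == "drop":
        return "drop"
    if p.direction == "in" and p.src_port == 25 and p.syn and p.ack:
        return "drop"
    return "pass"

# Constructed sample traffic (hypothetical ports, no real hosts).
SAMPLE = {
    # normal client connection from the customer to a remote mail server
    "customer SYN to remote MTA": Packet("out", 40001, 25, syn=True, ack=False),
    # the remote MTA's reply; the SYN it answers never crossed this filter
    "SYN/ACK reply from remote MTA": Packet("in", 25, 40001, syn=True, ack=True),
    # a customer hosting their own MTA: inbound SYN, outbound SYN/ACK
    "remote client SYN to customer MTA": Packet("in", 51000, 25, syn=True, ack=False),
    "customer MTA SYN/ACK to remote client": Packet("out", 25, 51000, syn=True, ack=True),
    # unrelated traffic that neither rule should touch
    "customer SYN to web server": Packet("out", 40002, 80, syn=True, ack=False),
}

def evaluate(policy) -> dict:
    """Run every sample packet through one policy; returns name -> verdict."""
    return {name: policy(pkt) for name, pkt in SAMPLE.items()}

def compare() -> dict:
    """Side-by-side verdicts for both policies, keyed by packet name."""
    one, two = evaluate(one_way_policy), evaluate(two_way_policy)
    return {name: (one[name], two[name]) for name in SAMPLE}

if __name__ == "__main__":
    print(f"{'packet':40} {'one-way':8} {'two-way':8}")
    for name, (a, b) in compare().items():
        print(f"{name:40} {a:8} {b:8}")
```

The table the script prints shows the only row where the two policies differ: the SYN/ACK coming back from the remote MTA passes the one-way filter and is dropped by the two-way one. Inbound connections to a mail server the customer runs themselves are untouched by both, since those packets are inbound SYNs to port 25 and outbound SYN/ACKs from it, not inbound SYN/ACKs from port 25.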