-----Original Message----- From: Owen DeLong [mailto:owen@delong.com] Sent: Friday, September 03, 2010 1:10 PM To: John Levine Cc: nanog@nanog.org Subject: Re: ISP port blocking practice
Sent from my iPad
COOL!
On Sep 3, 2010, at 10:10 PM, John Levine <johnl@iecc.com> wrote:
Really? So, since so many ISPs are blocking port 25, there's lots
less spam
hitting our networks?
It's been extremely effective in blocking spam sent by spambots on large ISPs. It's not a magic anti-spam bullet. (If you know one, please let us know.)
That simply hasn't been my experience. I still get lots of spam from booted hosts in large provider networks, and yes, that includes many that block 25. As near as I can tell, 25 blocking is not affecting spammers at all, just legitimate users.
There was a time when it was effective, but the spammers have long since adapted. Now we are only breaking the Internet. We are no ,onger accomplishing anything ireful. It's pure momentum.
So.... How are you getting messages from a user who is sending a message from a network with port 25 blocked? If there is some kind of alternate port usage, or tunneling going on, then there would have been no way to stop it with a filter without doing even more filtering. This additional filtering would likely increase the number of blocked port numbers. This would start breaking other valid protocols. Since you have no suggestions on how to actually handle this issue, I would suggest that you stop criticizing the ones trying to solve the problem for the excessive majority (likely < 99.999%) of users. It is OK to represent the needs of a minority, but the average user doesn't even notice these types of filters and it prevents (largely) ISPs from spending time removing customer IP addresses from RBLs and other filtering mechanisms.
workaround. Since, like many of us, I use a lot of transient
having to reconfigure for each unique set of brokenness is actually wasting more of my time than the spam this brokenness was alleged to
networks, prevent.
Is there some reason you aren't able to configure your computers to
use
tunnels or SUBMIT? They seem to work pretty well for other people.
Many of the transient networks I deal with block 22, 25, 465, and 587. They also often block protocols 41 and 43 or do not provide a public address, rendering those protocols unusable anyway.
Yes, I am now running ssh and s,tp processes on ports 80 and 443 to get around this, but, that consumes an extra address for something that should be handled by a port number.
I'm sorry that you have/had to deal with a provider doing this. I would call it bad form to block ports used for completely valid reasons (not abused services) and would stand by you on those issues.
Personally, i'd rather use port numbers for l4 uniqueness rather than IP Addresses.
With you here brother. :)
Owen
BTW... In a previous post you mentioned "Net Neutrality". Port 25 blocking has NOTHING to do with "Net Neutrality" as long as you block port 25 in a non-partisan manner. If I block port 25 to provider X and not to provider Y for any reason other than abuse/security/network stability specific reasons (meaning to be financially or ethically unreasonable), then it may be considered not being "neutral" in the terms of "Net Neutrality". I would NEVER do such a thing. - Brian CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, copying, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Thank you.