Paul,
> What this means, though, is that third party relays are no longer being given so much mail to deliver (by any given spammer, that is) that they come to us (the anti-spam crowd) screaming for anti-relay solutions such as Eric Allman's excellent http://www.sendmail.org/antispam.html logic. Oh sure, the next day or the next week the relay will be abused again, but now that it no longer brings the relay (and its upstream link) to its knees, the operators of these relays are feeling considerably less natural pressure to turn off third party relaying. Microsoft's Exchange 5.0 adds relay support and the default is ON.
Well I think you hit the nail on the head with this paragraph. Whilst Microsoft and the standard sendmail distribution ship with relaying on by default, 95% of sites will probably relay. If this was changed (yup, makes installation harder), 95% of sites wouldn't have relaying on by default.

paul@vix.com said:
> But be aware that blackholing people, especially on my say so, will lead you to get complaints from your users about unreachability, and complaints from other ISP's users about unreachability, and that while these are probably
One of the big problems we found is that if you naively blackhole a route, you only stop backtraffic to that destination. Some sites were sending us so many SYN opens that, as our SYNACKs never got there, we ended up turning a mild source of SPAM into a powerful SYN flood attack. The solution is to (a) ensure you are running kernels capable of handling this reasonably well, and (b) (more important) ensure that your blackholing router returns ICMP unreachable for these nets, not simply swallows the packet. For various reasons this is difficult to do with Ciscos without unpleasant things like telnet <blackholed address> giving you a logon onto the router. I'll publish the fix when we have it honed. (The unreachable should make the kernel drop the record of the half-open connection.)

One particular site (something at AT&T worldnet - no compunction about naming them as this was so ridiculous) was sending us one open every minute *per mail message queued* (i.e. they were running with -q1m). This is seriously clueless. We spent the best part of half a day's engineering time trying to get through to a clueful person there. Eventually we got through to the person allegedly running the server, who had no idea how or why it had been set up like that, but didn't want to change it, or disable relaying. So now they are in the appropriate access list deny in the relevant border router, even for incoming packets. No complaints yet.

Alex Bligh
Xara Networks
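The half-open pile-up Alex describes above, worked through as a small simulation. This is an added example, not code from the thread or from Xara Networks: it models a blackholed site running sendmail with -q1m (one SYN per queued message per minute) against three router behaviours, silently discarding our SYN-ACKs, answering them with ICMP unreachable, or dropping the site's SYNs inbound with an ACL. The SYN_RCVD timeout, the listen backlog, the ICMP round trip and the assumption that the kernel drops a half-open record when the SYN-ACK is bounced are all modelling assumptions, not measured values; real kernels of the period did not all react to ICMP unreachable in SYN_RCVD the way the post hopes.

```python
"""Model of the failure mode described in the post above: a blackhole route
only stops our return traffic, so the blackholed site's SYNs still arrive,
our SYN-ACKs vanish, and half-open connections pile up in the listen queue.
If the router instead answers each SYN-ACK with ICMP unreachable, the kernel
can drop the half-open record at once and nothing accumulates.

Constructed example, not code from the thread. Timeouts, backlog size and
the assumption that the kernel drops SYN_RCVD entries on ICMP unreachable
are modelling assumptions, not measured values.
"""

from collections import deque

# Seconds a kernel keeps a SYN_RCVD entry while retransmitting the SYN-ACK
# before giving up (assumption; real values vary by OS).
SYN_RCVD_TIMEOUT = 180
# Ticks until the router's ICMP unreachable reaches us (assumption).
ICMP_RTT = 1
# sendmail started with -q1m reruns its queue every minute, so each queued
# message costs us one SYN per minute, as the post describes.
QUEUE_RUN_INTERVAL = 60
# Maximum half-open connections the listening socket holds (assumption).
LISTEN_BACKLOG = 128


def simulate(policy, queued_messages, duration):
    """Run `duration` one-second ticks and return
    (peak_half_open, final_half_open, refused_legitimate_syns).

    policy:
      'blackhole'    router silently discards our SYN-ACKs
      'unreachable'  router answers our SYN-ACKs with ICMP unreachable
      'deny_inbound' border ACL drops the peer's SYNs before they reach us
    A legitimate client sends one SYN per tick (constructed load) and is
    refused whenever the half-open queue is already full.
    """
    if policy not in ('blackhole', 'unreachable', 'deny_inbound'):
        raise ValueError('unknown policy: %r' % policy)
    expiries = deque()   # expiry tick of each live SYN_RCVD entry, FIFO
    peak = refused = 0
    for now in range(duration + 1):
        # Drop entries whose SYN-ACK retransmissions have run out, or whose
        # SYN-ACK was bounced by ICMP unreachable.
        while expiries and expiries[0] <= now:
            expiries.popleft()
        # Legitimate client's SYN: refused if the queue is full.
        if len(expiries) >= LISTEN_BACKLOG:
            refused += 1
        # The blackholed site's queue run: one SYN per queued message.
        if policy != 'deny_inbound' and now % QUEUE_RUN_INTERVAL == 0:
            lifetime = SYN_RCVD_TIMEOUT if policy == 'blackhole' else ICMP_RTT
            expiries.extend([now + lifetime] * queued_messages)
        peak = max(peak, len(expiries))
    return peak, len(expiries), refused


def compare(queued_messages=100, duration=599):
    """Run all three policies on the same load; returns {policy: result}."""
    return {p: simulate(p, queued_messages, duration)
            for p in ('blackhole', 'unreachable', 'deny_inbound')}


if __name__ == '__main__':
    for policy, (peak, final, refused) in compare().items():
        print('%-13s peak=%4d final=%4d legitimate SYNs refused=%d'
              % (policy, peak, final, refused))
```

With 100 queued messages the blackhole case settles at SYN_RCVD_TIMEOUT / QUEUE_RUN_INTERVAL = 3 queue runs' worth of half-open entries (300), well over the 128-entry backlog, so legitimate clients are refused for almost the whole run; the unreachable case never holds more than one run's worth for longer than the ICMP round trip, and the inbound deny holds nothing. On a Linux box the first two router behaviours correspond to the `blackhole` and `unreachable` route types of `ip route add` (the latter answers with ICMP host unreachable), which is the distinction the post is asking for.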