Re: Misguided SPAM Filtering techniques
On Oct 23, 2007, at 1:48 PM, Christopher Morrow wrote:
On 10/23/07, Jack Bates <jbates@brightok.net> wrote:
I really don't get it. While I understand with tcp/25 blocking, there is absolutely no reason to block tcp/587. If credentials are being hijacked, it is
morrowc$ telnet mail.ops-netman.net 26
Trying 71.246.230.124...
Connected to mail.ops-netman.net.
Escape character is '^]'.
220 A host is a host from coast to coast... Hosty-host ESMTP...
why don't people just run a new version of their MTA on a port not-filtered?? The simple fact is that port-25 filtering does help, it does also seem to piss off some portion of 'smart folks' (power users, whatever you choose to call them). So, being smart, just work your box(es) such that this isn't a problem for you?
I want to make it clear... I don't mind people filtering either 25 or 587, but, blocking both is highly unacceptable. Even more unacceptable in my opinion is hijacking connections to either off to your own man-in-the-middle attack server. Owen
I want to make it clear... I don't mind people filtering either 25 or 587, but, blocking both is highly unacceptable.
I can't see any operational reason to block 587.
Even more unacceptable in my opinion is hijacking connections to either off to your own man-in-the-middle attack server.
We had a client whose RFP vanished into thin air because of that-- he sent it from a hotel that practiced port 25 hijacking and had had their IP blacklisted for spewing much spam and viruses. So our server rejected the message, and when it tried to send the NDN to him *his* server rejected the NDN for the same reason. Fortunately he called the next day with some details he'd omitted.... I recommended he go back with an army of Huns and raze the hotel, but he settled for a nasty letter and using 587/TLS in future. -- Dave Pooser, ACSA Manager of Information Services Alford Media http://www.alfordmedia.com
Dave Pooser wrote:
We had a client whose RFP vanished into thin air because of that-- he sent it from a hotel that practiced port 25 hijacking and had had their IP blacklisted for spewing much spam and viruses. So our server rejected the message, and when it tried to send the NDN to him *his* server rejected the NDN for the same reason. Fortunately he called the next day with some details he'd omitted....
I recommended he go back with an army of Huns and raze the hotel, but he settled for a nasty letter and using 587/TLS in future.
You should have used the opportunity to educate your customer. Email is a best-effort, no receipt service. It is simply not appropriate to use for business-critical communication without some kind of confirmation of receipt. The hotel didn't really do the wrong thing. It took the email and made a best effort to deliver it. When it failed, it made a best effort to alert the sender. That is what email is supposed to be like. Obviously, they've had a spam problem. So just passing port 25 unmolested would not be right. Blocking it is not a very good solution either because people who are not sophisticated will just be unable to send mail. People who are sophisticated won't be using port 25 outbound from odd net locations anyway. You should blame whoever decided not to accept *any* email from the hotel just because *some* of the email was spam. That person knew or should have known that some of that email might be business critical. Hmm, that was *YOU*. Perhaps you are using a misguided spam filtering technique? How many RFPs are you willing to lose to reduce spam? DS
You should have used the opportunity to educate your customer. Email is a best-effort, no receipt service. It is simply not appropriate to use for business-critical communication without some kind of confirmation of receipt.
That sounds like a statement from the dawn of the ARPAnet. Email is a best effort service, sure. In an ideal world, people would not use it for business-critical communication. But that train left the station a decade ago; if you design your network around the assumption that email is just going to spontaneously vanish sometimes and that's OK, you'll have lower customer satisfaction ratings than chlamydia does.
The hotel didn't really do the wrong thing.
Yes it did. It silently hijacked traffic directed for his email server and directed it to an unrelated server. That is never, ever acceptable behavior for a network. Full stop. If they *insist* on hijacking a better response would be to point all port 25 traffic except relay.cluefreehotel.dom to an internal address with an SMTP server that did nothing but issue a 550 with a Web page link that would show the user how to configure Outlook/OE/Thunderbird/Mail.app to send via the hotel's relay server. That way the user knows something bad is happening. The problem is then the hotel has to deal with annoyed users, whereas with the hotel's silent hijacking solution many users don't know enough to be annoyed until after they've left, and may be annoyed at a third party rather than the hotel. Win for the hotel, lose for everybody else.
Blocking it is not a very good solution either because people who are not sophisticated will just be unable to send mail.
Blocking means people who are not sophisticated will be unable to send email and will *know* that they are unable to send email. Silently hijacking means those people will be unable to send email to much (though not all) of the Internet with no idea which messages are successful and which aren't.
You should blame whoever decided not to accept *any* email from the hotel just because *some* of the email was spam. That person knew or should have known that some of that email might be business critical. Hmm, that was *YOU*.
Yep, and my company's customer. Each of us had decided, independently, that a host that appeared on a Spamhaus.org blacklist was not allowed to talk to our mail servers. Both of us operated on the assumption that there was not a host in the middle silently hijacking packets. Those assumptions were wrong in this case, but not IMO unreasonable. On the bright side, the customer has now learned to do what my staff already do, which is use an alternate port with encryption, use VPN as a fallback plan, and failing that go somewhere else for Internet access. -- Dave Pooser, ACSA Manager of Information Services Alford Media http://www.alfordmedia.com
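The "point port 25 at a box that does nothing but issue a 550 with a link" design Dave describes above, sketched as an added example; this is not code from the thread or from any of the posters, and the relay hostname, help URL and listening port are placeholders:

```python
import socketserver

# Placeholders, not values from the thread: the hotel's real relay (the one
# host whose port 25 is left alone) and the page that explains client setup.
RELAY_HOST = "relay.cluefreehotel.dom"
HELP_URL = "http://example.invalid/how-to-send-mail"
REFUSAL = (f"550 5.7.1 Port 25 is redirected on this network. Send through "
           f"{RELAY_HOST} or see {HELP_URL} for client settings")

def respond(line: str) -> tuple[str, bool]:
    """Map one client command to (reply, close_connection). The handshake is
    accepted so the client reaches MAIL FROM, where common mail clients show
    the server's error text to the user; anything that would actually move a
    message gets a permanent 550 carrying the explanation and the URL."""
    words = line.strip().split(None, 1)
    verb = words[0].upper() if words else ""
    if verb in ("HELO", "EHLO"):
        return f"250 {RELAY_HOST} is not the server you asked for", False
    if verb in ("MAIL", "RCPT", "DATA"):
        return REFUSAL, False
    if verb in ("NOOP", "RSET"):
        return "250 2.0.0 OK", False
    if verb == "QUIT":
        return "221 2.0.0 Bye", True
    return "502 5.5.2 Command not implemented", False

def session(commands: list[str]) -> list[str]:
    """Run a scripted client session without sockets and return all replies."""
    replies = [f"220 {RELAY_HOST} ESMTP outbound-port-25 redirect"]
    for cmd in commands:
        reply, close = respond(cmd)
        replies.append(reply)
        if close:
            break
    return replies

class ExplainHandler(socketserver.StreamRequestHandler):
    """Socket wrapper around respond(): one TCP connection per handler."""
    def handle(self) -> None:
        self.wfile.write(f"220 {RELAY_HOST} ESMTP outbound-port-25 redirect\r\n".encode())
        for raw in self.rfile:
            reply, close = respond(raw.decode("ascii", "replace"))
            self.wfile.write((reply + "\r\n").encode())
            if close:
                break

if __name__ == "__main__":  # listen where the router's port 25 redirect lands (placeholder port)
    socketserver.ThreadingTCPServer(("0.0.0.0", 2525), ExplainHandler).serve_forever()
```

Because the refusal is a permanent 5xx rather than a silent accept, the user's client reports the failure immediately instead of the message bouncing (or vanishing) somewhere downstream.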
On 10/23/07, Owen DeLong <owen@delong.com> wrote:
I want to make it clear... I don't mind people filtering either 25 or 587, but, blocking both is highly unacceptable. Even more unacceptable in my opinion is hijacking connections to either off to your own man-in-the-middle attack server.
Owen, You must have been irked by the airport wireless in ABQ then. I couldn't figure out why my ssh connection was failing until I checked the DNS and realized that even after clicking the "free access" button in a web browser they returned 192.168.1.1 for almost every name requested. :( I can understand blocking outbound tcp 25. I wish more folks did it. Blocking 587 makes no sense. The whole point of 587 is that it's the authenticated mail submission port. It's of very limited use to spammers. Guess we'll have to move it to 443 too. ;) Regards, Bill -- William D. Herrin herrin@dirtside.com bill@herrin.us 3005 Crane Dr. Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On 10/24/07, William Herrin <herrin-nanog@dirtside.com> wrote:
You must have been irked by the airport wireless in ABQ then. I couldn't figure out why my ssh connection was failing until I checked the DNS and realized that even after clicking the "free access" button in a web browser they returned 192.168.1.1 for almost every name requested. :(
I will trade your ABQ wireless for almost anything that uses Nomadix's hotspot product .. the one that has a login page on http://1.1.1.1 - even more broken dns jail, returns 0.0.0.0 if I remember correctly for random queries till their upstream dns resolver actually decides to go update its cache. Probably because I have a v6 aware resolver + some of the hosts I accessed were dual v4/v6 or something, not sure. I got a really well filled /etc/hosts file for trips through paris airport (where the paris airport hilton charges 25 EUR a day for wifi, and it is 9 EUR an hour at the airport, ugh) srs