Re: FW: The worst abuse e-mail ever, sverige.net
On Tue, 21 Sep 2004, Dan Mahoney, System Admin wrote:
Unless your connection is permanent, with a permanent static IP, you should not be *directly* sending out mail. The very nature of dynamic IPs implies that even if a single subscriber gets infected, you have no guarantee YOU won't wind up with that IP next.
As I said, this is DSL, which to me implies always on. Each DSLAM port only allows one IP address; this is set statically. The customer has a static IP address assigned to him/her, which never changes over time. No DHCP, nothing dynamic whatsoever. If you want to make yourself unreachable to one of our customers you blacklist their IP, which is always the same. Simple. Now, how do we make the world understand this?
-- Mikael Abrahamsson email: swmike@swm.pp.se
On Tue, 2004-09-21 at 13:01, Mikael Abrahamsson wrote:
On Tue, 21 Sep 2004, Dan Mahoney, System Admin wrote:
Unless your connection is permanent, with a permanent static IP, you should not be *directly* sending out mail. The very nature of dynamic IPs implies that even if a single subscriber gets infected, you have no guarantee YOU won't wind up with that IP next.
As I said, this is DSL, which to me implies always on. Each DSLAM port only allows one IP address; this is set statically. The customer has a static IP address assigned to him/her, which never changes over time. No DHCP, nothing dynamic whatsoever. If you want to make yourself unreachable to one of our customers you blacklist their IP, which is always the same. Simple.
Now, how do we make the world understand this?
When this customer discontinues service, would you want to reuse this address? If your network was (ab)used for sending spam, then the next customer may find this address unusable and you would need to contact a few hundred blacklists in an attempt to rehabilitate the address. As a prophylactic measure, Port 25 is blocked or transparently intercepted to monitor the network via error logs. For external mail submissions, Port 587 would be recommended. There is an overview of this at: http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt
-Doug
On Tue, 21 Sep 2004, Douglas Otis wrote:
As a prophylactic measure, Port 25 is blocked or transparently intercepted to monitor the network via error logs. For external mail submissions, Port 587 would be recommended.
There is an overview of this at: http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt
We want to receive abuse email and act on it; it doesn't matter if customers are infected and sending spam, or if they're infected and trying to remote-exploit web servers or Windows computers or what have you. We've been considering using netflow to detect end users doing a lot of port 25 activity towards a lot of random destinations. I find this much more net-friendly than just blocking 25 and forcing them to use our smarthost (it also stops our smarthost from being blacklisted by some overzealous blacklist admins).

Starting to block just means you will have to block more and more all the time. Ports 135-139 and 445 will be practically unusable on the network for a long time (some users complain about this).

I was under the impression that most blacklists have a time-out period: when there is no more activity from a certain IP, it is removed from the blacklist. Is this not the case?

Also, having hundreds of blacklists as per your email seems like a very silly idea? I can understand 3-5, but hundreds?

-- Mikael Abrahamsson email: swmike@swm.pp.se
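The netflow-based check Mikael proposes in the message above (many distinct port 25 destinations from one customer in a short time), written out as an added example. This is not code from the thread or from any NANOG participant; the flow records are constructed here in a minimal NetFlow-style shape, and the 10-minute window, the threshold of 20 destinations and the MTA allowlist are illustrative assumptions.

```python
"""Flag customer IPs whose outbound TCP/25 traffic fans out to many
distinct destinations, the NetFlow-based check described above.

Added example, not code from the thread. The flow records are constructed
here in a minimal NetFlow-style shape (src, dst, dport, proto, start);
the window, threshold and MTA allowlist are illustrative assumptions."""

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int   # 6 = TCP
    start: int   # flow start, epoch seconds


# Assumption: you keep a list of customers who run real MTAs. They fan out
# on port 25 by design and must be excluded rather than flagged.
KNOWN_MTAS = frozenset({"192.0.2.25"})


def smtp_fanout(flows, window=600, threshold=20, allowlist=KNOWN_MTAS):
    """Return {src: sorted distinct port-25 destinations} for every source
    that reached more than `threshold` distinct destinations on TCP/25
    within some `window`-second span. Only flow start times are used, so
    a long-lived session counts once."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == 6 and f.dport == 25 and f.src not in allowlist:
            by_src[f.src].append(f)

    flagged = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.start)
        live = Counter()          # dst -> flows inside the current window
        lo = 0
        for f in fl:
            live[f.dst] += 1
            # slide the window: drop flows older than `window` seconds
            while f.start - fl[lo].start > window:
                old = fl[lo].dst
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                lo += 1
            if len(live) > threshold:
                flagged[src] = sorted({x.dst for x in fl})
                break
    return flagged


def _constructed_flows():
    """Constructed sample: one infected host, one normal user, one known
    MTA, and one host that mails many places but slowly."""
    flows = []
    # infected host: 30 destinations in under three minutes
    for i in range(30):
        flows.append(Flow("192.0.2.77", f"203.0.113.{i + 1}", 25, 6, 1000 + 5 * i))
    # normal user: the ISP smarthost plus one other server
    flows += [Flow("192.0.2.10", "198.51.100.5", 25, 6, 1000),
              Flow("192.0.2.10", "198.51.100.9", 25, 6, 1300)]
    # the known MTA: 40 destinations quickly (allowlisted, so ignored)
    for i in range(40):
        flows.append(Flow("192.0.2.25", f"203.0.113.{i + 1}", 25, 6, 1000 + 2 * i))
    # slow sender: 25 destinations 15 minutes apart, never many per window
    for i in range(25):
        flows.append(Flow("192.0.2.99", f"203.0.113.{i + 1}", 25, 6, 1000 + 900 * i))
    # unrelated traffic that must be ignored (port 80)
    flows.append(Flow("192.0.2.77", "203.0.113.1", 80, 6, 1000))
    return flows


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for src, dsts in smtp_fanout(SAMPLE_FLOWS).items():
        print(f"{src}: {len(dsts)} distinct TCP/25 destinations in one window")
```

The allowlist is the part that keeps this from becoming the Whack-a-Mole Doug warns about: a customer who runs a legitimate mail server looks exactly like an infected host on fan-out alone, so the check has to be combined with knowledge of who is allowed to be an MTA, and the slow sender in the sample shows why the time window matters as much as the raw destination count.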
On Tue, 21 Sep 2004 23:22:42 +0200, Mikael Abrahamsson said:
Also, having hundreds of blacklists as per your email seems like a very silly idea? I can understand 3-5, but hundreds?
Just because one organization with clue provides a BGP feed with the current list of bogon addresses doesn't mean there aren't still several hundred sites that are still blocking 69/8 as a bogon. Similarly for blacklists: lots of sites have their own personal list of places they really don't want to hear from.
On Tue, 2004-09-21 at 14:22, Mikael Abrahamsson wrote:
On Tue, 21 Sep 2004, Douglas Otis wrote:
As a prophylactic measure, Port 25 is blocked or transparently intercepted to monitor the network via error logs. For external mail submissions, Port 587 would be recommended.
There is an overview of this at: http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt
We want to receive abuse email and act on them, doesn't matter if customers are infected and sending spam or if they're infected and trying to remote-exploit web-servers or windows computers or what have you. We've been considering using netflow to detect end-users doing a lot of port 25 activity towards a lot of random destinations, I find this much more net-friendly than to just block 25 and force them to use our smarthost (also stops our smarthost from being blacklisted by some overzealous blacklist-admins).
Cisco offers a Content Services Gateway that will allow auditing of SMTP error messages, as an example. Just looking at user SMTP traffic will not always be a good indication that something nefarious is happening. The Whack-a-Mole game that results may clobber your good customers perhaps once too often. Tracking the reply codes for things like 550, 551, 553 and filtering for results greater than 50 or so should alert you that something bad is happening, or that they are having a hard time typing addresses. : )
Starting to block just means you will have to block more and more all the time. Ports 135-139 and 445 will be practically unusable on the network for a long time (some users complain about this).
I was under the impression that most blacklists would have a time-out period when there was no more activity from this certain IP, it would be removed from the blacklist. Is this not the case?
Hard to know how the average black-listing service ages their data. Some IP addresses cycle over large periods of time. Some segments were so bad, a few providers enter them using BGP into a router to conserve network resources. That entry may live for decades and be very difficult to correct.
Also, having hundreds of blacklists as per your email seems like a very silly idea? I can understand 3-5, but hundreds?
I was not recommending that you post to blacklisting services, but rather that you will end up dealing with these services in an effort to allow the address to once again reliably send mail, should your customer expect that ability.
-Doug
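The reply-code audit Doug suggests above (count 550/551/553 rejections per customer and alert past a threshold of about 50), as an added example rather than code from the thread or from any Cisco product. The log format is constructed for this example, one line per SMTP reply observed by the intercepting gateway: "<epoch> client=<ip> server=<ip> code=<nnn>"; the field names and the threshold are assumptions.

```python
"""Count hard SMTP rejections (550/551/553) per customer IP, the
reply-code audit suggested above: dozens of 550s from one source look
like a spam run, not mistyped addresses.

Added example, not from the thread and not tied to any vendor product.
The log format is constructed for this example, one line per observed
SMTP reply: "<epoch> client=<ip> server=<ip> code=<nnn>". The field
names and the threshold of 50 are assumptions."""

import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d+) client=(?P<client>\d{1,3}(?:\.\d{1,3}){3}) "
    r"server=\d{1,3}(?:\.\d{1,3}){3} code=(?P<code>\d{3})\b"
)

HARD_REJECTS = frozenset({550, 551, 553})


def audit_reply_codes(lines, codes=HARD_REJECTS, threshold=50):
    """Return (counts, flagged): counts maps client IP -> number of replies
    whose code is in `codes`; flagged is the sorted list of clients with
    more than `threshold` such replies. Unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        if int(m["code"]) in codes:
            counts[m["client"]] += 1
    flagged = sorted(c for c, n in counts.items() if n > threshold)
    return counts, flagged


def _constructed_log():
    """Constructed sample log: a spam source, a normal user, a host being
    greylisted (451 is a temporary failure, not a hard reject), and junk."""
    lines = []
    t = 1095800000
    for i in range(60):   # spam run: 60 hard rejections across 7 servers
        lines.append(f"{t + i} client=192.0.2.77 server=203.0.113.{i % 7 + 1} code=550")
    for i in range(10):   # a few that got through
        lines.append(f"{t + 100 + i} client=192.0.2.77 server=203.0.113.9 code=250")
    for i in range(20):   # normal user, mostly accepted
        lines.append(f"{t + 200 + i} client=192.0.2.10 server=198.51.100.5 code=250")
    for i in range(3):    # three typos
        lines.append(f"{t + 300 + i} client=192.0.2.10 server=198.51.100.5 code=550")
    for i in range(60):   # greylisting: temporary failures, not counted
        lines.append(f"{t + 400 + i} client=192.0.2.55 server=198.51.100.7 code=451")
    lines.append("this line is garbage and must be skipped")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    counts, flagged = audit_reply_codes(SAMPLE_LOG)
    for ip in flagged:
        print(f"{ip}: {counts[ip]} hard rejections, investigate")
```

Only permanent 5xx codes are counted by default; 4xx temporary failures such as greylisting would otherwise make a perfectly healthy sender look like an abuser, which is the false-positive case the threshold is there to avoid. The `codes` and `threshold` parameters are left open so the same function can be pointed at a different code set if a particular remote server uses a different rejection code.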
participants (3): Douglas Otis, Mikael Abrahamsson, Valdis.Kletnieks@vt.edu