RE: Abuse procedures... Reality Checks
It truly is a wonder that Comcast doesn't apply DOCSIS config file filters on their consumer accounts, leaving just the IPs of their email servers open. Yes, it would take an education campaign on their part for all the consumers that do use alternate SMTP servers, but imagine how much work it would save their abuse department in the long run.

Frank

-----Original Message-----
From: Frank Bulk
Sent: Wednesday, April 11, 2007 5:10 PM
To: 'nanog@merit.edu'
Subject: Re: Abuse procedures... Reality Checks

On Tue, Apr 10, 2007 at 07:44:59AM -0500, Frank Bulk wrote:
Comcast is known to emit lots of abuse -- are you blocking all their networks today?
All? No. But I shouldn't find it necessary to block ANY, and wouldn't, if Comcast wasn't so appallingly negligent.

(I'm blocking huge swaths of Comcast space from port 25. This shouldn't really surprise anyone; Comcast runs what may well be the most prolific spam-spewing network in the world. I saw attempts from 80,000+ distinct IP addresses during January 2007 alone -- to a *test* mail server. I should have seen zero. The mitigation techniques for making that happen are well-known, have been well-known for years, and can be implemented easily by any competent organization.)

This, by the way, should not be taken as indicative of either what I've done in the past or may do in the future. Nor should it be taken as indicative of what decisions I've made in re other networks.

---Rsk
On Wed, 11 Apr 2007, Frank Bulk wrote:
It truly is a wonder that Comcast doesn't apply DOCSIS config file filters on their consumer accounts, leaving just the IPs of their email servers open. Yes, it would take an education campaign on their part for all the consumers that do use alternate SMTP servers, but imagine how much work it would save their abuse department in the long run.
There are several large ISPs (millions of subscribers) that have done away with TCP/25 altogether. If you want to send email through the ISP's own email system you have to use TCP/587 (SMTP AUTH). Yes, this takes commitment and resources, but it's been done successfully.

--
Mikael Abrahamsson    email: swmike@swm.pp.se
Mikael Abrahamsson wrote:
On Wed, 11 Apr 2007, Frank Bulk wrote:
It truly is a wonder that Comcast doesn't apply DOCSIS config file filters on their consumer accounts, leaving just the IPs of their email servers open. Yes, it would take an education campaign on their part for all the consumers that do use alternate SMTP servers, but imagine how much work it would save their abuse department in the long run.
There are several large ISPs (millions of subscribers) that have done away with TCP/25 altogether. If you want to send email through the ISP's own email system you have to use TCP/587 (SMTP AUTH).
Yes, this takes commitment and resources, but it's been done successfully.
You don't even need to do that. We just filter TCP/25 outbound and force people to use our mail servers that have sensible rate limiting etc. People who use alternate SMTP servers can fill in a simple web form to have them added to the exception list. We have about 50 on this list so far.

--
Leigh Porter
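The policy Mikael and Leigh describe above (subscriber TCP/25 blocked except to the ISP's own relays, which rate limit; submission on 587 untouched; a web-form exception list for subscribers who use other SMTP servers), worked through as an added example. This is not code from either poster or from any ISP's configuration; the relay addresses, the exception entries, the connection log and the limit of 3 relay connections per 60 seconds are constructed assumptions (documentation address ranges), and only the verdict rules follow the posts.

```python
"""Outbound-SMTP policy simulation: block subscriber TCP/25 except to the ISP's
own relays (which rate limit), plus a per-subscriber exception list.

Added example; every address, limit and log entry below is constructed."""
import ipaddress
from collections import defaultdict, deque

# The ISP's own mail relays (constructed, documentation range).
ISP_RELAYS = {ipaddress.ip_address("203.0.113.25"),
              ipaddress.ip_address("203.0.113.26")}

# Exception list as a web form would populate it:
# subscriber IP -> external SMTP servers that subscriber may reach on TCP/25 (constructed).
EXCEPTIONS = {
    ipaddress.ip_address("198.51.100.7"): {ipaddress.ip_address("192.0.2.10")},
}


class SmtpRateLimiter:
    """Sliding-window cap on new TCP/25 connections per subscriber to the relays."""

    def __init__(self, max_conns=3, window_seconds=60):
        self.max_conns = max_conns
        self.window = window_seconds
        self._seen = defaultdict(deque)  # src -> timestamps of accepted connections

    def allow(self, src, ts):
        q = self._seen[src]
        while q and ts - q[0] >= self.window:   # expire entries outside the window
            q.popleft()
        if len(q) >= self.max_conns:
            return False
        q.append(ts)
        return True


def decide(src, dst, dport, ts, limiter):
    """Return (verdict, reason) for one outbound connection attempt."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != 25:
        return "allow", "not-port-25"        # submission (587) and everything else untouched
    if dst in ISP_RELAYS:
        if limiter.allow(src, ts):
            return "allow", "isp-relay"
        return "deny", "relay-rate-limit"
    if dst in EXCEPTIONS.get(src, set()):
        return "allow", "exception-list"
    return "deny", "port-25-filter"


# Constructed connection attempts: (seconds, subscriber IP, destination IP, destination port).
CONN_LOG = [
    (0,  "198.51.100.5", "203.0.113.25", 25),
    (1,  "198.51.100.5", "203.0.113.25", 25),
    (2,  "198.51.100.5", "203.0.113.26", 25),
    (3,  "198.51.100.5", "203.0.113.25", 25),   # 4th within 60s: rate limited
    (10, "198.51.100.7", "192.0.2.10",   25),   # on the exception list
    (11, "198.51.100.9", "192.0.2.10",   25),   # not on the list: filtered
    (12, "198.51.100.9", "192.0.2.10",   587),  # submission port is not filtered
    (70, "198.51.100.5", "203.0.113.25", 25),   # window has slid: allowed again
]


def evaluate(log=CONN_LOG, max_conns=3, window_seconds=60):
    """Run the policy over a connection log; returns [(ts, src, verdict, reason), ...]."""
    limiter = SmtpRateLimiter(max_conns, window_seconds)
    return [(ts, src) + decide(src, dst, dport, ts, limiter)
            for ts, src, dst, dport in log]


def summarize(results):
    """Count verdict reasons: the numbers an abuse desk would actually watch."""
    counts = defaultdict(int)
    for _, _, _, reason in results:
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in evaluate():
        print("t=%3d %-14s %-5s %s" % row)
    print(summarize(evaluate()))
```

In production the first two checks live in the DOCSIS config file or edge ACLs and the limiter in the relay itself; the script only puts the three pieces side by side so the interaction is visible: the filter never touches port 587, a listed subscriber still reaches its external server, and a subscriber that hammers the relays is throttled rather than blocked outright.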
Citando Frank Bulk <frnkblk@iname.com>: "but imagine how much work it would save their abuse department in the long run"

I think that Comcast's trouble isn't as much as the affected companies'. I keep the idea that the best is to rate limit incoming connections and a lot of filtering to prevent the spam flood and keep hardware costs low.

Placing the filtering on the user will make the user cry a lot against the ISP, change ISP and keep the problem. They really don't care about their computer.

By using rate limit on incoming connections a lot of dynamic addresses are blocked.

"Additionally, upper management gives or takes away manpower many times without the understanding of what 'should' be done to be a good netizen and this defines how much effort can be spent on fixing the problems."

This is the biggest problem: "upper management" really doesn't care and the time to use on these problems is not accounted.

So controlling the number of messages that leave your SMTP server is a solution and the PBL from Spamhaus is a good thing! SPF is also good but will lead to complaints (tough).

Blocking TCP destination port 25 to outside the network might work well on small ISPs without a competing ISP; on big ones I doubt it.

------------------------------------------------------------
Fernando Ribeiro
------------------------------------------------------------
----------------------------------------------------------------
http://www.tvtel.pt - Tvtel Comunicações S.A.
On Thursday 12 April 2007 06:14, Fernando André wrote:
Citando Frank Bulk <frnkblk@iname.com>: "but imagine how much work it would save their abuse department in the long run"
I think that Comcast's trouble isn't as much as the affected companies'. I keep the idea that the best is to rate limit incoming connections and a lot of filtering to prevent the spam flood and keep hardware costs low.
Placing the filtering on the user will make the user cry a lot against the ISP, change ISP and keep the problem. They really don't care about their computer.
Agreed - 90-98% of end users could care less about their computer security. No matter who makes them look at the problem, they just "want to chat with aunt {lilly|mary|other} in God knows where" or to "close that business deal in New York". They don't want to bother with ports, IP, firewalls, etc., and I don't think that will change easily. And as said previously, the person will ignore their ISP and cancel and move to another SP if the ISP hassles them with blocking their email, stopping certain apps, etc. This isn't only a spam problem. It's also a problem with personal machines getting botnetted, virus'd, trojan'd over and over and over again. Why? There's simply no end-user accountability.
By using rate limit on incoming connections a lot of dynamic addresses are blocked.
"Additionally, upper management gives or takes away manpower many times without the understanding of what 'should' be done to be a good netizen and this defines how much effort can be spent on fixing the problems."
This is the biggest problem: "upper management" really doesn't care and the time to use on these problems is not accounted.
Agreed again - Upper management business-types that are not involved in the actual operations of their businesses are most of the time not clueful enough to realize the problems, no matter how many times people explain it to them; they simply only see whether it's making them money.
So controlling the number of messages that leave your SMTP server is a solution and the PBL from Spamhaus is a good thing! SPF is also good but will lead to complaints (tough).
Blocking TCP destination port 25 to outside the network might work well on small ISPs without a competing ISP; on big ones I doubt it.
------------------------------------------------------------ Fernando Ribeiro ------------------------------------------------------------
---------------------------------------------------------------- http://www.tvtel.pt - Tvtel Comunicações S.A.
Last post for me on this thread...

Dirty Networking 101

So the other morning I found a contact for a company who'll for now remain unnamed; this contact is on this group. Sent them yet another message (3 this week):

<new message>
To whom it may concern,

One of my servers has been heavily under attack for the past 24 hours from your IP space. There were 10726 attempts to log into my VoIP server within the last 24 hours. Please sanitize this machine from your network. Attached is the logfile.
</new message>

10726 attacks in a variety of forms. Why should I NOT ban this network and its clients from reaching my networks? Can someone please help me understand the logic of being called something akin to a crybaby, spoiled sport, unfair admin since I am now going to block their /17?

On to semi-relevant news... For those who care:

Support Intelligence analyzed 22,000 ASNs for every kind of eCrime including DDoS, Scanning, hosting Malware, sending Spam, hosting a phish, or transmitting viruses ... 17 of the 100 networks listed are from ARIN. Six of the seventeen are from Time Warner. 5 are from Comcast, 2 are from Charter.

http://blog.support-intelligence.com/2007/04/doa-week-14-2007.html

That's their record. I now have 52 hosts dumping out syslog records and can name about 30+ networks of which some of the engineers from them are on this list. So what is there left to do when points of contact fail miserably? Maybe I will take a crack at writing a document based on the amount of waste, whether it's bandwidth, time or money, in blocking venomous hosts from my subnets. Costs, benefits, experience, pros, cons.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government. John Adams
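The post above describes the defender's side of the loop: syslog from the VoIP server, attempts counted per source network, a notice to that network's abuse contact with the log attached. Here is that aggregation as an added example; it is not J. Oquendo's script or any product's log format. The `sipd` line shape, the sample log, the netblock-to-contact registry (documentation ranges, `.invalid` contacts) and the 2007 year assumed for syslog timestamps are all constructed, and the reporting threshold of 5 attempts is an arbitrary assumption.

```python
"""Aggregate authentication-failure syslog lines into a per-network abuse report.

Added example; the log format, the lines and the contact registry are all
constructed (documentation address ranges, .invalid contacts)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed line shape for a generic SIP daemon; not Asterisk's or any product's real format.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sipd\[\d+\]: auth failure for user=(?P<user>\S+) from=(?P<ip>[\d.]+)$")

# Constructed registry of netblocks to abuse contacts (in practice, maintained from WHOIS).
ABUSE_CONTACTS = {
    ipaddress.ip_network("192.0.2.0/24"): "abuse@isp-a.invalid",
    ipaddress.ip_network("198.51.100.0/24"): "abuse@isp-b.invalid",
}

# Constructed syslog excerpt: 8 failures from ISP A (two hosts), 3 from ISP B,
# 1 from an unregistered block, plus one unrelated line that must be skipped.
SAMPLE_LOG = """\
Apr 12 03:14:01 voip1 sipd[1234]: auth failure for user=100 from=192.0.2.45
Apr 12 03:14:02 voip1 sipd[1234]: auth failure for user=101 from=192.0.2.45
Apr 12 03:14:03 voip1 sipd[1234]: auth failure for user=102 from=192.0.2.45
Apr 12 03:14:04 voip1 sipd[1234]: auth failure for user=103 from=192.0.2.45
Apr 12 03:14:05 voip1 sipd[1234]: auth failure for user=104 from=192.0.2.45
Apr 12 03:14:06 voip1 sipd[1234]: auth failure for user=105 from=192.0.2.45
Apr 12 03:15:10 voip1 sipd[1234]: auth failure for user=100 from=192.0.2.46
Apr 12 03:15:11 voip1 sipd[1234]: auth failure for user=100 from=192.0.2.46
Apr 12 03:20:00 voip1 sipd[1234]: registered user=200 from=198.51.100.20
Apr 12 03:21:30 voip1 sipd[1234]: auth failure for user=200 from=198.51.100.9
Apr 12 03:21:31 voip1 sipd[1234]: auth failure for user=201 from=198.51.100.9
Apr 12 03:21:32 voip1 sipd[1234]: auth failure for user=202 from=198.51.100.9
Apr 12 04:00:00 voip1 sipd[1234]: auth failure for user=300 from=203.0.113.77
"""


def parse(lines, year=2007):
    """Yield (timestamp, host, user, source IP); syslog carries no year, so one is assumed."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # successful registrations and other daemon output are not abuse
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["user"], ipaddress.ip_address(m["ip"])


def contact_for(ip):
    """Longest-prefix match into the registry; 'unknown' when no block covers the IP."""
    best = None
    for net, contact in ABUSE_CONTACTS.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else "unknown"


def aggregate(lines, year=2007):
    """Per-contact totals: attempts, distinct sources, usernames tried, first/last seen."""
    report = defaultdict(lambda: {"attempts": 0, "sources": set(), "users": set(),
                                  "first": None, "last": None})
    for ts, _host, user, ip in parse(lines, year):
        entry = report[contact_for(ip)]
        entry["attempts"] += 1
        entry["sources"].add(str(ip))
        entry["users"].add(user)
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(report)


def worth_reporting(lines, threshold=5, year=2007):
    """(contact, attempts) for networks at or above the threshold, most attempts first."""
    agg = aggregate(lines, year)
    return sorted(((c, e["attempts"]) for c, e in agg.items() if e["attempts"] >= threshold),
                  key=lambda pair: -pair[1])


def format_notice(contact, entry):
    """The body of the message an abuse desk would get, with the figures filled in."""
    return (f"To: {contact}\n"
            f"{entry['attempts']} failed VoIP logins from {len(entry['sources'])} host(s) "
            f"in your space between {entry['first']:%Y-%m-%d %H:%M:%S} and "
            f"{entry['last']:%Y-%m-%d %H:%M:%S}; sources: "
            f"{', '.join(sorted(entry['sources']))}. Log excerpt attached.")


if __name__ == "__main__":
    totals = aggregate(SAMPLE_LOG.splitlines())
    for contact, _n in worth_reporting(SAMPLE_LOG.splitlines()):
        print(format_notice(contact, totals[contact]))
        print()
```

Keying the totals on the abuse contact rather than on the raw source IP is what turns 10726 lines into a handful of notices, and keeping first/last seen and the distinct source list in the same record gives the recipient enough to find the host without the full attachment. The "unknown" bucket is worth printing too: it is the list of blocks whose contact you still have to look up.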
Anybody from AOL on this list? Could you please send me an email offlist? I need some help. Thanks. Vish
Anybody from AOL on this list? Could you please send me an email offlist? I need some help.
Have you pursued every avenue of contact listed at: <http://postmaster.info.aol.com/>? I've found them to be GENERALLY pretty responsive on those channels, as have many others.

--chuck
I found the following website to be very helpful when dealing with AOL email issues: http://postmaster.info.aol.com/

Hope that helps,
Adam Stasiniewicz

________________________________
From: owner-nanog@merit.edu on behalf of Vish Yelsangikar
Sent: Fri 4/13/2007 1:16 PM
To: NANOG list
Subject: AOL Postmaster?

Anybody from AOL on this list? Could you please send me an email offlist? I need some help. Thanks. Vish
participants (9)
- chuck goolsbee
- Fernando André
- Frank Bulk
- J. Oquendo
- Kradorex Xeron
- Leigh Porter
- Mikael Abrahamsson
- Stasiniewicz, Adam
- Vish Yelsangikar