Port 25 filters - how many here deploy them bidirectionally?
.. and if it has been tried, have you noticed any issues with this?

Please consider the situation of net abuse with the source address being an infected PC on a dialup pool that has port 25 filtering enabled. The sequence below is summarized from a post by an ISP admin on another list that I read.

1) SYN - Worm emails / spam goes out from another provider, with the source address spoofed to be the IP of a trojaned PC
2) ACK - Receiving network sends an ACK back to the forged source IP, and the trojan on that IP proxies this back to the actual spam source.
3) SYNACK - sent by the actual spam source to your network.

Applying port 25 filters both ways (inbound and outbound to your dialup pool, instead of just outbound port 25 filtering) would help in such a situation.

So, a quick poll .. how many ISPs here have noticed this behavior, and applied bidirectional filters? And if they've applied port 25 filters bidirectionally, have they noticed any problems with this setup?

This ISP's post is only the second I've seen noting such behavior in a few months, the first being a nanog post in Aug 2004 by Hank Nussbacher - http://www.cctec.com/maillists/nanog/current/msg03171.html

Two posts about this in several months - but still, enough of a trend for me to wonder how widespread this behavior is.

--srs
--
Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh Ramasubramanian wrote:
.. and if it has been tried, have you noticed any issues with this?
We have been doing bidirectional port 25 filtering for some time now. We have not seen this behavior, nor anything like it.

-snip-
Two posts about this in several months - but still, enough of a trend for me to wonder how widespread this behavior is.
If it works, it will become very widespread before long. This may or may not be related, but we have seen a sharp decline in spam attempts from our dial up pool since Sept 2004.

Bob Martin
Sunday, January 9, 2005, 4:17:27 PM, Bob Martin wrote:
This may or may not be related, but we have seen a sharp decline in spam attempts from our dial up pool since Sept 2004.
Interesting. With the spam on the increase, do you think spammers are 'ignoring' your customer base? Or are there other factors involved?

--
Best regards,
Subhi S Hashwa mailto:subhi@thebigboss.com
When everything is heading your way, you're in the wrong lane.
We really don't know what to make of it. Either the spammers have modified their code so that they don't waste their time trying to spew from blocked machines, or we've been very lucky of late. I hope it's the former, but suspect it's the latter.

Bob

Subhi S Hashwa wrote:
Sunday, January 9, 2005, 4:17:27 PM, Bob Martin wrote:
This may or may not be related, but we have seen a sharp decline in spam attempts from our dial up pool since Sept 2004.
Interesting. With the spam on the increase, do you think spammers are 'ignoring' your customer base? Or are there other factors involved?
After this post, we did some real digging. The timing of the ever lower levels of spew from our dial up pool coincides with the blocking of the MS NetBios ports, and the implementation of full outbound email scanning (both AV and spam). By full scanning, I mean we treat all email as untrusted, regardless of where it originates. We've evidently made it harder to turn the boxen into zombies, and time and entropy have started to clean up the ones that were there.

b

Bob Martin wrote:
We really don't know what to make of it.
Either the spammers have modified their code so that they don't waste their time trying to spew from blocked machines, or we've been very lucky of late.
I hope it's the former, but suspect it's the latter.
Bob
Subhi S Hashwa wrote:
Sunday, January 9, 2005, 4:17:27 PM, Bob Martin wrote:
This may or may not be related, but we have seen a sharp decline in spam attempts from our dial up pool since Sept 2004.
Interesting. With the spam on the increase, do you think spammers are 'ignoring' your customer base? Or are there other factors involved?
On Sun, 9 Jan 2005, Suresh Ramasubramanian wrote:
.. and if it has been tried, have you noticed any issues with this?
Please consider the situation of net abuse with the source address being an infected PC on a dialup pool that has port 25 filtering enabled.
...description of 'fantasy mail' removed...
So, a quick poll .. how many ISPs here have noticed this behavior, and applied bidirectional filters? And if they've applied port 25 filters bidirectionally, have they noticed any problems with this setup?
I believe reseller contracts have included this for over 2 years now; John StClair's efforts to get these in place are the primary reason they exist for our customers.
This ISP's post is only the second I've seen noting such behavior in a few months, the first being a nanog post in Aug 2004 by Hank Nussbacher - http://www.cctec.com/maillists/nanog/current/msg03171.html
We'd first seen this behaviour over 2 years ago... quite a bit actually over that time as the filters had been put into place.

-Chris
Please consider the situation of net abuse with the source address being an infected PC on a dialup pool that has port 25 filtering enabled. [ triangular routing ]
Back when Ernesto Haberli was active, this was his trademark technique. He'd burn through large numbers of dialup accounts, but hide the address of his high-speed connection. At the time he left the business a few years ago it worked pretty well and I gather he left because he'd run out of high speed ISPs to sign up with. I'd be interested to know if triangular routing is used by particular people now, or is it just another trick thrown into the mix along with zombie proxies and such.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
http://www.taugh.com
On Jan 9, 2005, at 12:20 PM, John Levine wrote:
Please consider the situation of net abuse with the source address being an infected PC on a dialup pool that has port 25 filtering enabled. [ triangular routing ]
Back when Ernesto Haberli was active, this was his trademark technique. He'd burn through large numbers of dialup accounts, but hide the address of his high-speed connection.
At the time he left the business a few years ago it worked pretty well and I gather he left because he'd run out of high speed ISPs to sign up with. I'd be interested to know if triangular routing is used by particular people now, or is it just another trick thrown into the mix along with zombie proxies and such.
Imagine all those "high speed ISPs" who would never have been burned if they just followed BCPs and source filtered their customer base. Especially since broadband ISPs should be able to source filter more easily than anyone, having fewer "issues" like multi-homed customers. (Ignoring the discussion of whether that is really an issue or not.) But hey, who wants to actually make the network work better these days anyway?

--
TTFN,
patrick
On Sun, 9 Jan 2005, Suresh Ramasubramanian wrote:
So, a quick poll .. how many ISPs here have noticed this behavior, and applied bidirectional filters? And if they've applied port 25 filters bidirectionally, have they noticed any problems with this setup?
Have you looked at the following :-)

http://www.outblaze.com/main.php?id=antispam&page=anti_infoadmin
On Sun, 9 Jan 2005 14:51:31 -0500 (EST), Sean Donelan <sean@donelan.com> wrote:
On Sun, 9 Jan 2005, Suresh Ramasubramanian wrote:
So, a quick poll .. how many ISPs here have noticed this behavior, and applied bidirectional filters? And if they've applied port 25 filters bidirectionally, have they noticed any problems with this setup?
Have you looked at the following :-)
http://www.outblaze.com/main.php?id=antispam&page=anti_infoadmin
I wrote some part of that doc (though the part about filtering you quoted seems to have been written by a colleague) - you'll find docs all over the 'net that have a lot more detail. Finding out how many ISPs are doing this is a rather different thing from finding out how many docs out there are recommending it. Especially as I'm seeing a marked uptick in this sort of behavior, from ISPs that I thought normally do filter port 25.

As John points out earlier there were cases of specific people doing this, though now I think we're seeing trojans do it - a rather more dangerous development.

--srs
--
Suresh Ramasubramanian (ops.lists@gmail.com)
On Sun, 9 Jan 2005, Suresh Ramasubramanian wrote:
Applying port 25 filters both ways (inbound and outbound to your dialup pool, instead of just outbound port 25 filtering) would help in such a situation.
It's good to clarify that this "bidirectional" filtering does not mean filtering inbound to port 25 on the dialup box, but rather filtering inbound *FROM* port 25 to the dialup box on any port (after all, you want to block the 3WHS SYNACK and the subsequent in-stream ACKs). This is a common, but critical, mistake.

--
-- Todd Vierling <tv@duh.org> <tv@pobox.com>
On Sun, Jan 09, 2005 at 07:55:17PM +0530, Suresh Ramasubramanian wrote:
1) SYN - Worm emails / spam goes out from another provider, with the source address spoofed to be the IP of a trojaned PC
2) ACK - Receiving network sends an ACK back to the forged source IP, and the trojan on that IP proxies this back to the actual spam source.
3) SYNACK - sent by the actual spam source to your network.
Only if you are only filtering SYNs. If you block ALL port 25 traffic, this won't work.
Applying port 25 filters both ways (inbound and outbound to your dialup pool, instead of just outbound port 25 filtering) would help in such a situation.
Inbound 25 filtering has nothing to do with the situation listed above. Or are you using inbound and outbound to refer to packet flow on the interface rather than session flow? Must be confusing Cisco terms with actual networking again ;-)

--
Joe Rhett
Senior Geek
Meer.net
On Tue, 11 Jan 2005, Joe Rhett wrote:
Applying port 25 filters both ways (inbound and outbound to your dialup pool, instead of just outbound port 25 filtering) would help in such a situation.
Inbound 25 filtering has nothing to do with the situation listed above.
No, but inbound filtering *from* port 25 (to any port) does address the problem, as I mentioned earlier in this thread.

--
-- Todd Vierling <tv@duh.org> <tv@pobox.com>
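To make the distinction Todd Vierling draws concrete, here is an added example (not from any poster in this thread) that models a stateless ACL on a dialup-pool interface in Python and runs the exchange Suresh summarized through three filter policies: outbound-to-25 only, the "common mistake" of adding inbound-to-25, and the inbound-from-25 rule Todd describes. It also checks that the correct policy still passes ordinary customer traffic and that direct spew from the dialup host is stopped in every case, which is the point Joe Rhett makes about blocking all port 25 traffic. All addresses and ports are constructed (RFC 5737 documentation ranges); `Packet`, `POLICIES` and `evaluate` are names chosen for this example.

```python
"""Simulate a stateless ACL on an ISP's dialup-pool interface.

Direction is taken from the pool's point of view: "out" is a packet
leaving a dialup customer toward the Internet, "in" is a packet headed
toward a dialup customer.  Each rule returns True when the packet must
be dropped.  Constructed example, not an ISP's real configuration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" or "in", relative to the dialup pool
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str      # TCP flags, e.g. "S", "SA", "A", "PA"


Rule = Callable[[Packet], bool]


def out_to_25(p: Packet) -> bool:
    """Classic outbound filter: customer connecting to a remote MX."""
    return p.direction == "out" and p.dst_port == 25


def in_to_25(p: Packet) -> bool:
    """The common mistake: blocks connections TO port 25 on the dialup box."""
    return p.direction == "in" and p.dst_port == 25


def in_from_25(p: Packet) -> bool:
    """Todd's correction: blocks packets FROM port 25 toward the dialup box."""
    return p.direction == "in" and p.src_port == 25


POLICIES: Dict[str, List[Rule]] = {
    "outbound dst 25 only": [out_to_25],
    "outbound dst 25 + inbound dst 25 (common mistake)": [out_to_25, in_to_25],
    "outbound dst 25 + inbound src 25 (Todd's correction)": [out_to_25, in_from_25],
}

# Constructed addresses from the RFC 5737 documentation ranges.
DIALUP = "198.51.100.23"     # trojaned host in our dialup pool
VICTIM_MX = "203.0.113.25"   # receiving network's mail exchanger
WEB_SERVER = "192.0.2.80"    # an unrelated web site the customer visits

# The triangular-routing exchange as seen on OUR interface.  The spoofed SYN
# leaves from another provider and never crosses our filter; what we see is the
# victim MX answering our customer's address from source port 25, which the
# trojan then relays to the real spam source.
TRIANGULAR_EXCHANGE: List[Packet] = [
    Packet("in", VICTIM_MX, 25, DIALUP, 40123, "SA"),  # 3WHS SYN-ACK from the MX
    Packet("in", VICTIM_MX, 25, DIALUP, 40123, "A"),   # in-stream ACK from the MX
    Packet("in", VICTIM_MX, 25, DIALUP, 40123, "PA"),  # SMTP banner / responses
]

# Direct spew: the trojaned host itself connecting to the MX.
DIRECT_SPEW = Packet("out", DIALUP, 40999, VICTIM_MX, 25, "S")

# Ordinary customer traffic that none of the policies may break.
LEGIT: List[Packet] = [
    Packet("out", DIALUP, 40555, WEB_SERVER, 80, "S"),
    Packet("in", WEB_SERVER, 80, DIALUP, 40555, "SA"),
]


def is_dropped(rules: List[Rule], p: Packet) -> bool:
    return any(rule(p) for rule in rules)


def evaluate(policy_name: str) -> Tuple[bool, bool, bool]:
    """Return (relay_blocked, direct_spew_blocked, legit_broken) for a policy."""
    rules = POLICIES[policy_name]
    relay_blocked = all(is_dropped(rules, p) for p in TRIANGULAR_EXCHANGE)
    direct_spew_blocked = is_dropped(rules, DIRECT_SPEW)
    legit_broken = any(is_dropped(rules, p) for p in LEGIT)
    return relay_blocked, direct_spew_blocked, legit_broken


if __name__ == "__main__":
    for name in POLICIES:
        relay, direct, broken = evaluate(name)
        print(f"{name}\n  stops triangular relay: {relay}"
              f"\n  stops direct spew: {direct}\n  breaks legit traffic: {broken}")
```

Only the third policy stops the SYN-ACK and in-stream ACKs because they arrive with source port 25 and an ephemeral destination port, so matching on destination port 25 in the inbound direction never fires on them. A stateful firewall that drops unsolicited inbound packets would reach the same result, but dialup pools of that era were typically filtered with stateless ACLs, which is why the direction of the port match matters.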
participants (9)
- Bob Martin
- Christopher L. Morrow
- Joe Rhett
- John Levine
- Patrick W Gilmore
- Sean Donelan
- Subhi S Hashwa
- Suresh Ramasubramanian
- Todd Vierling