while i'm on the subject of filtering, here's today's list of spammers
if you're listed and think you shouldn't be, give me a call (you can't send me mail). and yes, these same thieves are also prevented from reaching the F.ROOT-SERVERS.NET host, but lack of reachability to one NS doesn't break their service.

why in the world are we discussing this on NANOG?

# general spam
204.141.123 masklen 24 interface lo0 reject; # Cybernex
208.1.117 masklen 24 interface lo0 reject; # Intgrtd Med. Promtns
208.8.32 masklen 24 interface lo0 reject; # Idea Concepts
207.76.82 masklen 24 interface lo0 reject; # hardchannel
206.222.107.192 masklen 29 interface lo0 reject; # telysis
207.86.199 masklen 24 interface lo0 reject; # onlinebiz / covesoft
207.217.56.116 masklen 32 interface lo0 reject; # mailloop.com
38.220.191 masklen 24 interface lo0 reject; # quantumcom
205.136.220.60 masklen 32 interface lo0 reject; # shadowgrp (IDCI)
204.183.199.231 masklen 32 interface lo0 reject; # xshadowx (uServe?)
# softcell spam
199.250.187.72 masklen 32 interface lo0 reject; # www CNAME/A
# cyberpromo spam
207.120.161.73 masklen 32 interface lo0 reject; # www.cpmall.com
207.124.161 masklen 24 interface lo0 reject; # NS8, NS9 (IDCI)
205.199.212 masklen 24 interface lo0 reject; # NS5 (AGIS)
208.5.0.0 masklen 20 interface lo0 reject; # NS10 (Crawford)
206.27.86.210 masklen 32 interface lo0 reject; # NS7 (ACUN)

On Tue, 18 Feb 1997, Paul A Vixie wrote:
if you're listed and think you shouldn't be, give me a call (you can't send me mail). and yes, these same thieves are also prevented from reaching the F.ROOT-SERVERS.NET host, but lack of reachability to one NS doesn't break their service.
It's still childish and unfair. And if everyone does this, then sooner or later someone's going to get blocked because they said something nasty about the root server operator's mother or something equally trite. I don't want to cry "free speech" but it will eventually become that kind of issue.

I also fail to see how blocking them from one server restricts spammers in any way. Explain that one to me.
why in the world are we discussing this on NANOG?
I've no idea. Perhaps you should have sent it to the individuals who are blocked instead (esp. considering most of them probably don't subscribe), or just not at all.

I don't really care about spam domains, unless they spam me - in which case I procmail them into oblivion and that's that.

This "fight spam" campaign is only serving to reinforce the belief that mass marketing via the net is working. If everyone just ignored the mail, the problem would go away.

shag

Judd Bourgeois           PGP key ID 0xEDC21CA1
shagboy@world.std.com    25DDE4AF C5AFEF51 6905DC77 360F0387
To all my friends - It's not the end
The earth has not swallowed me yet - 311, "Freak Out"

if you're listed and think you shouldn't be, give me a call (you can't send me mail). and yes, these same thieves are also prevented from reaching the F.ROOT-SERVERS.NET host, but lack of reachability to one NS doesn't break their service.
It's still childish and unfair. And if everyone does this, then sooner or later someone's going to get blocked because they said something nasty about the root server operator's mother or something equally trite. I don't want to cry "free speech" but it will eventually become that kind of issue.
The people who have signed up to receive my blackhole feed in real time all pretty much trust me to restrict my additions to things which violate the cooperative economics underlying the 'net. I take it that you weren't at the San Francisco NANOG so you didn't get to hear my talk on this subject.

I will not have network resources I pay for, used to spam me, or to spam others. I have the right of use and/or disposal of my own property. People who spam are committing "theft of service" and my IP reachability matrix is better off without such people in it.
I also fail to see how blocking them from one server restricts spammers in any way. Explain that one to me.
It's not one server. It's all of the folks who have signed up to receive my real time BGP4 feed. There are two continentwide ISPs so far, hopefully with more to come. (There are also smaller folks who by and large just want the feed to protect their own servers rather than their transit customers, but that's fine by me.)
why in the world are we discussing this on NANOG?
I've no idea. Perhaps you should have sent it to the individuals who are blocked instead (esp. considering most of them probably don't subscribe), or just not at all.
I can't reach them directly, relaying through the NANOG listserv is the best way to let folks know that they're in the black hole. Three people removed their spammer customers and asked me to remove them from the list last time I published it, so my real plan -- that of provider education -- is working.
I don't really care about spam domains, unless they spam me - in which case I procmail them into oblivion and that's that.
No, it isn't. You have guests and other users. If you have IP customers, then they have guests and other online users. By accepting spam you allow your resources (which you offer for cooperative reasons) to be used in a noncooperative way. If you have downstream customers you are subjecting them to the same abuse.

Filtering by domain names doesn't work. Filtering by email source address doesn't work. Complaining, by itself, doesn't work. Asking to be removed from the spammer's spam list VERY DEFINITELY doesn't work.

Removing people from the cooperative portion of the Internet works fine.
This "fight spam" campaign is only serving to reinforce the belief that mass marketing via the net is working. If everyone just ignored the mail, the problem would go away.
If those of us who "fight spam" laid back and did nothing, you and every other online Internet user would be getting ten spams an hour by this time. It took a legal judgement against Sanford Wallace to get him to stop spamming all of AOL and Compuserve. Jeff Slaton finds it hard to get a new internet connection every time he soils a new nest.

The Green Card Lawyers are out of business, they made a little money on the book but not from advertising. "Krazy Kevin" was investigated by the U.S. Postal inspectors and I haven't seen a magazine scam for a few months now.

I won't stop until it's socially unacceptable. When 800 phone sex people move offshore I block entire Pacific islands until they lose even those connections.

The BGP peerage pressures are trending the Internet toward settlements, which is not a cooperative economic system. In such a system it will be hard as nails to get a new ISP started since the people you want to peer with won't want you as anything but a customer. However, the one side benefit will be that spamming will cost as much, or more, than postal system advertising. I would like to solve the problem with social pressure, but sooner or later it will be solved by making a new noncooperative economic underpinning.

Here's TODAY's list of spammers:

# general spam
204.141.123 masklen 24 interface lo0 reject; # Cybernex
208.1.117 masklen 24 interface lo0 reject; # Intgrtd Med. Promtns
208.8.32 masklen 24 interface lo0 reject; # Idea Concepts
207.76.82 masklen 24 interface lo0 reject; # hardchannel
206.222.107.192 masklen 29 interface lo0 reject; # telysis
207.217.56.116 masklen 32 interface lo0 reject; # mailloop.com
38.220.191 masklen 24 interface lo0 reject; # quantumcom
205.136.220.60 masklen 32 interface lo0 reject; # shadowgrp (IDCI)
204.183.199.231 masklen 32 interface lo0 reject; # xshadowx (uServe?)
# cyberpromo spam
207.120.161.73 masklen 32 interface lo0 reject; # www.cpmall.com
207.124.161 masklen 24 interface lo0 reject; # NS8, NS9 (IDCI)
205.199.212 masklen 24 interface lo0 reject; # NS5 (AGIS)
208.5.0.0 masklen 20 interface lo0 reject; # NS10 (Crawford)
206.27.86.210 masklen 32 interface lo0 reject; # NS7 (ACUN)

Filtering by domain names doesn't work. Filtering by email source address doesn't work. Complaining, by itself, doesn't work. Asking to be removed from the spammer's spam list VERY DEFINITELY doesn't work.
Filtering by connection to the SMTP port, based on source address, very definitely DOES work.
Removing people from the cooperative portion of the Internet works fine.
Overbroad and unnecessary.
If those of us who "fight spam" laid back and did nothing, you and every other online Internet user would be getting ten spams an hour by this time. It took a legal judgement against Sanford Wallace to get him to stop spamming all of AOL and Compuserve. Jeff Slaton finds it hard to get a new internet connection every time he soils a new nest.
And again, unnecessary and overbroad. Filtering at the SMTP receiver port is perfectly fine, it works, and it doesn't prevent other traffic.
The BGP peerage pressures are trending the Internet toward settlements, which is not a cooperative economic system. In such a system it will be hard as nails to get a new ISP started since the people you want to peer with won't want you as anything but a customer. However, the one side benefit will be that spamming will cost as much, or more, than postal system advertising. I would like to solve the problem with social pressure, but sooner or later it will be solved by making a new noncooperative economic underpinning.
CIDR and provider-based network numbering has already done that Paul, unless you like being tied to your upstream provider in perpetuity.

Or, in the other case, you only like selling dynamic dial-up with no permanent addresses mapped to DNS names *anywhere* on your network or those of your customers. Those ISPs *ARE* a dying breed, if they're not already dead.

Wholesale filtering sets an ugly precedent. If someone was sending SYN packets with random port numbers it would be one thing (and the only effective thing that could be done) but in this particular case it is neither necessary NOR, in my opinion, appropriate for a network which operates a *PUBLIC* resource.

You speak of cooperative models on one hand, yet don't support those on the other (e.g. eDNS). The truth is evident when you start erecting full-blown packet filters, which are unnecessary, as a response to a personal affront.

It took me 30 seconds to add Earthlink's POPs to my SPAM-blocker SMTP port reject list this morning. That has a near-zero impact on legitimate email delivery, but it stops cold any attempt to relay spam through our mailservers.

That's a point-source response to the problem Paul. Try it on sometime.

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax: [+1 312 803-4929]       | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

Filtering by connection to the SMTP port, based on source address, very definitely DOES work.
Filtering packets based on source address makes Ciscos go way slow on every packet. Filtering based on destination address makes Ciscos go very fast on most packets and a little slower on SYN-ACKs.
Removing people from the cooperative portion of the Internet works fine.
Overbroad and unnecessary.
Sez you. I'd ordinarily expect you to love the idea of "if you don't play by my rules I will start my own Internet without you on it."
And again, unnecessary and overbroad. Filtering at the SMTP receiver port is perfectly fine, it works, and it doesn't prevent other traffic.
And, again, wrong. I want spammers to spend 75 seconds of TCP PCB time on me. By blackholing SYN-ACKs and not sending them ICMPs, they lose capacity that they could otherwise spend spamming other people. I call this "fighting dirty."
Wholesale filtering sets an ugly precedent. If someone was sending SYN packets with random port numbers it would be one thing (and the only effective thing that could be done) but in this particular case it is neither necessary NOR, in my opinion, appropriate for a network which operates a *PUBLIC* resource.
I operate a cooperative resource. I will not have it used against me. This is not negotiable. I pay for my part of the Internet and anyone who wants their traffic to traverse it has to make sure that I derive similar value, in the aggregate, to theirs when they send me traffic. If I buy something on a web site, buyer and seller both profit and I'm fine with that. But spamming uses my links, routers, disk drives and real human time -- 100% of the benefit accrues to the spammer, 0% to me.
You speak of cooperative models on one hand, yet don't support those on the other (e.g. eDNS). The truth is evident when you start erecting full-blown packet filters, which are unnecessary, as a response to a personal affront.
Actually it's not personal, it's economic. eDNS is piracy. Very different.
It took me 30 seconds to add Earthlink's POPs to my SPAM-blocker SMTP port reject list this morning. That has a near-zero impact on legitimate email delivery, but it stops cold any attempt to relay spam through our mailservers.
Yes, but now that I've got the eBGP feed working I'm starting to do real time spam reporting/detection that will cause third party unintended relays to be disabled while a spammer is still trying to use them. Not everyone wants to spend that 30 seconds, and if we don't make spamming even less profitable than it is now, you'll be spending that 30 seconds 15 times per hour, 24x7.
That's a point-source response to the problem Paul. Try it on sometime.
I prefer http://www.sendmail.org/antispam/ as far as that goes. But the problem isn't limited to a point, there are a LOT of people who want the same protection I work so hard to give myself, and I am donating that protection to anyone who wants it.
Filtering by connection to the SMTP port, based on source address, very definitely DOES work.
Filtering packets based on source address makes Ciscos go way slow on every packet. Filtering based on destination address makes Ciscos go very fast on most packets and a little slower on SYN-ACKs.
Filtering at the SMTP SERVER LEVEL has no impact on CISCOs at all!

It's also trivial. The current 8.8.x Sendmail code has provisions for it already in the code. The hooks take about 20 seconds to install, and one line to edit in a file to update. The impact on SMTP connection isn't even measurable for those who don't trip it, and for those who do, you can even return a rude message -- or a 421 error, which keeps the spam at the source (loading the spammer's mailserver -- a GOOD thing!)
And again, unnecessary and overbroad. Filtering at the SMTP receiver port is perfectly fine, it works, and it doesn't prevent other traffic.
And, again, wrong. I want spammers to spend 75 seconds of TCP PCB time on me. By blackholing SYN-ACKs and not sending them ICMPs, they lose capacity that they could otherwise spend spamming other people. I call this "fighting dirty."
Again, wrong Paul. Sending back 421s to the spammers forces them to waste not only the connection time, but the scan time on their disks. If lots of people do it they back up thousands of email messages, and THAT breaks their mail servers. This is a very good thing. It's even uglier than the 75 seconds, in that it's cumulative and probably keeps that nice message on their disks (where it eats resolver resources, storage, and useless attempts at delivery) for up to five days.

Much more elegant, in my opinion.
I operate a cooperative resource. I will not have it used against me. This is not negotiable. I pay for my part of the Internet and anyone who wants their traffic to traverse it has to make sure that I derive similar value, in the aggregate, to theirs when they send me traffic.
No argument -- as long as a public root server isn't there. If it wasn't I'd be SUPPORTING your black-hole list. But it is, and as such I'm not.
Actually it's not personal, it's economic. eDNS is piracy. Very different.
Riiiight...
Yes, but now that I've got the eBGP feed working I'm starting to do real time spam reporting/detection that will cause third party unintended relays to be disabled while a spammer is still trying to use them. Not everyone wants to spend that 30 seconds, and if we don't make spamming even less profitable than it is now, you'll be spending that 30 seconds 15 times per hour, 24x7.
Nonsense. Why not distribute the "block the SMTP port" list instead?
That's a point-source response to the problem Paul. Try it on sometime.
I prefer http://www.sendmail.org/antispam/ as far as that goes. But the problem isn't limited to a point, there are a LOT of people who want the same protection I work so hard to give myself, and I am donating that protection to anyone who wants it.
The point is, you can do that, hurt the spammers even more, and still find ways to distribute the file (it IS only a flat file Paul) on an automated basis, rapidly, if you want.

AND, you don't cut off a non-related resource (a root nameserver) in the process.

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax: [+1 312 803-4929]       | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

Warning: there is actual technical content contained herein. If you joined NANOG just to hear endless nontechnical drivel, do not read this message.
Again, wrong Paul. Sending back 421s to the spammers forces them to waste not only the connection time, but the scan time on their disks. If lots of people do it they back up thousands of email messages, and THAT breaks their mail servers. This is a very good thing. It's even uglier than the 75 seconds, in that it's cumulative and probably keeps that nice message on their disks (where it eats resolver resources, storage, and useless attempts at delivery) for up to five days.
Much more elegant, in my opinion.
I don't think so. I remember the 421 discussion but the problem is that it's too easy for a spammer to reprogram their sending agent to treat it as a 500. With a lack of SYN-ACK all they can do is turn down their TCP connect timers, and if they turn them down low enough to avoid being hurt by my blackhole list then they will also give up on a large number of valid recipients -- we all win either way.
No argument -- as long as a public root server isn't there. If it wasn't I'd be SUPPORTING your black-hole list. But it is, and as such I'm not.
I had no idea this would be anyone's position. So be it. I'll put up an internal firewall to segregate F onto a blackhole-free subnet. This will take a week or so due to other time commitments.
Nonsense. Why not distribute the "block the SMTP port" list instead?
Because every Sendmail relay or end host would have to upgrade, and some sites run NT without Sendmail and they depend on vendors to do the updates. BGP relies on an existing infrastructure and it just works today, right now.
The point is, you can do that, hurt the spammers even more, and still find ways to distribute the file (it IS only a flat file Paul) on an automated basis, rapidly, if you want.
if (strncmp(response, "421", 3) == 0) strncpy(response, "501", 3);
AND, you don't cut off a non-related resource (a root nameserver) in the process.
That's a separable issue as you well know. I will separate it shortly. Can I expect a request from MCS for the blackhole feed in the next few weeks?
On Wed, 19 Feb 1997, Karl Denninger wrote:
Yes, but now that I've got the eBGP feed working I'm starting to do real time spam reporting/detection that will cause third party unintended relays to be disabled while a spammer is still trying to use them. Not everyone wants to spend that 30 seconds, and if we don't make spamming even less profitable than it is now, you'll be spending that 30 seconds 15 times per hour, 24x7.
Nonsense. Why not distribute the "block the SMTP port" list instead?
Anybody who wants to do a little gated hacking can take Paul's eBGP feed and export it to sendmail rather than using it to blackhole the traffic.
The point is, you can do that, hurt the spammers even more, and still find ways to distribute the file (it IS only a flat file Paul) on an automated basis, rapidly, if you want.
It's really the choice of the recipient of the data what they want to do with it. Paul just creates the list, he doesn't force anyone to accept the list or use it in a specific way.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-250-546-3049
http://www.memra.com - E-mail: michael@memra.com

Filtering by connection to the SMTP port, based on source address, very definitely DOES work.
Filtering packets based on source address makes Ciscos go way slow on every packet. Filtering based on destination address makes Ciscos go very fast on most packets and a little slower on SYN-ACKs.
Filtering at the SMTP SERVER LEVEL has no impact on CISCOs at all!
It's also trivial. The current 8.8.x Sendmail code has provisions for it already in the code. The hooks take about 20 seconds to install, and one line to edit in a file to update. The impact on SMTP connection isn't even measurable for those who don't trip it, and for those who do, you can even return a rude message -- or a 421 error, which keeps the spam at the source (loading the spammer's mailserver -- a GOOD thing!)
Karl,

The biggest problem with this is when you have 40 machines doing ESMTP service within a domain, spread around, coordinating changes to the config files on all the servers is a pain in the proverbial buttocks. Having the routers pick up the list of no-no sites automatically means that much more engineering time available for working on more important issues, like maintaining good network connectivity.
I operate a cooperative resource. I will not have it used against me. This is not negotiable. I pay for my part of the Internet and anyone who wants their traffic to traverse it has to make sure that I derive similar value, in the aggregate, to theirs when they send me traffic.
No argument -- as long as a public root server isn't there. If it wasn't I'd be SUPPORTING your black-hole list. But it is, and as such I'm not.
I do see a problem with having a root nameserver on a line that's paid for by Paul; if he becomes less financially solvent, and can no longer afford to pay for his line, that nameserver becomes unreachable. The easy answer is to have the InterNIC fund Paul Vixie's net connection, to make sure that nameserver will always be reachable, and pitch in for a 4700 with a 6-pack ethernet module, and a 4-pack serial module; that way he can separate out private services on separate segments from the public services.
Yes, but now that I've got the eBGP feed working I'm starting to do real time spam reporting/detection that will cause third party unintended relays to be disabled while a spammer is still trying to use them. Not everyone wants to spend that 30 seconds, and if we don't make spamming even less profitable than it is now, you'll be spending that 30 seconds 15 times per hour, 24x7.
Nonsense. Why not distribute the "block the SMTP port" list instead?
BECAUSE IT MEANS HUMANS HAVE TO PUT THE BLOODY THING ON 40 DIFFERENT MACHINES EVERY TIME IT CHANGES! Sorry about shouting, but I'd much prefer a single config change over carrying out repeated tasks on multiple machines that for various reasons can't share filesystems across the net.
Matt Petach
Paul Vixie said:
I operate a cooperative resource. I will not have it used against me. This is not negotiable. I pay for my part of the Internet and anyone who wants their traffic to traverse it has to make sure that I derive similar value, in the aggregate, to theirs when they send me traffic.
Karl Denninger said:
No argument -- as long as a public root server isn't there. If it wasn't I'd be SUPPORTING your black-hole list. But it is, and as such I'm not.
I understand Karl's position on this. But I would point out that there's a long history of public resources (such as root servers) being installed on parts of the net that have acceptable use policies. For example, there used to be root servers that were unable to send packets to sites that had not agreed to the NSFnet AUP.

--apb (Alan Barrett)

On Wed, 19 Feb 1997 19:23:29 -0800 Paul A Vixie <paul@vix.com> wrote:
I prefer http://www.sendmail.org/antispam/ as far as that goes. But the problem isn't limited to a point, there are a LOT of people who want the same protection I work so hard to give myself, and I am donating that protection to anyone who wants it.
Paul, thanks for all the work you are doing on the spamming front. It is appreciated and it does work.

Regards,
Neil.
--
Neil J. McRae. Alive and Kicking. Domino: In the glow of the night.
neil@DOMINO.ORG NetBSD/sparc: 100% SpF (Solaris protection Factor)
Free the daemon in your <A HREF="http://www.NetBSD.ORG/">computer!</A>

I am confused, how would filtering at the smtp port on source address work?

If delivery fails, does not the sender often use MX records and send via an intermediary host?

If so the source address is lost unless all the MX hosts have the same filter list. And in any case I believe that typically sendmail will accept email from anyone for delivery to anyone. So a spammer could scatter his emails all over the Internet thru thousands of intermediate hosts, if he used the right software to do it.

Best Regards,
Robert Laughlin

----------------------------------------------------------------------------
DataXchange sales: 800-863-1550 http://www.dx.net
Network Operations Center: 703-903-7412 -or- 888-903-7412
----------------------------------------------------------------------------

On Wed, 19 Feb 1997, Karl Denninger wrote:
Filtering by domain names doesn't work. Filtering by email source address doesn't work. Complaining, by itself, doesn't work. Asking to be removed from the spammer's spam list VERY DEFINITELY doesn't work.
Filtering by connection to the SMTP port, based on source address, very definitely DOES work.
Removing people from the cooperative portion of the Internet works fine.
Overbroad and unnecessary.
If those of us who "fight spam" laid back and did nothing, you and every other online Internet user would be getting ten spams an hour by this time. It took a legal judgement against Sanford Wallace to get him to stop spamming all of AOL and Compuserve. Jeff Slaton finds it hard to get a new internet connection every time he soils a new nest.
And again, unnecessary and overbroad. Filtering at the SMTP receiver port is perfectly fine, it works, and it doesn't prevent other traffic.
The BGP peerage pressures are trending the Internet toward settlements, which is not a cooperative economic system. In such a system it will be hard as nails to get a new ISP started since the people you want to peer with won't want you as anything but a customer. However, the one side benefit will be that spamming will cost as much, or more, than postal system advertising. I would like to solve the problem with social pressure, but sooner or later it will be solved by making a new noncooperative economic underpinning.
CIDR and provider-based network numbering has already done that Paul, unless you like being tied to your upstream provider in perpetuity.
Or, in the other case, you only like selling dynamic dial-up with no permanent addresses mapped to DNS names *anywhere* on your network or those of your customers. Those ISPs *ARE* a dying breed, if they're not already dead.
Wholesale filtering sets an ugly precedent. If someone was sending SYN packets with random port numbers it would be one thing (and the only effective thing that could be done) but in this particular case it is neither necessary NOR, in my opinion, appropriate for a network which operates a *PUBLIC* resource.
You speak of cooperative models on one hand, yet don't support those on the other (e.g. eDNS). The truth is evident when you start erecting full-blown packet filters, which are unnecessary, as a response to a personal affront.
It took me 30 seconds to add Earthlink's POPs to my SPAM-blocker SMTP port reject list this morning. That has a near-zero impact on legitimate email delivery, but it stops cold any attempt to relay spam through our mailservers.
That's a point-source response to the problem Paul. Try it on sometime.
I am confused, how would filtering at the smtp port on source address work?
What you do is return a 421 error if you don't "like" the source address (this is checked very early on). You can also return a 500-series error, but that generates an immediate bounce, which is "nice" to the spammer. I prefer to be nasty and eat their resources instead.
If delivery fails, does not the sender often use MX records and send via an intermediary host?
Not if you return a 400-series error. The host doing the sending will retry. If you block at the packet level, then yes, the sender will go to a secondary MX *IF* there is one and it can be reached. The 421 response is the best possible one, because it screws the sender, is cheap compute-wise for you, and has the desired effect without causing other disruption.
If so the source address is lost unless all the MX hosts have the same filter list. And in any case I believe that typically sendmail will accept email from anyone for delivery to anyone. So a spammer could scatter his emails all over the Internet thru thousands of intermediate hosts, if he used the right software to do it.
Best Regards, Robert Laughlin
He has to be able to inject it in the first place. As more potential relays implement this, that becomes much harder.

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax: [+1 312 803-4929]       | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

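Added example, not part of the original thread or any participant's code: a Python illustration of what Michael Dillon and Karl Denninger describe above, reading a list in the syntax Paul Vixie posted and using it for a connection-time SMTP decision (a transient 421 for listed sources) instead of a route blackhole. The function names, the hostname `mx.example.net` and the sample prefixes (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the syntax of the list posted in this thread.
# The prefixes are documentation ranges, not entries from the real list.
SAMPLE_FEED = """\
# general spam
192.0.2 masklen 24 interface lo0 reject;        # constructed entry A
198.51.100.64 masklen 29 interface lo0 reject;  # constructed entry B
203.0.113.7 masklen 32 interface lo0 reject;    # constructed entry C
"""

# One route line: address (1 to 4 octets), "masklen N", an interface,
# the "reject" keyword, and an optional trailing comment.
_ROUTE = re.compile(
    r"^(?P<addr>\d{1,3}(?:\.\d{1,3}){0,3})\s+masklen\s+(?P<len>\d{1,2})\s+"
    r"interface\s+\S+\s+reject\s*;\s*(?:#\s*(?P<note>.*))?$"
)


def parse_feed(text):
    """Return [(IPv4Network, note)] for every reject route in the text.

    Raises ValueError on a line that is neither blank, a comment, nor a
    well-formed reject route, so a damaged list is never half-applied.
    """
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ROUTE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a reject route: {raw!r}")
        octets = m.group("addr").split(".")
        octets += ["0"] * (4 - len(octets))  # "192.0.2" -> "192.0.2.0"
        # strict=True refuses host bits set beyond the mask length.
        net = ipaddress.ip_network(
            f"{'.'.join(octets)}/{m.group('len')}", strict=True
        )
        routes.append((net, (m.group("note") or "").strip()))
    return routes


def first_reply(peer_ip, routes, hostname="mx.example.net", permanent=False):
    """Choose the first SMTP reply for a connecting peer.

    Returns (code, reply_line, matched_network_or_None).
    A listed peer gets 421 by default: a transient failure, so the sending
    host keeps the message queued and retries, as argued in the thread.
    permanent=True answers 554 instead, which the sender treats as final.
    """
    addr = ipaddress.ip_address(peer_ip)
    for net, _note in routes:
        if addr in net:  # False for an IPv6 peer against IPv4 routes
            if permanent:
                return 554, f"554 {hostname} No SMTP service here", net
            return (
                421,
                f"421 {hostname} Service not available, "
                "closing transmission channel",
                net,
            )
    return 220, f"220 {hostname} ESMTP", None


if __name__ == "__main__":
    table = parse_feed(SAMPLE_FEED)
    for peer in ("192.0.2.200", "198.51.100.71", "198.51.100.72", "203.0.113.8"):
        code, line, net = first_reply(peer, table)
        print(f"{peer:15} -> {line}   (matched {net})")
```

Only the SMTP listener consults the list here, so other traffic from a listed prefix is unaffected, which is the distinction the two sides of the thread are arguing over.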
On Wed, 19 Feb 1997, Paul A Vixie wrote:
The people who have signed up to receive my blackhole feed in real time all pretty much trust me to restrict my additions to things which violate the cooperative economics underlying the 'net. I take it that you weren't at the San Francisco NANOG so you didn't get to hear my talk on this subject.
I trust you as well, Paul. You've been doing this for too long to be some crazy conspiracist with a hidden agenda. I don't doubt that every one of these sites deserves this treatment. But you are presuming to exert control over a public resource. I don't care if you pay for it, you provide it to the public for public consumption and IMO you should not practice this sort of thing. If you don't like this, no one's making you personally provide for the root server - let someone else do it. Regardless, let people decide for themselves who they want and don't want to talk to. Circulating a list of known spammers is one thing - it's still up to me to block them. Assuming you have the right to block someone for me is something I'm opposed to, in principle at least. The temptation to block someone for "other" reasons (political, for instance) is just too much; if it's not you, then someone else will do it.
I will not have network resources I pay for, used to spam me, or to spam others. I have the right of use and/or disposal of my own property. People who spam are committing "theft of service" and my IP reachability matrix is better off without such people in it.
What you pay for is your business. I could care less if you block everything. What you provide to the public is something else entirely.
No, it isn't. You have guests and other users. If you have IP customers, then they have guests and other online users. By accepting spam you allow your resources (which you offer for cooperative reasons) to be used in a noncooperative way. If you have downstream customers you are subjecting them to the same abuse.
We offer our customers Internet access, and when they complain about spammers we do something about it. However, what we do affects only our network and our customers. It does not affect the world as a whole?
Removing people from the cooperative portion of the Internet works fine.
They'll come on from somewhere else. You can't block everyone, and someone will always be willing to make a buck providing access to these people.
I won't stop until it's socially unacceptable. When 800 phone sex people move offshore I block entire Pacific islands until they lose even those connections.
Again, you can't block everyone. Why you feel it necessary to impose your social mores on the net as a whole is beyond me.

shag

Judd Bourgeois           PGP key ID 0xEDC21CA1
shagboy@world.std.com    25DDE4AF C5AFEF51 6905DC77 360F0387
To all my friends - It's not the end
The earth has not swallowed me yet - 311, "Freak Out"

Removing people from the cooperative portion of the Internet works fine.
They'll come on from somewhere else. You can't block everyone, and someone will always be willing to make a buck providing access to these people.
And I will, I hope, always be standing by to remove those providers from my view of the address space. And I will make my blackhole list available, free of charge, to anyone else who trusts my judgement in this matter. You underestimate the power of the light side of the force.
Again, you can't block everyone. Why you feel it necessary to impose your social mores on the net as a whole is beyond me.
Yes, it is beyond you. Thanks for pointing that out, it saves me time.
participants (8)
- Alan Barrett
- Karl Denninger
- Matthew Petach
- Michael Dillon
- Neil J. McRae
- Paul A Vixie
- Racer X
- Robert Laughlin