Re: short Botnet list and Cashing in on DoS
Most ISP's truly don't want this as their own problem. I personally don't blame them. Luckily the ISP I work for has no home users.
Most ISP's wouldn't have to deal with this problem if corporations took the time to release better products. I was faced with the question of "What do you do for infected clients?" What can an ISP do? Most of the time ISP's become the de facto MS technical support team, and it is rather unfair and costly to have technical support staff on the phone constantly putting out MS' fires. They are left with the prospect of losing clients when the client is told "It's an MS problem, you have to contact MS", yet they've called MS and spoken with someone likely in another country who has no clue, called Dell and spoken with yet another clueless person, and all they wanted to do was surf the net. What do you tell a client when they start stating "Well then I want to cancel my service" because they don't understand, and won't care to since they're frustrated? Sure, take a hit with one client cancelling an account; what happens when it grows? As for the prior responses of "You will get DoS'ed", this I am aware of. Problems that concerned me were more the tracking issues, coupled with the fact that there would be no guarantee that admins would do anything about it. Take the case of that one Californian who hijacked a /16 a while back, I believe from a county over there. Admins like this are liable to sit back and do nothing, since along the line someone is going to be paying money for the traffic. It is rather sad, and worse when you contact their upstream and they too do little. Consider (and I will keep mentioning them since it bugs me) EV1, Everybody's Internet. Not only do they host some botnets, malware spewing servers, spam relays, terrorist-related sites, their excuse is "Well we don't know who we rent to". Now I know laws are being worked in along the way, but if you own a home and rent it out, then it gets sublet, then re-sub'ed, let's say fifty transactions occurred, you own the home. If someone down the line is running drugs out of the apartment, your house is gone.
Yes there is little that can be done right now, but yet there ARE things that CAN BE DONE. I'm one that is skeptical about laws since laws abroad would mean nothing here and vice versa, but where are things headed? Spend more on infrastructure to support these issues when you shouldn't have to, or buy bigger equipment to handle filtering when you shouldn't have to. I say nip it in the bud: if you're an upstream provider and you see some of these issues, three strikes, shut these things down, or nullroute them; don't just sit twiddling your thumbs saying "Oh but that won't help, your idea is silly because foo_x reason." Have something better in mind? Propose it. I'm sure some of these networks that are getting DoS'ed out of existence would love to hear them. Hell, some might even pay you to implement them.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo GPG Key ID 0x51F9D78D Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D sil @ politrix . org http://www.politrix.org sil @ infiltrated . net http://www.infiltrated.net "How can we account for our present situation unless we believe that men high in this government are concerting to deliver us to disaster?" Joseph McCarthy "America's Retreat from Victory"
On Fri, 8 Oct 2004, J. Oquendo wrote:
this since it bugs me) EV1, Everybody's Internet. Not only do they host some botnets, malware spewing servers, spam relays, terrorists related sites, their excuse is "Well we don't know who we rent to"
They don't. When you have a few thousand dedicated servers and you can claim that you know *exactly* what each server is used for, then you can talk back.
Now I know laws are being worked in along the way, but if you own a home and rent it out, then it gets sublet, then re-sub'ed, let's say fifty transactions occurred, you own the home. If someone down the line is running drugs out of the apartment your house is gone.
And these laws (drug forfeiture) are grossly unfair, are used as a revenue generator by many municipalities, thus increasing pressure on prosecutors to try to seize as much as they can. Let's not use one bad law as an excuse to have more.
Yes there is little that can be done right now, but yet there ARE things that CAN BE DONE. I'm one that is skeptical about laws since laws abroad would mean nothing here and vice versa, but where are things headed? Spend more on infrastructure to support these issues when you shouldn't have to or buy bigger equipment to handle filtering when you shouldn't have to. I say nip it at the bud, if you're an upstream provider and you see some of these issues, three strikes shut these things down, or nullroute them, don't just sit twiddling your thumbs "Oh but that won't help your idea is silly because foo_x reason." Have something better in mind propose it. I'm sure some of these networks that are getting DoS'ed out of existence would love to hear them. Hell some might even pay you to implement them.
Don't sit twiddling your thumbs coming up with Final Ultimate Solutions to DDoS problems (FUSSDP) ideas and refusing to listen to foo_x reasons why it won't work. Listen and come up with better ideas; we'd love to hear them. Present them at a BOF at NANOG.
-alex
Most ISP's wouldn't have to deal with this problem if corporations took the time to release better products. I was faced with the question of "What do you do for infected clients?" What can an ISP do. Most of the
An ISP doesn't really have to do anything, either. As long as it is not in their financial interest or they are bound to it by law. Thing is, not everybody even calls tech support.
times ISP's become the de facto MS technical support team and it is rather [snip] understand, and won't care to since they're frustrated. Sure take a hit with one client cancelling an account, what happens when it grows?
You lose. But how much does it cost to hire a few more tech support guys? But as much as you might invest in tech support, some never even answer abuse mail.
As for the prior responses of "You will get DoS'ed" this I am aware of.
Actually, almost a year ago I heard somebody say: "Protection money? Online?!" Pay us or we will DDoS you?! That's stupid. In real life if you paid you at least knew that the bad guys: (1) Really won't trash your place. (2) Will stop others from trashing your place. Online, say you paid - so what? They can still DDoS you, and if they won't.. who says somebody else won't? With every kiddie owning so many Cable/DSL ranges.. it is plain and simple scary.
this since it bugs me) EV1, Everybody's Internet. Not only do they host some botnets, malware spewing servers, spam relays, terrorists related sites, their excuse is "Well we don't know who we rent to"
[snip] I don't care if they see it and don't do anything, I'd start with them answering abuse mail.
Yes there is little that can be done right now, but yet there ARE things that CAN BE DONE. I'm one that is skeptical about laws since laws abroad would mean nothing here and vice versa, but where are things
Not necessarily, but yes.. there are always countries like North Korea.
headed? Spend more on infrastructure to support these issues when you shouldn't have to or buy bigger equipment to handle filtering when you shouldn't have to. I say nip it at the bud, if you're an upstream provider and you see some of these issues, three strikes shut these things down, or nullroute them, don't just sit twiddling your thumbs "Oh but that won't help your idea is silly because foo_x reason." Have something better in
[snip] I truly believe that if the uplinks wanted spam, viruses and the rest of the dirt out of their tubes, they would manage it. Thing is - why should they? (1) Their clients don't like to be "censored". (2) It's a headache and a setback, on *all* levels. (3) Everybody in the food chain pays for bigger tubes. Gadi.
Most ISP's wouldn't have to deal with this problem if corporations took the time to release better products.
The average corporation is in business to make money. Releasing a better product than is required to enable revenue and deal with competition would be irresponsible to their shareholders. But let's stay out of that rathole on this latest trip down this topic.
I was faced with the question of "What do you do for infected clients?" What can an ISP do.
1. Do BCP38. Have your CFO read SAC004. Implement source address validity checks. Ensure that the ~50% or more of DDoS packets generated in the world that have invalid source addresses cannot come from your network -- this will make botnets made up of your clients less valuable in the ddos-for-hire world -- in other words, malfeasants will try less hard to create them, and other malfeasants will pay less to acquire them.
2. Filter aggressively. Run a dark-net, and if one of your customers hits it, blackhole their /32 for both inbound and outbound traffic, flag their record in your customer database, and wait for them to call. When they call, give them a list of anti-virus products for their 'puter, and the phone numbers (yes, sorry, no web access for them at the moment) of some vendors. This will cost you some top line revenue, but save your margins.
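The two steps in Paul Vixie's post, as an added worked example that is not code from the thread or from any of the tools it links: a BCP38-style source check on traffic leaving the ISP, and a dark-net hit detector that emits the /32 blackholes and flags the customer record. The prefixes, the flow log lines and the customer database are all constructed for the example; real deployments take flows from NetFlow/sFlow and push the /32s into a null-route or RTBH process.

```python
"""Added example (not from the thread): toy BCP38 egress check plus dark-net
hit handling. Prefixes, flow records and customer records are constructed."""
import ipaddress
from collections import namedtuple

# Constructed: the address space this ISP originates. Under BCP38, a packet
# leaving the network with any other source address is spoofed and is dropped.
OUR_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed: an unused /25 inside our allocation, routed to a collector and
# never legitimately talked to; anything hitting it is scanning or worm traffic.
DARKNET = ipaddress.ip_network("198.51.100.128/25")

Flow = namedtuple("Flow", ["src", "dst"])

# Constructed flow records in a simple "src=... dst=..." form.
FLOW_LOG = """\
src=192.0.2.10 dst=203.0.113.5
src=10.0.0.7 dst=203.0.113.5
src=192.0.2.44 dst=198.51.100.200
src=192.0.2.44 dst=198.51.100.201
src=198.51.100.9 dst=198.51.100.7
src=192.0.2.10 dst=198.51.100.150
"""

# Constructed customer database keyed by the customer's assigned address.
CUSTOMERS = {
    "192.0.2.10": {"account": "C1001", "flagged": False},
    "192.0.2.44": {"account": "C1002", "flagged": False},
    "198.51.100.9": {"account": "C1003", "flagged": False},
}


def parse_flows(text):
    """Turn the constructed log into Flow records with ip_address fields."""
    flows = []
    for line in text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split())
        flows.append(Flow(ipaddress.ip_address(fields["src"]),
                          ipaddress.ip_address(fields["dst"])))
    return flows


def is_valid_source(addr):
    """BCP38 egress check: the source must belong to one of our prefixes."""
    return any(addr in prefix for prefix in OUR_PREFIXES)


def bcp38_violations(flows):
    """Flows that would be dropped at the edge as source-spoofed."""
    return [f for f in flows if not is_valid_source(f.src)]


def darknet_hits(flows):
    """Addresses of our own customers that sent anything into the dark-net."""
    return {f.src for f in flows if f.dst in DARKNET and is_valid_source(f.src)}


def blackhole_routes(hits):
    """/32 entries for the null-route / RTBH process, sorted by address."""
    return [f"{addr}/32" for addr in sorted(hits)]


def flag_customers(customers, hits):
    """Mark hit customers in the database; return the flagged account ids."""
    flagged = []
    for addr in sorted(hits):
        record = customers.get(str(addr))
        if record is not None:
            record["flagged"] = True
            flagged.append(record["account"])
    return flagged


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("spoofed sources:", [str(f.src) for f in bcp38_violations(flows)])
    hits = darknet_hits(flows)
    print("blackhole:", blackhole_routes(hits))
    print("flagged accounts:", flag_customers(CUSTOMERS, hits))
```

On the constructed log the 10.0.0.7 flow is the BCP38 drop (an RFC 1918 source cannot have come from this network), while 192.0.2.10 and 192.0.2.44 touched the dark-net and get a /32 blackhole plus a flag on their account; 198.51.100.9 talked to a live address in the same /24 and is left alone.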
... Yes there is little that can be done right now, but yet there ARE things that CAN BE DONE. ... I say nip it at the bud, if you're an upstream provider and you see some of these issues, three strikes shut these things down, or nullroute them, don't just sit twiddling your thumbs "Oh but that won't help your idea is silly because foo_x reason." ...
Yea, verily. This is not an impossible problem for this community; it is only an impossible problem for any one of us acting totally independently. And while the solution isn't instant, the tide CAN be turned. -- Paul Vixie
Yea, verily. This is not an impossible problem for this community; it is only an impossible problem for any one of us acting totally independently. And while the solution isn't instant, the tide CAN be turned.
Problem is, we are fighting a war we already lost. It's put out a fire here and there, and break a wave while you're at it. How about seeing some simple measures such as blocking outgoing port 25 at ISP's? Not a perfect solution, but it's a partial solution for some of the problems. Combined with other solutions we could start seeing a change. Gadi.
Gadi Evron wrote:
Problem is, we are fighting a war we already lost. It's put out a fire here and there, and break a wave while you're at it.
How about seeing some simple measures such as blocking outgoing port 25? at ISP's? Not a perfect solution, but it's a partial solution for some of the problems. Combined with other solutions we could start seeing a change.
Blocking ports one by one and filling the Internet by application level proxies (SMTP gateways for port 25) is not a road worth travelling. Pete
Blocking ports one by one and filling the Internet by application level proxies (SMTP gateways for port 25) is not a road worth travelling.
Pete
Blocking port 25 for dynamic ranges means they can't send email, so those drones are pretty useless for spammers on that account. Trojan horses would have to use local information for the user's own account (from Outlook or such). ISP's could then, I suppose, limit every user to 5 emails a minute (or any other number). That combined with domain-keys and sender-ID could make for a much prettier Internet, don't you think? Abuse using port 25 is a major issue today, why not solve it? If a user wants it open, they could always ask for it or even pay more money. Perhaps move to a static IP? Gadi.
Gadi Evron wrote:
Blocking port 25 for dynamic ranges means they can't send email, so those drones are pretty useless for spammers on that account. Trojan horses would have to use local information for the user's own account (from Outlook or such).
Next you'll block SIP if we start getting "spam calls"? Or any other application that pops up and is used by the same people sending spam today?
ISP's could then, I suppose, limit every user to 5 emails a minute (or any other number).
That combined with domain-keys and sender-ID could make for a much prettier Internet, don't you think?
You're fixing the symptom, not curing the cause. The immediate root cause is a compromised PC which among other things does send mail across port 25. It'll also send mail using x-y-z webmail or misconfigured forms, etc.
Abuse using port 25 is a major issue today, why not solve it? If a user wants it open, they could always ask for it or even pay more money. Perhaps move to a static IP?
It would be much more beneficial to deny all packets from AS's which don't have abuse in control. Pete
Next you'll block SIP if we start getting "spam calls"? Or any other application that pops up and is used by the same people sending spam today?
There is the issue of usability. Why does a Cable user on a dynamic range need SMTP open?
You're fixing the symptom, not curing the cause. The immediate root cause is a compromised PC which among other things does send mail across port 25. It'll also send mail using x-y-z webmail or misconfigured forms, etc.
Webmail, etc. could and would be used, but instead of millions of messages sent openly from each drone - there would be hundreds, maybe thousands.
It would be much more beneficial to deny all packets from AS's which don't have abuse in control.
That's not going to happen any time soon, and if only one ISP does it.. imagine the tech support screams? I'd rather treat the symptoms. After all, the symptom of high-temperature is not the illness itself, but it could kill. Gadi.
Next you'll block SIP if we start getting "spam calls"? Or any other application that pops up and is used by the same people sending spam
today?
There is the issue of usability. Why does a Cable user on a dynamic range need SMTP open?
Because I am running my own SMTP server @ FreeBSD, for example. It is MY concern, not ISP concern.
On Sat, 9 Oct 2004, Alexei Roudnev wrote:
Then get yourself a personal colo (http://www.vix.com/personalcolo/) A dynamic ip is no place for a server of any kind. And it IS the isp's concern. Most of them would consider running a mail server on a home-user grade cable connection to be in violation of their AUP if push came to shove, and they have every right to block you. -Dan
-- "She's been getting attacked by these leeches, they're leaving these marks all over her neck. You gotta keep her out of those woods. If one more leech gets her, she's gonna get a smack." -Someone's Mother, December 18th, 1998 --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---------------------------
Then get yourself a personal colo (http://www.vix.com/personalcolo/) A dynamic ip is no place for a server of any kind.
right! to use the internet as an end host/customer i have to go get colo, transit there, ... cool! randy
On Sat, 9 Oct 2004, Alexei Roudnev wrote:
Then get yourself a personal colo (http://www.vix.com/personalcolo/) A dynamic ip is no place for a server of any kind.
It is wrong - dynamic IP is just a dynamic IP. Nothing more. If you are doing any filtering, do not name it IP; name it _home network with elements of IP_, for example.
And it IS the isp's concern. Most of them would consider running a mail server on a home-user grade cable connection to be in violation of their AUP if push came to shove, and they have every right to block you.
Incorrect - they do not have any such AUP in place. It is your fantasy.
-Dan
In article <416833A2.9030503@linuxbox.org> you write:
Next you'll block SIP if we start getting "spam calls"? Or any other application that pops up and is used by the same people sending spam today?
There is the issue of usability. Why does a Cable user on a dynamic range need SMTP open?
Cable modem users don't need the ISP's servers for outgoing email. They have the "always on" connection needed to reliably deliver email. The only reason email went via ISP's servers back in the dialup days was to get reliable delivery. In the US there is even more incentive to bypass the ISP's servers. Look at the way they have interpreted the wire tap laws. Sane end users would also be configuring their systems to detect interception of email. Crypto was added to SMTP for a reason. ISP's shouldn't be getting in the way of using it. Mark
Pardon my possibly ill-informed interjection. I was under the impression that the current wind was blowing towards filtering outbound port 25 traffic while allowing outbound authenticated port 587 traffic? The thought being that while this was not a FUSSP, it helps to prevent unauthenticated "direct to mx" abuses.
On 10 Oct 2004, at 03:24, Mark Andrews wrote:
In the US there is even more incentive to bypass the ISP's servers. Look at the way they have interpreted the wire tap laws.
This would allow customers to access remote mail servers to avoid ISPs who agree with the (mis)interpretation of the wire tap laws.
On 9 Oct 2004, at 23:40, Alexei Roudnev wrote:
Because I am running my own SMTP server @ FreeBSD, for example. It is MY concern, not ISP concern.
Customers' (mis)use of their connection is always the ISP's concern. If you are paying a premium for a Pure Pipe (tm), then yes, the way your server functions is your concern; however, since your actions directly influence how other networks accept or deny mail from your ISP as a whole, it is very much their concern how you use your connection.
On 9 Oct 2004, at 15:45, Paul Vixie wrote:
blocking port 25 will make legitimate smtp permanently hard to use, while making non-legitimate smtp temporarily hard to use.
I disagree; it will temporarily cause many, many people to have broken implementations and temporarily increase load tremendously on call centers. Working for an ISP that does port 25 filtering has not negatively impacted our users' ability to use SMTP in any permanent fashion. I don't underestimate the ability of software vendors and ISPs to roll out new requirements for SMTP to customers in a relatively painless fashion. Our ISP is currently making the transition from SMTP to Authenticated SMTP (we will be discontinuing the former) and I would see implementing port 25 blocking in much the same light with regards to implementation cost and the increased difficulty of using SMTP legitimately. I agree that BCP 38 should be implemented. I agree that BCP 38 will have a greater effect on network abuse than port 25 filtering. They both have their place and address partially overlapping groups of abuse imho.
Pardon for my possibly ill informed interjection. I was under the impression that the current wind was blowing towards filtering outbound
It is not true, as far as I know; moreover, the day when I receive such a proposal from my ISP will be my last day with this ISP, and so it will be for many others. The reason is simple - it IS NOT THEIR DUMB CONCERN, they are I(nternet)S(ervice)P(rovider) (not WSP, Www Service Provider, for example). It is an American habit to think that others are so dumb that you must think instead of them... but people are smart, sorry. But I am not saying that it excludes an AUP - yes, I should not abuse the AUP, which may restrict me from sending or relaying spam, can restrict me from using more traffic on average than I signed for (it is common in most East European countries, for example), can require me to control my resources well... Yes, if I maintain a mail relay myself, I am responsible for not sending spam, and if it is used for sending spam, it is an AUP violation and the ISP has the right to restrict port 25; if I host child porn, it is an AUP violation, and so on... Using port 25 is not an AUP violation, in no way. (But if your mail relay requires my relay to be in DNS and so can reject mail from it, it is your right, as not my ISP but the owner of _your_ hosts - so in reality I will maintain mixed mode SMTP only, sending the rest of mail to my provider...). (Even simpler. I use an e-mail server in Russia, and I send SMTP mail directly to it, and I do not want to use my provider's mail relay - so I use port 25. Not any problem with the AUP). And remember, many relays use POP authentication to allow SMTP from the same IP address. (Don't talk about wiretapping, it is 99% kids' games - everyone who wants his messages not to be wiretapped can do it easily, on today's Internet... I personally am 0% concerned about it - if some big boys (no matter in which country) wanna play kid games - let them do it, to prevent crying and depression - I hate crying kids, esp big ones...). But - it does not eliminate some smart technologies, such as having a default firewall service.
If I was in the ISP business today, I'd propose it for all customers, allowing them to turn it off / on by a simple button on the WWW (or by calling my support group). It is another thing - this is SERVICE. SERVICE does not make decisions instead of the customer(s), it adds value if the customer wants it. What about SMTP? It is simple. I use ISP service from provider A. I use MAIL service from a few other providers, and I can use port 25 to communicate with them (for example, using a POP/SMTP mixed authentication schema). Any port 25 filtering will cause me to complain to the ISP, ask for money back and break the contract with them (maybe sue them for AUP violation from THEIR side!). Good policy (see above) would be:
- they allow me to control port 25 and other things
- If I keep their default policy, I am not responsible for possible breakage, spam and so on from my site.
- If I turn this off, I become responsible.
On Sun, 10 Oct 2004, James Baldwin wrote:
I agree that BCP 38 should be implemented. I agree that BCP 38 will have a greater effect on network abuse than port 25 filtering. They both have their place and address partially overlapping groups of abuse imho.
Be conservative in what you send is an excellent philosophy. And within a product generation or two, vendor equipment will almost be capable of supporting it. Even Cisco has realized uRPF isn't a complete solution. Cisco's marketing department came up with multiple different names, IP sourceguard, Cable source verify, unicast reverse path filtering, which confuses both technical and non-technical people. But too many boxes still crumble if you turn them on, if you are even able to turn them on.
But BCP38 doesn't immediately help the ISP. Several ISPs have implemented BCP38, and it has very little return on investment. It actually has a negative return because people are dumb. People think BCP38 means the packets could only originate from you. In reality, BCP38 only helps you with where the spoofed packets did NOT originate. But people don't complain to the source of spoofed packets. People complain to IANA about attacks coming from Net-10. I know the Net-10 packets didn't originate from me, but it doesn't mean the Net-64 packets did.
On the other hand, NAT, banning servers, blocking port 25, file sharing bandwidth limits all have a much faster return on investment from the ISP point of view. They may be more harmful in the longer term. But even your friends don't like it when you try to do the right thing. Microsoft removed "raw" sockets from XP SP2. Doesn't that make you feel safer? I have received complaints from people about NOT being able to spoof packets.
SD> Date: Sun, 10 Oct 2004 21:35:33 -0400 (EDT)
SD> From: Sean Donelan
SD> People think BCP38 means the packets could only originate
SD> from you.
Were BCP38 universal, this would be true. If one receives a packet, it's either from the supposed source or a network that allows spoofing. If no networks allow spoofing, it came from the supposed source.
SD> [P]eople don't complain to the source of spoofed packet.
SD> People complain to IANA about attacks coming from Net-10.
They complain to the perceived source. Many Internet users are shocked at how trivial it is to forge email/packet sources; I guess they're used to services like caller ID where the end user isn't [traditionally] given the power to spoof. Then there's postal mail. At least sending spoofed packets is more costly than IP, and end-user packets frequently are tagged with an ingress label.
Eddy
--
Everquick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses: davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net Sending mail to spambait addresses is a great way to get blocked.
On Sun, 10 Oct 2004 15:06:17 -0400, James Baldwin <jbaldwin@antinode.net> wrote:
Pardon my possibly ill-informed interjection. I was under the impression that the current wind was blowing towards filtering outbound port 25 traffic while allowing outbound authenticated port 587 traffic? The thought being that while this was not a FUSSP, it helps to prevent unauthenticated "direct to mx" abuses.
Well, the wind blows where it wants... 587 and its relatives are useful for enterprise firewall penetration as well as for environments where ISPs incorrectly block port 25, and they make it possible to do SPF and similar sender-ID protocols in those environments (which are otherwise awkward.) For an ISP, you don't just "allow" 587 - the normal definition of Internet service is to allow everything unless there's a good reason not to, as opposed to deny-most firewalls. We've had the "blocking port 25" discussion too many times before, and I'll second Paul Vixie's call to go implement BCP38 first. ---- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
BS> Date: Mon, 11 Oct 2004 10:52:45 -0700
BS> From: Bill Stewart
BS> [T]he normal definition of Internet service is to allow
BS> everything unless there's a good reason not to, as opposed to
BS> deny-most firewalls.
Perhaps that's part of the problem. Has AOL's SMTP proxying and blocking driven it out of business? How much abuse do people see from, say, AOL netblocks versus SBC netblocks? "Disable unless needed" has long been considered prudent for servers. With end-user machines numbering orders of magnitude higher, why should they be held to drastically lower standards?
Eddy
Speaking on Deep Background, the Press Secretary whispered:
Abuse using port 25 is a major issue today, why not solve it? If a user wants it open, they could always ask for it or even pay more money. Perhaps move to a static IP?
Greed. I'd cheerfully pay a REASONABLE amount for same. Say the $5/month I did a few years ago. But the beancounters say, oh no, that's COMMERCIAL service, for .GT. 5x the price. -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
On Sat, 9 Oct 2004, Gadi Evron wrote:
Blocking port 25 for dynamic ranges means they can't send email, so those drones are pretty useless for spammers on that account. Trojan horses would have to use local information for the user's own account (from Outlook or such).
my users like being able to send email. i don't think this can work! (and there are many legit reasons for not using our own smtp servers.. indeed we have custs on other ISPs' networks who use our smtp server)
ISP's could then, I suppose, limit every user to 5 emails a minute (or any other number).
5 emails or 5 recipients? i can send one email with hundreds/thousands of rcpts.. and again, there are lots of legit reasons for sending a batch of emails
That combined with domain-keys and sender-ID could make for a much prettier Internet, don't you think?
you mean SPF? i agree, use as many tools as are available in conjunction with something like spamassassin to score mails as likely spam
Abuse using port 25 is a major issue today, why not solve it? If a user wants it open, they could always ask for it or even pay more money. Perhaps move to a static IP?
there are many ways of sending spam that don't use port 25.. individual rules are costly to implement and users won't use a service where you have to pay more for basic services Steve
there are many ways of sending spam that don't use port 25..
True, but reducing spam from millions to thousands seems like something good, no?
individual rules are costly to implement and users won't use a service where you have to pay more for basic services
Several big ISP's are blocking port 25 now. I believe this will catch. It limits the amount of junk coming out from their users, and the usage of their tubes. I doubt even 0.001% of dynamic range Cable/DSL users will ever call to ask for port 25 to be opened. This is something ISP's can implement, and it works. Gadi.
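Gadi's proposal above (port 25 closed for the dynamic pool, opened on request, a per-minute sending limit) and Steve's objection that one message can carry hundreds of recipients, as an added worked example that is not code from the thread or from any ISP's real configuration: a small egress policy object that decides port 25 versus 587 per source address and enforces the thread's "5 a minute" figure counted per recipient rather than per message. The dynamic pool, the opt-in list and the timestamps are constructed for the example.

```python
"""Added example (not from the thread): SMTP egress policy for a dynamic pool.
The /24, the opt-in addresses and the time values are constructed."""
import ipaddress
from collections import defaultdict, deque

DYNAMIC_POOL = ipaddress.ip_network("192.0.2.0/24")  # constructed cable/DSL range
SMTP_PORT = 25          # direct-to-MX: closed by default for the pool
SUBMISSION_PORT = 587   # authenticated submission: always allowed
WINDOW_SECONDS = 60
RCPT_LIMIT = 5          # the thread's "5 a minute", applied to recipients


class SmtpEgressPolicy:
    def __init__(self, opt_in=()):
        # Customers who asked (via a portal checkbox or support) for port 25.
        self.opt_in = {ipaddress.ip_address(a) for a in opt_in}
        # Per-source sliding window of (timestamp, recipient_count) entries.
        self.windows = defaultdict(deque)

    def port_allowed(self, src, dport):
        """May a TCP connection from src to dport leave the network?"""
        src = ipaddress.ip_address(src)
        if dport != SMTP_PORT:
            return True                  # 587 and everything else pass
        if src not in DYNAMIC_POOL:
            return True                  # static / business addresses are not filtered
        return src in self.opt_in        # dynamic pool: closed unless requested

    def accept_message(self, src, recipient_count, now):
        """Rate limit: accept only while recipients in the last minute stay within RCPT_LIMIT."""
        window = self.windows[ipaddress.ip_address(src)]
        while window and window[0][0] <= now - WINDOW_SECONDS:
            window.popleft()             # drop entries that have aged out
        used = sum(count for _, count in window)
        if used + recipient_count > RCPT_LIMIT:
            return False                 # one message with 300 RCPTs is refused outright
        window.append((now, recipient_count))
        return True


if __name__ == "__main__":
    policy = SmtpEgressPolicy(opt_in=["192.0.2.77"])
    print("pool host -> 25:", policy.port_allowed("192.0.2.10", 25))      # False
    print("pool host -> 587:", policy.port_allowed("192.0.2.10", 587))    # True
    print("opted-in host -> 25:", policy.port_allowed("192.0.2.77", 25))  # True
    print("3 rcpts at t=0:", policy.accept_message("192.0.2.77", 3, now=0.0))
    print("3 more at t=10:", policy.accept_message("192.0.2.77", 3, now=10.0))
```

Counting recipients instead of messages is the design choice the thread argues over: with a per-message limit, a single message to a thousand addresses would pass; here it is refused and the window is left untouched, while a customer who stays under five recipients per minute is never affected.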
On Sat, 9 Oct 2004, Gadi Evron wrote:
there are many ways of sending spam that don't use port 25..
True, but reducing spam from millions to thousands seems like something good, no?
their market won't change tho, you will just force them to use another method.. at one time open relays were almost exclusively the way used to send spam, now they aren't nearly as popular (or available) you can see the same with other problems eg dos attacks were once all smurfs, a lot of effort was put into removing amplifiers and now we have the botnets.. i'm not saying do nothing, just only do things which make sense and are practical
individual rules are costly to implement and users won't use a service where you have to pay more for basic services
Several big ISP's are blocking port 25 now. I believe this will catch.
we need to look at some examples and what they're doing exactly.. some redirect it forcibly to their own servers. but i believe this approach is limited in how you can apply it.. someone like aol can pretty well classify their users as low end residential and that's fine ... but move away from this and special requirements start creeping in and exceptions are not scalable enough.
It limits the amount of junk coming out from their users, and the usage of their tubes.
I doubt even 0.001% of dynamic range Cable/DSL users will ever call to ask for port 25 to be opened.
i'd suggest your estimate is too low based on all end users
This is something ISP's can implement, and it works.
this is something *some* isps can do ... and i'm not arguing that we shouldn't do these little things but it's just one limited way and serves more to reduce problems with your own users than to reduce inbound spam Steve
If my ISP blocks port 25, I'll change ISP the next day. But if it is _configurable_ (blocked by default, but I can change the setting by simply opening a web page and selecting a checkbox) - why not.
----- Original Message ----- From: "Petri Helenius" <pete@he.iki.fi> To: "Gadi Evron" <ge@linuxbox.org> Cc: "Paul Vixie" <vixie@vix.com>; <nanog@merit.edu> Sent: Saturday, October 09, 2004 11:13 AM Subject: Re: short Botnet list and Cashing in on DoS
Paul Vixie wrote:
2. Filter aggressively. Run a dark-net, and if one of your customers hits it, blackhole their /32 for both inbound and outbound traffic, flag their record in your customer database, and wait for them to call. When they call, give them a list of anti-virus products for their 'puter, and the phone numbers (yes, sorry, no web access for them at the moment) of some vendors. This will cost you some top line revenue, but save your margins.
This can be automated to a level where the customer is redirected to a self-service portal allowing him/her to clean up the PC (if at all possible) and after that has been done the connectivity is restored. Saves your helpdesk a call and helps the margins further. (although the productized solution costs some, but the net effect is still the same) Pete
1. Do BCP38. http://rfc.net/bcp0038.html
Have your CFO read SAC004. http://www.icann.org/committees/security/sac004.htm
Implement source address validity checks. http://www.cisco.com/en/US/tech/tk828/tk363/technologies_tech_note09186a0080...
2. Filter aggressively. Run a dark-net, http://www.cymru.com/Darknet/
Hunt down documents like these, post links to them on your intranet, print them out and post them in your offices, write executive summaries of them, i.e. one short paragraph that managers can understand, and then email these summaries to decision makers. Eventually people do act on this knowledge. They may think it was their own idea, but that isn't as important as making the effort. --Michael Dillon
participants (16)
- alex@pilosoft.com
- Alexei Roudnev
- Bill Stewart
- Dan Mahoney, System Admin
- David Lesher
- Edward B. Dreger
- Gadi Evron
- J. Oquendo
- James Baldwin
- Mark Andrews
- Michael.Dillon@radianz.com
- Paul Vixie
- Petri Helenius
- Randy Bush
- Sean Donelan
- Stephen J. Wilcox