Re: short Botnet list and Cashing in on DoS
i was recently chastised for posting non-operational content to nanog, and so, while i am willing to beat the drum for source address validation, i'm very concerned about commenting further in what has to be the 40th or 50th version of this thread in the last ten years. with trepidation, then:
there are many ways of sending spam that don't use port 25..
True, but reducing spam from millions to thousands seems like something good, no?
no. (thanks for asking.) that's not good. network abuse is a very strong economic force -- whether it's spam, ddos-for-hire, or whatever. blocking port 25 will make legitimate smtp permanently hard to use, while making non-legitimate smtp temporarily hard to use. if i learned anything at MAPS, it was that taking actions which merely harden, toughen, and educate spammers is counter-productive. good counteractivity must be recombinant, not just reactive. short term effectiveness is completely irrelevant, and not "good."
individual rules are costly to implement and users won't use a service where you have to pay more for basic services
Several big ISPs are blocking port 25 now. I believe this will catch.
had this been done in 1998 when the anti-spam community first warned about it, then a lot of good could have been done. but network abuse takes many more forms than smtp delivery now. stopping outbound tcp/25 won't make any notable difference to a network's support costs, by the end of the year. on the other hand, source address validation would make a notable difference in support costs, by the end of the first quarter after it was deployed.
It limits the amount of junk coming out from their users, and the usage of their tubes.
no. blocking outbound tcp/25 would not have that effect. doing BCP38 would.
I doubt even 0.001% of dynamic range Cable/DSL users will ever call to ask for port 25 to be opened.
This is something ISPs can implement, and it works.
if you define "works" very narrowly, perhaps as "causes the next wave of abuse coming from your network to not be in the form of outbound tcp/25", then i'd have to agree. but i don't define "works" that way since it will just shift costs toward the following months, after the attackers retune for their reduced capability (perhaps by inventing some new capabilities).
--------
i have a suggestion. if you're going to propose some method of curbing network abuse, which operates at something other than the IP layer, then please find a different forum. also, read vjs's "you might be" article. and when you're educated as to what's been tried and what's been done, and you find a forum where your proposal will be found interesting, then please cast your proposal in the following terms: "we implemented source address validation toward our customers as described in BCP38, and it wasn't good enough, so we did $X as well, and it had benefit $Y and cost $Z". (cc me!)
participants (1)
-
Paul Vixie