The End-To-End Internet (was Re: Blocking MX query)
----- Original Message -----
From: "John Peach" <john-nanog@johnpeach.com>
On Tue, 4 Sep 2012 11:57:38 -0400 (EDT) Jay Ashworth <jra@baylink.com> wrote:
SMTP Auth to *arbitrary remote domains' MX servers*? Am I missing something, or are you?
I run an MTA on my server and auth to that from laptops and other clients. Relaying allowed for authorised users.
So, in other words, it's ok to rant and stomp our feet about the end-to-end architecture and how critical it is to support in order to diss NAT, but we're required to ignore it when discussing SMTP? I'm not sure I'm following, there.
Cheers,
-- jra
-- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
On 9/4/12 9:05 AM, Jay Ashworth wrote:
----- Original Message -----
From: "John Peach" <john-nanog@johnpeach.com>
On Tue, 4 Sep 2012 11:57:38 -0400 (EDT) Jay Ashworth <jra@baylink.com> wrote:
SMTP Auth to *arbitrary remote domains' MX servers*? Am I missing something, or are you?
I run an MTA on my server and auth to that from laptops and other clients. Relaying allowed for authorised users.
So, in other words, it's ok to rant and stomp our feet about the end-to-end architecture and how critical it is to support in order to diss NAT, but we're required to ignore it when discussing SMTP?
I'm not sure I'm following, there.
Feelings on spam = "this is why we can't have nice things" ~Seth
If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we supposed to pick you out from spammers that do the same? Use your MX or SPF senders as your outbound mail agent, especially if they are properly configured with full DNS records so we can tell they are the correct machines to be sending on your behalf, or expect that you will get more mail bounced and lost than the average user because you are being unpredictable and unverifiable.
On 09/04/2012 11:05 AM, Jay Ashworth wrote:
----- Original Message -----
From: "John Peach" <john-nanog@johnpeach.com> On Tue, 4 Sep 2012 11:57:38 -0400 (EDT) Jay Ashworth <jra@baylink.com> wrote:
SMTP Auth to *arbitrary remote domains' MX servers*? Am I missing something, or are you? I run an MTA on my server and auth to that from laptops and other clients. Relaying allowed for authorised users. So, in other words, it's ok to rant and stomp our feet about the end-to-end architecture and how critical it is to support in order to diss NAT, but we're required to ignore it when discussing SMTP?
I'm not sure I'm following, there.
Cheers, -- jra
-- Daniel Taylor VP Operations Vocal Laboratories, Inc dtaylor@vocalabs.com 952-941-6580x203
On 09/04/2012 03:52 PM, Michael Thomas wrote:
On 09/04/2012 09:34 AM, Daniel Taylor wrote:
If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we supposed to pick you out from spammers that do the same?
Use DKIM. You say that like it's a lower bar than setting up a fixed SMTP server and using that. Besides, doesn't DKIM break on mailing lists?
-- Daniel Taylor VP Operations Vocal Laboratories, Inc dtaylor@vocalabs.com 952-941-6580x203
On 09/05/12 05:56 , Daniel Taylor wrote:
Use DKIM. You say that like it's a lower bar than setting up a fixed SMTP server and using that. Besides, doesn't DKIM break on mailing lists?
Not only that, but a majority of spam I receive lately has a valid DKIM signature. They are adaptive, like cockroaches.
On Wed, Sep 05, 2012 at 07:50:12AM -0700, Henry Stryker wrote:
Not only that, but a majority of spam I receive lately has a valid DKIM signature. They are adaptive, like cockroaches.
This is why tcp port 25 filtering is totally effective and will remain so forever. Definitely worth breaking basic function principles of a global communications network over which trillions of dollars of commerce occur.
-- . ___ ___ . . ___ . \ / |\ |\ \ . _\_ /__ |-\ |-\ \__
On Wed, Sep 5, 2012 at 11:11 AM, Izaac <izaac@setec.org> wrote:
On Wed, Sep 05, 2012 at 07:50:12AM -0700, Henry Stryker wrote:
Not only that, but a majority of spam I receive lately has a valid DKIM signature. They are adaptive, like cockroaches.
This is why tcp port 25 filtering is totally effective and will remain so forever. Definitely worth breaking basic function principles of a global communications network over which trillions of dollars of commerce occur.
-- . ___ ___ . . ___ . \ / |\ |\ \ . _\_ /__ |-\ |-\ \__
But as someone pointed out further back on this thread, people who want to have their mail servers available to people who are on the other side of port 25 filtering just use the alternate ports. So then what does filtering port 25 accomplish?
Greg
On Sep 5, 2012, at 11:46, Greg Ihnen wrote:
But as someone pointed out further back on this thread people who want to have their mail servers available to people who are on the other side of port 25 filtering just use the alternate ports. So then what does filtering port 25 accomplish?
The alternate port 587 is for users of that mail server to send mail through it, presumably authenticated, not for receipt of random mail from the internet. This allows those users to relay email through their server unaffected while behind a port 25 block. Configuring it to accept all messages on that port would defeat the purpose.
---
Sean Harlow
sean@seanharlow.info
On Wed, Sep 05, 2012 at 11:46:34AM -0400, Greg Ihnen wrote:
On Wed, Sep 5, 2012 at 11:11 AM, Izaac <izaac@setec.org> wrote:
On Wed, Sep 05, 2012 at 07:50:12AM -0700, Henry Stryker wrote:
signature. They are adaptive, like cockroaches.
This is why tcp port 25 filtering is totally effective and will remain so forever. Definitely worth breaking basic function principles of a global communications network over which trillions of dollars of commerce occur.
But as someone pointed out further back on this thread people who want to have their mail servers available to people who are on the other side of port 25 filtering just use the alternate ports. So then what does filtering port 25 accomplish?
I suspect your ISP is also stripping <sarcasm> tags. Let's try it out again:
You can tell that tcp port 25 filtering is a highly effective spam mitigation technique because spam levels have declined in direct proportion to their level of deployment. Today, we barely see any spam on the internet due to the amazing ability of these filters to prevent bad people from sending bulk email.
Was that properly marked? Or this one?
Since tcp25 filtering has been so successful, we should deploy filters for everything except tcp80 and tcp443 and maaaybe tcp21 -- but NAT already does so much to enhance the user experience there already. And what with ISP customers using their provided DNS and mail service exclusively, there's no reason to permit udp53, tcp110, tcp143, tcp993, tcp995 either. Really, only evil people use anything but the web. Any other traffic is undoubtedly a bot from which they ought to be protected.
-- . ___ ___ . . ___ . \ / |\ |\ \ . _\_ /__ |-\ |-\ \__
On Sep 5, 2012, at 5:12 PM, Izaac <izaac@setec.org> wrote:
Since tcp25 filtering has been so successful, we should deploy filters for everything except tcp80 and tcp443 and maaaybe tcp21 -- but NAT already does so much to enhance the user experience there already. And what with ISP customers using their provided DNS and mail service exclusively, there's no reason to permit udp53, tcp110, tcp143, tcp993, tcp995 either. Really, only evil people use anything but the web. Any other traffic undoubtedly a bot from which they ought to be protected.
Izaac, you do realize that the NANOG mailing list is archived and some helpful person will quote you to their favorite legislator?
James R. Cutler
james.cutler@consultant.com
On Wed, Sep 5, 2012 at 5:12 PM, Izaac <izaac@setec.org> wrote:
I suspect your ISP is also stripping <sarcasm> tags. Let's try it out again:
You can tell that tcp port 25 filtering is a highly effective spam mitigation technique because spam levels have declined in direct proportion to their level of deployment. Today, we barely see any spam on the internet due to amazing ability of these filters to prevent bad people from sending bulk email.
Thing is, spam levels *are* down a good 20% in the last couple years, that being about the time ISPs began doing this. More, 20% *is* in rough proportion to the impacted customer counts on the handful of cable and DSL providers that implemented it. And if you remind me that correlation is not causation I'll have to point out the same flaw in your more sarcastic version.
Regards,
Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
Subject: Re: The End-To-End Internet (was Re: Blocking MX query) Date: Wed, Sep 05, 2012 at 06:56:36PM -0400 Quoting William Herrin (bill@herrin.us):
Thing is, spam levels *are* down a good 20% in the last couple years, that being about the time ISPs began doing this. More, 20% *is* in rough proportion the impacted customer counts on the handful of cable and DSL providers that implemented it.
Not here. My experience is that it is at best static, but most likely increasing. Around here, the sad default is that it is impossible to buy tcp/25 access except in colos and over tunnels. It does not help. It just is a very bad precedent; it looks like you are doing something. Which for lawyers is just as fine as efficient action.
We need to remind ourselves that this Internet thing got big simply because it let people have computers send packets directly to other people's computers. There was this guy called Aesop who wrote a story about blocking traffic on the Internet, but since the Internet wasn't known at the time (too secret) he had to rephrase it so it became a story about a goose that lays golden eggs.
-- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
I HAVE to buy a new "DODGE MISER" and two dozen JORDACHE JEANS because my viewscreen is "USER-FRIENDLY"!!
On Sep 5, 2012, at 11:11, Izaac wrote:
This is why tcp port 25 filtering is totally effective and will remain so forever. Definitely worth breaking basic function principles of a global communications network over which trillions of dollars of commerce occur.
Two things to note:
1. Restricting outbound port 25 is nothing new. It's been in use since before SPF or DKIM were under development, yet it hasn't been defeated/bypassed. Henry didn't specify whether the DKIM-valid messages he received were forged or if they just came from a random spam domain. If the latter, of course that's trivial for spammers to make appear legitimate, because the only goal of such systems is to verify that the sender controls or is approved by the domain the message claims to be from.
2. The reason port 25 blocks remain effective is that there really isn't a bypass. If you want to spam, at some point you must establish a TCP connection to port 25 on the destination mail server. You can either do this from your own machines (where a good hosting provider will cut you off in a hurry) or by using someone else's illegitimately. Servers tend to be located in datacenters where again a good provider will take action, so botted end-user machines are obviously a huge thing to spammers. Eliminate the ability for the majority of those bots to make said port 25 connections, and you've now forced them into a much smaller operating area where they're more likely to be found. The only "bypass" is to go back to using their own machines or compromised equipment on higher-grade connections.
---
Sean Harlow
sean@seanharlow.info
On 09/05/2012 07:50 AM, Henry Stryker wrote:
Not only that, but a majority of spam I receive lately has a valid DKIM signature. They are adaptive, like cockroaches.
The "I" part of DKIM is "Identified". That's all it promises. It's a feature, not a bug, that spammers use it.
Mike
On 09/05/12 09:13 , Michael Thomas wrote:
The "I" part of DKIM is "Identified". That's all it promises. It's a feature, not a bug, that spammers use it.
Which is why DKIM does not really address any concerns. The spammers have reduced its value.
I am retired now, but do run my own mail server from home. It is a challenge. Not all static IPs provided by ISPs are outside of "home IP groups", so you will find some of them blocked at some large domains. SPF and DKIM do help, a bit. What I have found really makes the home MTA possible are:
1. a "real" static IP
2. proper DNS (A and PTR; PTR must at least exist)
3. tuning your MTA to respect the restraints of various large ISPs
Lacking 1 & 2, it is just not worth the effort attempting direct delivery, if you value actual delivery of your email. I would never even attempt such from a peripatetic laptop.
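Daniel Taylor's "use your MX or SPF senders ... properly configured with full DNS records" earlier in the thread and the home-MTA checklist just above (static IP, A and PTR records) both describe what a receiving MTA can verify about a connecting sender before it ever sees message content. The block below is an added example written for this archive, not code from anyone in the thread: a minimal SPF evaluator for the ip4/ip6, a, mx, include and all mechanisms, plus a forward-confirmed reverse DNS check, run against a constructed DNS view (example.org, mx1.example.org, _spf.mailhost.example and the addresses in the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 documentation ranges are all made up for the example).

```python
import ipaddress

# Constructed DNS view standing in for live lookups; none of these names or
# records are real. Keys are (owner name, record type).
DNS = {
    ("example.org", "TXT"): ["v=spf1 mx ip4:203.0.113.0/28 include:_spf.mailhost.example -all"],
    ("example.org", "MX"): ["mx1.example.org"],
    ("mx1.example.org", "A"): ["203.0.113.5"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("5.113.0.203.in-addr.arpa", "PTR"): ["mx1.example.org"],
    # A PTR that exists but does not point back: typical of a laptop on a
    # residential range whose operator never set up matching forward DNS.
    ("77.2.0.192.in-addr.arpa", "PTR"): ["laptop.example.org"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name, rtype), [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Minimal RFC 7208 check_host: ip4, ip6, a, mx, include, all. Terms are
    tried in order and the first match decides. Macros, exists, ptr and
    redirect= yield permerror; CIDR suffixes on a/mx simply do not match."""
    if depth > 10:                  # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ipaddress returns False when address and network families differ.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                # no term matched: RFC 7208 default result


def fcrdns(ip):
    """Forward-confirmed reverse DNS: a PTR exists and at least one name it
    gives resolves back to the connecting IP. Returns no-ptr, mismatch or confirmed."""
    names = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if not names:
        return "no-ptr"
    if any(ip in lookup(name, "A") for name in names):
        return "confirmed"
    return "mismatch"
```

Swapping the DNS dict for a real resolver turns this into the check a receiving MTA performs at MAIL FROM time; the roaming-laptop case in the thread is the one that lands in "mismatch" or "no-ptr" with an SPF "fail".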
In article <5047A2EA.8010307@hup.org> you write:
On 09/05/12 09:13 , Michael Thomas wrote:
The "I" part of DKIM is "Identified". That's all it promises. It's a feature, not a bug, that spammers use it.
Which is why DKIM does not really address any concerns. The spammers have reduced its value.
Nothing personal, but nobody who had the most rudimentary understanding of what DKIM does and how it's intended to be used would make such a statement. See the archives of the IETF DKIM list for much, much, much more detail.
R's,
John
On 09/05/2012 05:56 AM, Daniel Taylor wrote:
On 09/04/2012 03:52 PM, Michael Thomas wrote:
On 09/04/2012 09:34 AM, Daniel Taylor wrote:
If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we supposed to pick you out from spammers that do the same?
Use DKIM. You say that like it's a lower bar than setting up a fixed SMTP server and using that.
I say it like it addresses your concern.
Mike
On 09/05/2012 10:19 AM, Michael Thomas wrote:
On 09/05/2012 05:56 AM, Daniel Taylor wrote:
On 09/04/2012 03:52 PM, Michael Thomas wrote:
On 09/04/2012 09:34 AM, Daniel Taylor wrote:
If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we supposed to pick you out from spammers that do the same?
Use DKIM. You say that like it's a lower bar than setting up a fixed SMTP server and using that.
I say it like it addresses your concern.
Well, if you've got proper forward and reverse DNS, and your portable SMTP server identifies itself properly, and you are using networks that don't filter outbound port 25, AND you have DKIM configured correctly and aren't using it for a situation for which it is inappropriate, then you'll get the same results with a portable SMTP server that you would sending through a properly configured static server. So, no, "use DKIM" does not address the delivery difficulties inherent to using a portable SMTP server.
-- Daniel Taylor VP Operations Vocal Laboratories, Inc dtaylor@vocalabs.com 952-941-6580x203
On 09/05/2012 12:50 PM, Daniel Taylor wrote:
On 09/05/2012 10:19 AM, Michael Thomas wrote:
On 09/05/2012 05:56 AM, Daniel Taylor wrote:
On 09/04/2012 03:52 PM, Michael Thomas wrote:
On 09/04/2012 09:34 AM, Daniel Taylor wrote:
If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we supposed to pick you out from spammers that do the same?
Use DKIM. You say that like it's a lower bar than setting up a fixed SMTP server and using that.
I say it like it addresses your concern.
Well, if you've got proper forward and reverse DNS, and your portable SMTP server identifies itself properly, and you are using networks that don't filter outbound port 25, AND you have DKIM configured correctly and aren't using it for a situation for which it is inappropriate, then you'll get the same results with a portable SMTP server that you would sending through a properly configured static server.
So, no, "use DKIM" does not address the delivery difficulties inherent to using a portable SMTP server.
My how the goalposts are moving. DKIM solves the problem of producing a stable identifier for a mail stream, which is what your originally positioned goalposts were asking for. It also makes reverse dns lookups even more useless than they already are.
Mike
On 09/05/2012 12:50 PM, Daniel Taylor wrote:
On 09/05/2012 10:19 AM, Michael Thomas wrote:
On 09/05/2012 05:56 AM, Daniel Taylor wrote:
On 09/04/2012 03:52 PM, Michael Thomas wrote:
On 09/04/2012 09:34 AM, Daniel Taylor wrote:
If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we supposed to pick you out from spammers that do the same?
Use DKIM. You say that like it's a lower bar than setting up a fixed SMTP server and using that.
I say it like it addresses your concern.
Well, if you've got proper forward and reverse DNS, and your portable SMTP server identifies itself properly, and you are using networks that don't filter outbound port 25, AND you have DKIM configured correctly and aren't using it for a situation for which it is inappropriate, then you'll get the same results with a portable SMTP server that you would sending through a properly configured static server.
So, no, "use DKIM" does not address the delivery difficulties inherent to using a portable SMTP server.
My how the goalposts are moving. DKIM solves the problem of producing a stable identifier for a mail stream, which is what your originally positioned goalposts were asking for. It also makes reverse dns lookups even more useless than they already are.
On 09/05/2012 03:01 PM, Michael Thomas wrote:
"Use your MX or SPF senders as your outbound mail agent, especially if they are properly configured with full DNS records so we can tell they are the correct machines to be sending on your behalf, or expect that you will get more mail bounced and lost than the average user because you are being unpredictable and unverifiable."
That you so conveniently trimmed from the post that you replied to. Just putting the goalposts back where I left them.
Proper DNS configuration is essential to reliable SMTP delivery. SPF and DKIM can help ensure you don't get mistakenly tagged as a spammer, but they are no substitute for proper technical configuration of your mail server, and you don't get proper configuration if you are using other people's networks.
-- Daniel Taylor VP Operations Vocal Laboratories, Inc dtaylor@vocalabs.com 952-941-6580x203
Well, if you've got proper forward and reverse DNS, and your portable SMTP server identifies itself properly, and you are using networks that don't filter outbound port 25, AND you have DKIM configured correctly and aren't using it for a situation for which it is inappropriate, then you'll get the same results with a portable SMTP server that you would sending through a properly configured static server.
Not really. Large mail systems like Gmail and Yahoo have a pretty good map of the IPv4 address space. If you're sending from a residential DSL or cable modem range, they'll likely reject any mail you send directly no matter what you do.
R's,
John
On 05 Sep 2012 23:07:07 -0000, "John Levine" said:
Not really. Large mail systems like Gmail and Yahoo have a pretty good map of the IPv4 address space. If you're sending from a residential DSL or cable modem range, they'll likely reject any mail you send directly no matter what you do.
Which is why I finally gave up and speak to an 800 pound gorilla on port 587, because nobody dares to mess with that gorilla's port 587 so my laptop can always get mail sent. :)
On Sep 5, 2012, at 19:07, John Levine wrote:
Not really. Large mail systems like Gmail and Yahoo have a pretty good map of the IPv4 address space. If you're sending from a residential DSL or cable modem range, they'll likely reject any mail you send directly no matter what you do.
While I've clearly been on the side of "don't expect this to work", "why do you have your laptop set up like that?", and defending the default-blocking behavior on outbound, this is not true at least for Gmail. I have a test Asterisk box which I've been really lazy about setting up properly that successfully sends status messages from my home cable modem to my Gmail-hosted personal domain every day, even getting through with a completely bogus source address. It's never even been flagged as possible spam. Maybe Gmail does more detailed analysis of some kind and sees that I'm also checking my email from the same IP that's sending these messages, I don't know, but they are not just blocking anything coming in from a random cable IP. I'll bet it raises the "spam likelihood" or whatever as it probably should, but it's not a total block.
---
Sean Harlow
sean@seanharlow.info
On 9/5/12, Sean Harlow <sean@seanharlow.info> wrote:
While I've clearly been on the side of "don't expect this to work", "why do you have your laptop set up like that?", and defending the default-blocking behavior on outbound, this is not true at least for Gmail. I have a test Asterisk box which I've been really lazy about setting up properly that
I would still file it under... yes, there will probably be many mail hosts you can contact that way. It will be understandable if many block it, but they don't have to. If they give you a smart host, then you should use that. End-to-End doesn't imply control of the routing in-between smtp origin and destination.
It will also be understandable if the ISP blocks outbound port 25, but they don't have to. Personally I would rather they not -- blocking port 25 doesn't make the underlying problem go away; it's just a way of "hiding the problem", so the ISP isn't pestered about it. By blocking port 25, the ISP doesn't receive a spam complaint for blocked non-legit activity, so they have fewer network abuse reports to deal with. Fewer users to turn off = fewer angered users switching to other providers (even if turning off the user in response to spam will help the user, by alerting them to their compromised computer).
End users having to use a smart relay host increases latency and introduces a point of failure (ISP mail relay can fail or perform unacceptably even when the network has no issues). If you have the intelligence on your laptop to properly contact MX hosts, the restriction can be a hindrance, and it is difficult to justify. The ISP could block port 25 on report of abuse; but I suppose... incident handlers' time reading abuse reports = $$$
Once the large ISPs do the math, it is understandable if their ISP organizations' management eventually opts to block port 25. For the ones who didn't choose to do that, presumably sufficient users complained or they feared the competition would be strengthened or charged with their unpopular choice.
My idealistic preference would be the ISP allows outbound port 25, but is highly responsive to abuse complaints; that way, the problem will be corrected, instead of festering, until some day the laptop gets plugged into some network that happens to allow the port.
Or spreads the infection, because of the port 25 block, the problem goes undetected and contributes to making the overall problem worse. Just because a compromised host can't connect on port 25 doesn't mean it is not a significant contribution to the problem. Spreading infection via other vectors; spamming via other vectors such as IM, forum posts, HTTP contact/feedback forms... There are plenty of abusive non-port-25 activities that ultimately facilitate spamming.
--
-JH
My idealistic preference would be the ISP allows outbound port 25, but are highly responsive to abuse complaints;
My idealistic preference is that ISPs not let their botted customers fill everyone's inbox with garbage. Why do you think that blocking port 25 precludes logging what they block, and dealing with customers whose traffic shows that they're botted?
R's,
John