On 2021-07-19 at 17:27:58 UTC-0400 (Mon, 19 Jul 2021 23:27:58 +0200)
Slavko via mailop <li...@slavino.sk>
is rumored to have said:

Hi,

> On Sun, 18 Jul 2021 13:56:18 -0400 Bill Cole via mailop
> <mailop@mailop.org> wrote:

>>> The only usable way seems to be GeoIP blocking of countries, but I am
>>> afraid that it is the wrong way.

>> Why?

> Hard to describe it in English for me, but I will try.

> I consider blocking access by country as discriminating against all honest
> people in a particular country. One can be surprised, but my long-term
> country stats show that the worst countries are the USA and Germany, and no,
> China is not even in the top 10. Yes, my stats are skewed by blocking from
> blocklist.de, which seems to catch about 50 % of abusive access, and
> those never reach the server, thus are missing from those stats, but
> anyway... And yes, I have my own country in my stats too, though far
> away from the top.

I am doing no one in Europe any injury by not accepting connections to ports 465, 587, 993, and 995 from the European networks from which I've had authentication attacks. It isn't something the millions of innocent honest Europeans will ever notice, because none of them have any legitimate reason to make any sort of connection to those ports. I do not offer anyone based in Europe or Asia or South America or Africa any form of mail submission, POP, or IMAP service, so no one who is blocked from those ports for essentially geographic reasons is in any way affected by that blocking.

> Second, blocking by country breaks the main Internet purpose -- connecting
> the whole world together.

I also do not allow the world as a whole to connect to port 22 on any of my systems and for the very few networks that I do allow to try, I require that they have a valid authorized SSH key for a user whose account is enabled for login. Neither that nor my restrictions on access to any other authenticated services impede my connectivity to the whole world. I also don't operate any open mail relays, and that also is not an injury to universal communication.

> Finally, blocking by country seems the simplest solution. But many
> (if not all) simplest solutions are not good solutions either. They are
> only the simplest. Does one remember one of the simplest solutions in the past
> -- cutting off burglars' hands? It solved nothing...

Blocking access to services that require authentication at the network/transport layer from networks which never have been and never will be the sources of legitimate access injures no one.

>> If you have no users who need to authenticate from a particular
>> network, there's no need to allow access from that network. If
>> knowing where a network is based helps you make an accurate
>> estimation of whether access from that network is needed, what's
>> wrong with that?

> It is the year 2021 here; people are not slaves nor vassals, they are free
> to travel, they use VPSs, VPNs, proxies, etc. for good purposes, not only to
> hide their abusive behaviour. I do not want to limit nor to spy on them,
> especially when they are family or friends. They must be free to use
> services from anywhere, and it does not matter if they need this or not.

That's all quite hypothetical. As a practical matter, eliminating the overwhelming majority of authentication attacks by wholesale blocking of problematic networks with geography as one of many decision factors is relatively easy to do without causing legitimate users any meaningful problems.

>> On one small mail server I manage, I have 346 IPv4 networks blocked
>> from all ports that expose any password-based authentication, with
>> some of those being /6 networks.

> I am not afraid to block whole network blocks (even countries), but it
> must have a good reason AND must be a short-term solution. Once again, in
> most network blocks there are honest people; even clouds (VPS) are used by
> honest people too.

And in this specific case, there is no overlap between the good honest people using mobile phone networks and cloud providers in China or OVH in Europe or government systems in Brazil and the good honest people who have reasons to use my personal mail server for initial mail submission, POP, IMAP, or SSH. If and when there is some overlap, I'm sure the support effort to solve the difficulty will be minimal.

> Consider why RBLs, which block whole network blocks (and the people
> who use them), are so often criticised, not only in this list's history. Why
> people complain (again not only in this list) about mail providers
> which reject mails only due to bad neighbours, etc., etc...

Irrelevant. I'm not advocating that anyone apply the same criteria to block inbound mail (i.e. port 25) as to block access to authenticated services. That would be silly.

> Yes, one can say that even behind one IP there can be honest people too, and
> will be right. In an ideal world we would be able to distinguish them;
> unfortunately we are living in the real world, not an ideal one. In an ideal
> world they would all have a unique IP (no, IPv6 will not solve it); until then we
> have to live with this limitation, but we must not make things even
> worse...

There is no such thing as an honest person attempting to use any authenticated service which I offer to my users on the small system I referred to from a VPS hosted in Europe by a company that does not do business in English. There could someday be such a thing, in theory, but I do not live in theory. In the real world, I also manage systems with European users, and the blocking on those systems is different from the blocking on my personal system. However, they both won't allow logins to IMAP or mail submission from a couple of large networks in Kazakhstan.

> That is why we have spam-checking software, brute-force guards and
> similar solutions. Their purpose is to distinguish honest access from
> abusive on a per-case basis, not by its origin.

Spam detection is a totally different thing. It is extremely common for networks or even individual IP addresses to offer a mix of "spam" and "ham" in inbound mail (i.e. port 25 traffic, unauthenticated.) It is uncommon for an IP address to be the source of multiple authentication attempts against services requiring authentication without them all being legitimate or all being illegitimate. It is even uncommon for many addresses in one identifiable network to be a mix of good and bad actors, when it comes to mail services requiring authentication. It is not impossible for there to be mixed sources, it is just very rare.

Simply put: if you see bad authentication attempts from a network in a country from which you've never had a good authentication attempt, it is generally safe to block authentication attempts from that network entirely. This is unrelated to whether or not you accept any particular piece of mail from the same source network and/or country.

> Once again, no: simplest solutions are only rarely good solutions
> at once.

> (I hope that I wrote this properly in English...)

Your English is fine. Far better than my Slovak could ever be.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
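Bill's rule from the reply above (block the password-authenticated ports, never port 25, for networks that have only ever produced failed logins) worked through as an added example; it is not code from either poster. The simplified log format, the sample lines and the /24 aggregation are constructed assumptions, and the emitted nftables rules are illustrative output rather than a configuration anyone on the list posted.

```python
import ipaddress
import re
from collections import defaultdict

# Ports that expose password-based authentication, as listed in the thread.
# Port 25 is deliberately absent: inbound mail is judged per message, not per network.
AUTH_PORTS = (22, 465, 587, 993, 995)

# Constructed sample log lines (not real data) in an assumed simplified format:
# "<service> <result> <client-ip>"
SAMPLE_LOG = """\
imap login-failed 203.0.113.10
imap login-failed 203.0.113.44
submission login-failed 203.0.113.71
ssh login-failed 198.51.100.5
imap login-ok 198.51.100.9
pop3 login-failed 192.0.2.200
imap login-ok 192.0.2.201
submission login-failed 192.0.2.202
"""

LINE_RE = re.compile(r"^(\S+) (login-ok|login-failed) (\S+)$")

def summarize(log: str, prefix: int = 24):
    """Return {network: (failures, successes)} aggregated per IPv4 /prefix."""
    stats = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _, result, ip = m.groups()
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        stats[net][0 if result == "login-failed" else 1] += 1
    return {net: tuple(v) for net, v in stats.items()}

def block_candidates(log: str, prefix: int = 24, min_failures: int = 1):
    """Networks with failed logins and no successful login at all (the rule above)."""
    return sorted(net for net, (fails, oks) in summarize(log, prefix).items()
                  if fails >= min_failures and oks == 0)

def nft_rules(nets, table="inet filter", chain="input"):
    """Render nftables rules dropping only the auth ports for each network."""
    ports = ", ".join(str(p) for p in AUTH_PORTS)
    return [f"add rule {table} {chain} ip saddr {net} tcp dport {{ {ports} }} drop"
            for net in nets]

if __name__ == "__main__":
    for rule in nft_rules(block_candidates(SAMPLE_LOG)):
        print(rule)
```

A network with even one successful login (198.51.100.0/24 and 192.0.2.0/24 in the sample) is left alone, which is the distinction the reply draws between blocking authenticated services and filtering inbound mail.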
