Re: Deny MX queries for dynamic IP pools
Dear Wael, In what way is blocking Port 25 any worse than blocking MX/root queries for clients? Both solutions neglect the fact, that spam is not a technical problem. Some ISPs think it is a good idea to forward you to a search web page, when you mispell some URL, this is done via DNS. Obviously, if the customer dislikes this, the customer will (and can) use his/her own recursor, stupidity of ISP solved - if the ISP would prevent the customer from doing this, the customer might not be a customer any longer. Just my 2 cents. -Sven On Sun, January 31, 2010 14:25, Wael Shaheen wrote: > Dear DNS Experts, > > This post is intended for discussion. > > The ISP I work for has HUGE dynamic IP pools that are full of spammers (of > course). This huge volume of spam is actually influencing the decision for > some of the international providerĀ¹s whether to give us links or not let > alone the bad reputation and RBLs listing etc... > As a solution the routing team was thinking to block port 25 for outgoing > as > some ISPs do. However, I do not see this to be a valid solution for many > reasons such as clients that have email servers outside, or if decided to > be > redirected to spam filters then that will just cost the company too much. > > Luckily we have two set of DNS server farms; one that is serving static IP > users and one that is dedicated only for dynamic IP users. The idea I have > proposed is to deny these dynamic users from performing MX queries. > > So instead of blocking port 25 we can redirect the DNS port to the DNS > farm > that is dedicated for dynamic users, that will guarantee that no standard > DNS port forwarded queries are going to external servers. Then we will > block > the MX and root queries for those dynamic clients. > That will prevent them from using a locally installed DNS service on their > machines or query MX records for targets they want to send spam to. > > Of course there will still be some challenges like if some spammers know > the > A record of the mail server they want to connect to or if they used the IP > address of the targeted mail server also if they used open dns that works > on > non-standard ports, but then again I believe these users will stand out > and > will be identified more easily. > > I would appreciate any comments you may have. > > Sincerely, > Wael > > > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
To me this seems to be a firewall/routing issue. If you know for sure that some IP is sending spam, if you can not stop them, then at least you can block their outgoing access to port 25. Alternatively and maybe better arrange for a proxy server to do filtering and discard spam. The proxy solution is actually used many places and works reasonably well also for non-spammers. Sven Eschenberg wrote: > Dear Wael, > > In what way is blocking Port 25 any worse than blocking MX/root queries > for clients? Both solutions neglect the fact, that spam is not a technical > problem. > Some ISPs think it is a good idea to forward you to a search web page, > when you mispell some URL, this is done via DNS. Obviously, if the > customer dislikes this, the customer will (and can) use his/her own > recursor, stupidity of ISP solved - if the ISP would prevent the customer > from doing this, the customer might not be a customer any longer. > > Just my 2 cents. > > -Sven > > > On Sun, January 31, 2010 14:25, Wael Shaheen wrote: > >> Dear DNS Experts, >> >> This post is intended for discussion. >> >> The ISP I work for has HUGE dynamic IP pools that are full of spammers (of >> course). This huge volume of spam is actually influencing the decision for >> some of the international providerĀ¹s whether to give us links or not let >> alone the bad reputation and RBLs listing etc... >> As a solution the routing team was thinking to block port 25 for outgoing >> as >> some ISPs do. However, I do not see this to be a valid solution for many >> reasons such as clients that have email servers outside, or if decided to >> be >> redirected to spam filters then that will just cost the company too much. >> >> Luckily we have two set of DNS server farms; one that is serving static IP >> users and one that is dedicated only for dynamic IP users. The idea I have >> proposed is to deny these dynamic users from performing MX queries. >> >> So instead of blocking port 25 we can redirect the DNS port to the DNS >> farm >> that is dedicated for dynamic users, that will guarantee that no standard >> DNS port forwarded queries are going to external servers. Then we will >> block >> the MX and root queries for those dynamic clients. >> That will prevent them from using a locally installed DNS service on their >> machines or query MX records for targets they want to send spam to. >> >> Of course there will still be some challenges like if some spammers know >> the >> A record of the mail server they want to connect to or if they used the IP >> address of the targeted mail server also if they used open dns that works >> on >> non-standard ports, but then again I believe these users will stand out >> and >> will be identified more easily. >> >> I would appreciate any comments you may have. >> >> Sincerely, >> Wael >> >> >> ___ >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users >> >> > > > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > -- Best regards Sten Carlsen No improvements come from shouting: "MALE BOVINE MANURE!!!" ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
Hi, On 1/31/10 5:17 PM, "Sven Eschenberg" wrote: > Dear Wael, > > In what way is blocking Port 25 any worse than blocking MX/root queries > for clients? Both solutions neglect the fact, that spam is not a technical > problem. This spam issue is major for DSPs and large ISPs. Their reputation is key in acquiring connections from some major international providers. This brings the issue to a very high priority for connectivity is the most important part. Blocking port 25 is much worse IMHO because it forces users out of the service, by restricting their ability to use their own mail servers that can be hosted externally. I believe good mail administrators will force SMTPS which uses a different port but then again a lot wont, and hence blocking SMTP service will deny all of these users from accessing their email servers and most of these users are not technically educated enough to find a workaround. On the other hand denying the dynamic user MX/root queries will affect users that have installed mail servers on their systems or otherwise infected and both of these scenarios are illegal for dynamically assigned IPs. > Some ISPs think it is a good idea to forward you to a search web page, > when you mispell some URL, this is done via DNS. Obviously, if the > customer dislikes this, the customer will (and can) use his/her own > recursor, We do not redirect users if they misspelled their destinations and we do not manipulate DNS replies in any way. Some users may choose to use their own installed DNS service, but then again if your service provider has a stable DNS service and a good and stable internet connection then would that overcome this disadvantage? At the end I think that something has to be sacrificed. Sincerely, Wael Shaheen ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
Hi, On 1/31/10 5:28 PM, "Sten Carlsen" wrote: > To me this seems to be a firewall/routing issue. If you know for sure > that some IP is sending spam, if you can not stop them, then at least > you can block their outgoing access to port 25. Most of the RBLs list dynamic IP addresses for they should not be sending emails whatsoever in most cases. Identifying the the origin of the spam in huge networks with thousands of compromised machines is not an easy task and blocking the port 25 based on that network analysis will produce false positives for these are dynamically assigned IP addresses and will change with every time the user connects. > > Alternatively and maybe better arrange for a proxy server to do > filtering and discard spam. The proxy solution is actually used many > places and works reasonably well also for non-spammers. The email proxy can work in many places but I am not sure it would in a DSP, or a big ISP. If you want to cope with the email volume that is being generated by hundreds of thousands of clients then you will need to build a monster solution. Not only that, you also may cause your users legitimate emails to be rejected or flagged as SPAM for they will be sent from a destination other than their email server. Regards, Wael ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
At 05:25 31-01-10, Wael Shaheen wrote: As a solution the routing team was thinking to block port 25 for outgoing as some ISPs do. However, I do not see this to be a valid solution for many reasons such as clients that have email servers outside, or if decided to be redirected to spam filters then that will just cost the company too much. Mail submission is done over port 587 and not port 25. Luckily we have two set of DNS server farms; one that is serving static IP users and one that is dedicated only for dynamic IP users. The idea I have proposed is to deny these dynamic users from performing MX queries. So instead of blocking port 25 we can redirect the DNS port to the DNS farm that is dedicated for dynamic users, that will guarantee that no standard DNS port forwarded queries are going to external servers. Then we will block the MX and root queries for those dynamic clients. That will prevent them from using a locally installed DNS service on their machines or query MX records for targets they want to send spam to. That can be bypassed as you explained below. Of course there will still be some challenges like if some spammers know the A record of the mail server they want to connect to or if they used the IP address of the targeted mail server also if they used open dns that works on non-standard ports, but then again I believe these users will stand out and will be identified more easily. The idea is another variation of the walled garden. You could look into doing traffic flow analysis and using feedback reports to identify the source of the abuse. Regards, -sm ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
On Sun, Jan 31, 2010 at 8:25 AM, Wael Shaheen wrote: > As a solution the routing team was thinking to block port 25 for outgoing as > some ISPs do. However, I do not see this to be a valid solution for many > reasons such as clients that have email servers outside, or if decided to be > redirected to spam filters then that will just cost the company too much. > > Luckily we have two set of DNS server farms; one that is serving static IP > users and one that is dedicated only for dynamic IP users. The idea I have > proposed is to deny these dynamic users from performing MX queries. Perhaps you may want to join mailops or one of the other mail admin lists. IMO, this problem (reducing spam emitted from your company's network) isn't one DNS should be used to "fix". I believe that people on mail admin forums would be able to share current best current practices for ISPs/NSPs in your situation. -- HTH, YMMV, HANW :) Jason The path to enlightenment is /usr/bin/enlightenment. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
In message , Wael Shaheen writes: > Dear DNS Experts, > > This post is intended for discussion. > > The ISP I work for has HUGE dynamic IP pools that are full of spammers (of > course). This huge volume of spam is actually influencing the decision for > some of the international provider=B9s whether to give us links or not let > alone the bad reputation and RBLs listing etc... > As a solution the routing team was thinking to block port 25 for outgoing as > some ISPs do. However, I do not see this to be a valid solution for many > reasons such as clients that have email servers outside, or if decided to be > redirected to spam filters then that will just cost the company too much. > > Luckily we have two set of DNS server farms; one that is serving static IP > users and one that is dedicated only for dynamic IP users. The idea I have > proposed is to deny these dynamic users from performing MX queries. > > So instead of blocking port 25 we can redirect the DNS port to the DNS farm > that is dedicated for dynamic users, that will guarantee that no standard > DNS port forwarded queries are going to external servers. Then we will block > the MX and root queries for those dynamic clients. > That will prevent them from using a locally installed DNS service on their > machines or query MX records for targets they want to send spam to. > > Of course there will still be some challenges like if some spammers know the > A record of the mail server they want to connect to or if they used the IP > address of the targeted mail server also if they used open dns that works on > non-standard ports, but then again I believe these users will stand out and > will be identified more easily. > > I would appreciate any comments you may have. > > Sincerely, > Wael > > > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users Firstly, cleanup / quarantine the machines that are spamming. This is the best thing you can do. A machine that is spamming is compromised and a compromised machine can do anything. Secondly, don't block the MX queries. MUAs can and do perform MX queries to check that addresses are valid before attempting to send anything. Thirdly, if you do block SMTP do it fully (traffic to and from port 25) and provide a mechanism to optout. If you publish, or provide information to those that publish, blocking lists ensure that they reflect the optout status of any IP address that has opted out. Blocking SMTP traffic is only masking the symptoms of the infection. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
Firstly, I feel this really belongs on mailops not bind list :) secondly... On Mon, 2010-02-01 at 00:00 +0300, Wael Shaheen wrote: > Blocking port 25 is much worse IMHO because it forces users out of the > service, by restricting their ability to use their own mail servers that can > be hosted externally. I believe good mail administrators will force SMTPS The bigger question is why are you not blocking, suspending, or terminating the accounts of those who you know are spamming, be it deliberate, or not (as the end result is the same) Cheers ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
On 1/31/2010 4:18 PM, SM wrote: At 05:25 31-01-10, Wael Shaheen wrote: As a solution the routing team was thinking to block port 25 for outgoing as some ISPs do. However, I do not see this to be a valid solution for many reasons such as clients that have email servers outside, or if decided to be redirected to spam filters then that will just cost the company too much. Mail submission is done over port 587 and not port 25. MTA-to-MTA traffic uses port 25. Also, older MUAs will still often use port 25 even for message submission, and so will spammers, if they think it will help them bypass anti-spam protections built into the MSA. - Kevin ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
>> At 05:25 31-01-10, Wael Shaheen wrote: >>> As a solution the routing team was thinking to block port 25 for >>> outgoing as some ISPs do. However, I do not see this to be a valid >>> solution for many reasons such as clients that have email servers >>> outside, or if decided to be redirected to spam filters then that will >>> just cost the company too much. > On 1/31/2010 4:18 PM, SM wrote: >> Mail submission is done over port 587 and not port 25. On 01.02.10 13:29, Kevin Darcy wrote: > MTA-to-MTA traffic uses port 25. > Also, older MUAs will still often use port 25 even for message > submission, and so will spammers, if they think it will help them bypass > anti-spam protections built into the MSA. those are exactly the reasons why some ISPs block port 25 access. however this is really off-topic here. and I think DNS is really bad place to solve this problem, as it is for failover switching and helping http clients to find out correct site in case of mistake. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. A day without sunshine is like, night. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
Noel Butler wrote: > Firstly, I feel this really belongs on mailops not bind list :) > secondly... > > On Mon, 2010-02-01 at 00:00 +0300, Wael Shaheen wrote: > >> Blocking port 25 is much worse IMHO because it forces users out of the >> service, by restricting their ability to use their own mail servers that can >> be hosted externally. I believe good mail administrators will force SMTPS Blocking DNS belongs here. I don't think blocking DNS is a good idea. You are blocking access to zones using strictly internal DNS that is not published but only AXFRed and you are blocking alternative DNS. In germany alternative DNS is a must as many ISPs are stumbling over their own feet when implementing or testing censoring. Maybe some of the DNS blackouts here have been DNSSEC as well. Oh, how about DNSSEC? How do you handle signatures? And you are breaking dnsbl because dnsbl is DNS at an alternative address. So some of your clients might accidently drop all mail as spam and it takes long to find such a bug if somebody else does maintain the mailer. > > The bigger question is why are you not blocking, suspending, or > terminating the accounts of those who you know are spamming, be it > deliberate, or not (as the end result is the same) > > Cheers > > Cheers Peter and Karin -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Rimbacher Strasse 16 D-69509 Moerlenbach-Bonsweiher +49(6209)795-816 (Telekom) +49(6252)750-308 (VoIP: sipgate.de) mail: pe...@peter-dambier.de http://www.peter-dambier.de/ http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/ ULA= fd80:4ce1:c66a::/48 ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
There have been quite some posts since my first answer to Wael. I just wanted to rephrase some stuff etc. On Tue, February 2, 2010 00:43, Peter Dambier wrote: > Noel Butler wrote: >> Firstly, I feel this really belongs on mailops not bind list :) >> secondly... >> >> On Mon, 2010-02-01 at 00:00 +0300, Wael Shaheen wrote: >> >>> Blocking port 25 is much worse IMHO because it forces users out of the >>> service, by restricting their ability to use their own mail servers >>> that can >>> be hosted externally. I believe good mail administrators will force >>> SMTPS > > Blocking DNS belongs here. > > I don't think blocking DNS is a good idea. You are blocking access to > zones using strictly internal DNS that is not published but only AXFRed > and you are blocking alternative DNS. In germany alternative DNS is a > must as many ISPs are stumbling over their own feet when implementing or > testing censoring. Maybe some of the DNS blackouts here have been DNSSEC > as well. Dear fellow pirate, the local situation in Germany might not be relevant here for Wael, esp. if he works at some ISP and there are no plans to manipulate DNS otherwise. Yet I do agree as I stated in my first post, I don't think, filtering/blocking/modifying requests in any way whatsoever is an appropriate approach to a non-technical problem (as I said before). Let it be DNS or directly blocking port 25. Here we do block port 25 within our own network - to put it in short, if a customer thinks this policiy is appropriate, let the customer deploy it, don't do the customers job and don't give the customer options of taking legal actions because you break the customers setups. > > Oh, how about DNSSEC? > > How do you handle signatures? > > And you are breaking dnsbl because dnsbl is DNS at an alternative > address. So some of your clients might accidently drop all mail > as spam and it takes long to find such a bug if somebody else > does maintain the mailer. That is indeed true, I did forget about those in my first post. That brings me back to my first argument: Don'T use technical methods for a non technical problem, there many good reasons not to do this. > >> >> The bigger question is why are you not blocking, suspending, or >> terminating the accounts of those who you know are spamming, be it >> deliberate, or not (as the end result is the same) >> >> Cheers >> >> > > Cheers > Peter and Karin > > > -- > Peter and Karin Dambier > Cesidian Root - Radice Cesidiana > Rimbacher Strasse 16 > D-69509 Moerlenbach-Bonsweiher > +49(6209)795-816 (Telekom) > +49(6252)750-308 (VoIP: sipgate.de) > mail: pe...@peter-dambier.de > http://www.peter-dambier.de/ > http://iason.site.voila.fr/ > https://sourceforge.net/projects/iason/ > ULA= fd80:4ce1:c66a::/48 > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > Now Andrew said it pretty catchy already, let me rephrase my thoughts: Why do you want to use some technical approach like filtering/blocking, to solve a social problem. You as an ISP should have an agreement/contract with your customers. It's the right place, to enforce, that customers take action against spam. If they do not comply, willingly or due to incompetence, it is at your hand, to disconnect them and terminate the agreement, if necessary. And of course you can take additional legal action when needed. This is just plain simple social engineering and imho the only valid solution. Wael, you said something about mail hosts on dynamic IP Pools being 'illegal' - If it is under your jurisdictional system, well, you already had the answer/solution, to all your problems, if not, work out an appropriate contract. Regards -Sven ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
Dear All, Thank you for the valuable comments to this post. Sincerely, Wael On 2/2/10 4:26 AM, "Sven Eschenberg" wrote: > There have been quite some posts since my first answer to Wael. > I just wanted to rephrase some stuff etc. > > On Tue, February 2, 2010 00:43, Peter Dambier wrote: >> Noel Butler wrote: >>> Firstly, I feel this really belongs on mailops not bind list :) >>> secondly... >>> >>> On Mon, 2010-02-01 at 00:00 +0300, Wael Shaheen wrote: >>> Blocking port 25 is much worse IMHO because it forces users out of the service, by restricting their ability to use their own mail servers that can be hosted externally. I believe good mail administrators will force SMTPS >> >> Blocking DNS belongs here. >> >> I don't think blocking DNS is a good idea. You are blocking access to >> zones using strictly internal DNS that is not published but only AXFRed >> and you are blocking alternative DNS. In germany alternative DNS is a >> must as many ISPs are stumbling over their own feet when implementing or >> testing censoring. Maybe some of the DNS blackouts here have been DNSSEC >> as well. > > Dear fellow pirate, the local situation in Germany might not be relevant > here for Wael, esp. if he works at some ISP and there are no plans to > manipulate DNS otherwise. Yet I do agree as I stated in my first post, I > don't think, filtering/blocking/modifying requests in any way whatsoever > is an appropriate approach to a non-technical problem (as I said before). > Let it be DNS or directly blocking port 25. Here we do block port 25 > within our own network - to put it in short, if a customer thinks this > policiy is appropriate, let the customer deploy it, don't do the customers > job and don't give the customer options of taking legal actions because > you break the customers setups. > >> >> Oh, how about DNSSEC? >> >> How do you handle signatures? >> >> And you are breaking dnsbl because dnsbl is DNS at an alternative >> address. So some of your clients might accidently drop all mail >> as spam and it takes long to find such a bug if somebody else >> does maintain the mailer. > > That is indeed true, I did forget about those in my first post. That > brings me back to my first argument: Don'T use technical methods for a non > technical problem, there many good reasons not to do this. > >> >>> >>> The bigger question is why are you not blocking, suspending, or >>> terminating the accounts of those who you know are spamming, be it >>> deliberate, or not (as the end result is the same) >>> >>> Cheers >>> >>> >> >> Cheers >> Peter and Karin >> >> >> -- >> Peter and Karin Dambier >> Cesidian Root - Radice Cesidiana >> Rimbacher Strasse 16 >> D-69509 Moerlenbach-Bonsweiher >> +49(6209)795-816 (Telekom) >> +49(6252)750-308 (VoIP: sipgate.de) >> mail: pe...@peter-dambier.de >> http://www.peter-dambier.de/ >> http://iason.site.voila.fr/ >> https://sourceforge.net/projects/iason/ >> ULA= fd80:4ce1:c66a::/48 >> ___ >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users >> > > Now Andrew said it pretty catchy already, let me rephrase my thoughts: Why > do you want to use some technical approach like filtering/blocking, to > solve a social problem. You as an ISP should have an agreement/contract > with your customers. It's the right place, to enforce, that customers take > action against spam. If they do not comply, willingly or due to > incompetence, it is at your hand, to disconnect them and terminate the > agreement, if necessary. And of course you can take additional legal > action when needed. This is just plain simple social engineering and imho > the only valid solution. > > Wael, you said something about mail hosts on dynamic IP Pools being > 'illegal' - If it is under your jurisdictional system, well, you already > had the answer/solution, to all your problems, if not, work out an > appropriate contract. > > Regards > > -Sven > > > > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
