Re: Anti-spam System Idea
Tim Thorpe wrote:
> Seeing as this system would directly impact network operators (the NO in naNOg) I must disagree.

Go right ahead and disagree, however: http://www.nanog.org/listfaq.html

> If Merit's staff feels otherwise then I sincerely apologize and will of course move the discussion, I will limit the out of context chatter to a minimum however.

Merit's staff DOES feel otherwise; it's just been the weekend and all, or you'd have heard from Susan by now.

Oh, and PUH-LEEZE -- trim your posts. I deleted a bazillion lines of unnecessary cruft from this.
Re: Anti-spam System Idea
On Sun, 15 Feb 2004 22:00:08 CST, Stephen Sprunk said:
> For those interested, the IRTF's ASRG is actively studying anti-spam
> techniques and I'm sure they'd be interested in hearing all of your ideas
> (after you verify they haven't been tried before).
> http://www.irtf.org/charters/asrg.html

Also read: http://www.rhyolite.com/anti-spam/you-might-be.html

It's quite vicious but true - if you have re-invented one of the schemes mentioned in there, it probably won't be well received unless you include with it *both* of the following:

a) An indication that you've read and understood the literature describing why the idea was shot down the last time it was suggested.

b) A *new* way of dealing with the issue that eliminates the difficulty.
RE: Anti-spam System Idea
Seeing as this system would directly impact network operators (the NO in naNOg) I must disagree.

If Merit's staff feels otherwise then I sincerely apologize and will of course move the discussion, I will limit the out of context chatter to a minimum however.

Tthorpe
opusnet

> -----Original Message-----
> From: Stephen Sprunk [mailto:[EMAIL PROTECTED]
> Sent: Sunday, February 15, 2004 8:00 PM
> To: Tim Thorpe
> Cc: North American Noise and Off-topic Gripes
> Subject: Re: Anti-spam System Idea
>
> This topic has been consistently ruled off-topic for NANOG by Merit's staff.
> Please respect those of us who don't want to hear about spam here.
>
> For those interested, the IRTF's ASRG is actively studying anti-spam
> techniques and I'm sure they'd be interested in hearing all of your ideas
> (after you verify they haven't been tried before).
> http://www.irtf.org/charters/asrg.html
>
> S
>
> Stephen Sprunk        "Stupid people surround themselves with smart
> CCIE #3723            people. Smart people surround themselves with
> K5SSS                 smart people who disagree with them." --Aaron Sorkin
>
> ----- Original Message -----
> From: "Tim Thorpe" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, 14 February, 2004 02:30
> Subject: Anti-spam System Idea
>
> > I wanted to run this past you to see what you thought of it and get some
> > feedback on pro's and cons of this type of system.
> >
> > I have been thinking recently about the ever increasing amount of spam that
> > is flooding the internet, clogging mail servers, and in general pissing us
> > all off.
> >
> > I think it's time to do something about it. Very few systems are effective at
> > blocking spam at the server level, and the ones that exist have a less than
> > stellar reputation and are not very effective on top of that.
> >
> > 95% of spam comes through relays and its headers are forged; tracking an
> > E-mail back that you've received is becoming next to impossible, it's also
> > very time consuming and why waste your time on scumbags?
> >
> > My idea:
> > a DC network that actively scans for active relays and tests them, it
> > compiles a list on a daily basis of compromised IP addresses (or even
> > addresses that are willingly allowing the relay) making this list freely
> > available to ISPs via a secure and tracked site.
> >
> > To test a relay you actually have to send mail through it, I have a solution
> > for this as well, the clients are set to e-mail a certain address that
> > changes daily; the E-mails are signed with a crypto key to verify
> > authenticity (that way spammers can't abuse the address; if it doesn't have
> > the key, it gets canned).
> >
> > Work with ISP's to correct issues on their network, help completely black
> > list IP's from their network that are operating as an open relay and
> > redirect to a page that alerts them of the compromise and solutions to fix
> > the problem. The only way people are going to become aware of security
> > issues such as this is if something happens that wakes them up; if they
> > can't access a % of the web it would hopefully clue them in.
> >
> > Because these scans only need to take place once per IP per day and over a
> > large distribution of computers performing the tests, I don't see network
> > load becoming a big issue, no bigger than it currently is.
> >
> > The only way to fight spammers is to squeeze them out of hiding, and that's
> > what I hope this system would be designed to do.
> >
> > I do not have the coding knowledge to do this, I will need coders; I do have
> > the PR skills to work with ISPs. I am also working with my congresswoman to
> > pave the way for legal clearance for this program.
> >
> > I would greatly appreciate your input on this and anything I may have
> > overlooked. I would also like to know if this would be a DC program you
> > would run.
> >
> > A lot of people argue the practical application of DC. Although we know
> > differently, this project would show them what DC can do for them and wake
> > them up to perhaps other DC projects.
Re: Anti-spam System Idea
This topic has been consistently ruled off-topic for NANOG by Merit's staff. Please respect those of us who don't want to hear about spam here.

For those interested, the IRTF's ASRG is actively studying anti-spam techniques and I'm sure they'd be interested in hearing all of your ideas (after you verify they haven't been tried before).
http://www.irtf.org/charters/asrg.html

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723            people. Smart people surround themselves with
K5SSS                 smart people who disagree with them." --Aaron Sorkin

----- Original Message -----
From: "Tim Thorpe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, 14 February, 2004 02:30
Subject: Anti-spam System Idea

> I wanted to run this past you to see what you thought of it and get some
> feedback on pro's and cons of this type of system.
>
> I have been thinking recently about the ever increasing amount of spam that
> is flooding the internet, clogging mail servers, and in general pissing us
> all off.
>
> I think it's time to do something about it. Very few systems are effective at
> blocking spam at the server level, and the ones that exist have a less than
> stellar reputation and are not very effective on top of that.
>
> 95% of spam comes through relays and its headers are forged; tracking an
> E-mail back that you've received is becoming next to impossible, it's also
> very time consuming and why waste your time on scumbags?
>
> My idea:
> a DC network that actively scans for active relays and tests them, it
> compiles a list on a daily basis of compromised IP addresses (or even
> addresses that are willingly allowing the relay) making this list freely
> available to ISPs via a secure and tracked site.
>
> To test a relay you actually have to send mail through it, I have a solution
> for this as well, the clients are set to e-mail a certain address that
> changes daily; the E-mails are signed with a crypto key to verify
> authenticity (that way spammers can't abuse the address; if it doesn't have
> the key, it gets canned).
>
> Work with ISP's to correct issues on their network, help completely black
> list IP's from their network that are operating as an open relay and
> redirect to a page that alerts them of the compromise and solutions to fix
> the problem. The only way people are going to become aware of security
> issues such as this is if something happens that wakes them up; if they
> can't access a % of the web it would hopefully clue them in.
>
> Because these scans only need to take place once per IP per day and over a
> large distribution of computers performing the tests, I don't see network
> load becoming a big issue, no bigger than it currently is.
>
> The only way to fight spammers is to squeeze them out of hiding, and that's
> what I hope this system would be designed to do.
>
> I do not have the coding knowledge to do this, I will need coders; I do have
> the PR skills to work with ISPs. I am also working with my congresswoman to
> pave the way for legal clearance for this program.
>
> I would greatly appreciate your input on this and anything I may have
> overlooked. I would also like to know if this would be a DC program you
> would run.
>
> A lot of people argue the practical application of DC. Although we know
> differently, this project would show them what DC can do for them and wake
> them up to perhaps other DC projects.
Re: Anti-spam System Idea
On Sun, 15 Feb 2004, Sean Donelan wrote:
> "Most" ISPs prohibit any type of server on a DHCP connection?
>
> Some cable providers do this due to some limitations in their network
> architecture, but I would be surprised if "most" (i.e. more than 50%) ISPs
> prohibit servers. Why do you think DynDNS type services are so popular?
> So people can run servers on DHCP addresses. Peer-to-Peer is a very
> popular server used on mostly dynamic addresses.

Just because they're using our services doesn't mean their AUP doesn't say they're not supposed to. Charter and Comcast, two pretty good-sized cable MSOs, at least up here in the northeast, both prohibit not only any type of server, but the connection of any LAN/WAN that they don't operate. I'm pretty sure Verizon DSL prohibits any servers, though I don't think they explicitly ban LANs. (I guess that means I've violated the AUP of every provider I've used at home. Whoops.)

Forget about servers being prohibited, their AUPs even prohibit the use of those ever-so-popular NAT routers Linksys, D-Link, Netgear, and friends like to spew out. Does that stop people from buying and using them, though? Hell no.

I think the statement that most ISPs, oriented towards home use, anyway, prohibit servers is accurate. However, it isn't necessarily /relevant/, because I don't think many of them actively enforce that policy.

Tim Wilde

--
Tim Wilde [EMAIL PROTECTED]
Systems Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/
Re: Anti-spam System Idea
I have a different idea about how spam could be dealt with, which I have yet to see proposed or discussed on Nanog.

Everything suggested is always a technical patch trying to deal with the fact that spammers can make a lot of money. And, regardless of the patch you apply, they will find a way around it because the financial incentive is big enough.

It seems to me that if a spammer has a network of 10,000 trojaned broadband connected computers at his disposal to send spam, it's not much use if no one wants to pay him to do this.

So, instead of focusing on the spammer, focus on the spammer's customer. Place the cost of spam mitigation on them, pass legislation that makes them liable if their product or service is advertised by spam.

This should generate some freedom of speech flames. :-)
Re: Anti-spam System Idea
On Sun, 15 Feb 2004, Jon R. Kibler wrote:
> OK, I was sloppy in my wording... I should have said that we block
> published dynamic netblks, including dial, cable, xDSL, and wireless.
> That still catches something less than 5% of spam originating from DHCP
> connections.

Then it sounds like you have an incomplete list of dynamic network blocks. Why do you think you will be any more successful convincing more than 5% of ISPs to block ports, when you haven't been successful convincing them to give you more than 5% of their dynamic address ranges?

> Also, most ISPs (at least that serve the SE U.S.) AUP prohibit the
> running of any type of server on a DHCP connection. I know of at least
> one that regularly drop service to any system found running web, mail,
> IRC, proxy, ftp, telnet, or any of a dozen other different servers on
> any DHCP connection.

"Most" ISPs prohibit any type of server on a DHCP connection?

Some cable providers do this due to some limitations in their network architecture, but I would be surprised if "most" (i.e. more than 50%) ISPs prohibit servers. Why do you think DynDNS type services are so popular? So people can run servers on DHCP addresses. Peer-to-Peer is a very popular server used on mostly dynamic addresses.

Do you really want a read-only Internet, where only the Fortune 1000 are permitted to operate servers and everyone else must be a client?

> > Blocking port 25 blocks the ability of all MTA's to send any type of mail.
> > "Non-legitimate" is a determination best made by the two parties involved
> > in the communication.
>
> Why should hundreds of thousands of MTAs each have to make the
> determination that a given system wishing to make a connection is
> running spamware on a hacked system when that user's ISP could simply
> block that user and save everyone else the grief?

How should an ISP decide whether or not it is "legitimate" for the user to run an MTA? If they pay an extra $10 a month, they can legitimately run a server? Or are you proposing blocking all access, regardless of its legitimacy?

The fact of the matter is system admins need to protect their own systems because you never know if the remote system making the connection has been hacked regardless how the IP address was assigned. Blocking dynamic IP addresses doesn't make you safer if you fail to protect your own computers.

> To me, the approach you advocate is something like saying "do away with
> any centralized law enforcement, force everyone to carry guns, and if
> anyone suspects that someone else is committing a crime, they are
> obliged to shoot them." I believe that blocking spam at its source is
> far easier than blocking it at every possible destination. The less
> parties involved in blocking the spam, the higher the probability that
> the spam will be successfully blocked.

In reality there are fewer destinations than sources.

Then let's centralize it completely. The FCC will license ISPs and set the regulations they must enforce. Ma Bell will be reformed as the single telecommunications provider. Everyone must use the MTA's operated by Ma Bell. Will that stop spam?
Re: Anti-spam System Idea
On Sun, 15 Feb 2004, Jon R. Kibler wrote:
> To me, the approach you advocate is something like saying "do away with any centralized
> law enforcement, force everyone to carry guns, and if anyone suspects that someone
> else is committing a crime, they are obliged to shoot them." I believe that blocking

So, what Sean is proposing, and what you accurately describe (mostly) here is how the Internet is intended to be run... Minus the 'and the people running the systems should be "smart" or "careful" or "considerate"' of course.

There was never any central control/enforcement for the Internet, and time and again Governments have been shown that it's next to impossible to BE that central enforcer... With the exception, possibly, of China, though one could successfully argue that their firewall isn't working so well if hundreds of thousands of hosts on their networks can get compromised and flood out spoofed ip datagrams, eh?
Re: Anti-spam System Idea
[EMAIL PROTECTED] wrote:
> On Sun, 15 Feb 2004 [EMAIL PROTECTED] wrote:
>
> > If we block outbound port 25 SYN packets from origin addresses in the DHCP
> > address blocks, we solve the problem for everybody.

EXACTLY correct!

> No...you just speed up the migration (which has already begun) to spam
> proxies that use the local ISP's mail servers as smart hosts. Then you
> have to come up with a way to rate-limit customer outbound SMTP traffic.

I agree that proxies that use the local ISP's mail servers as smart hosts is a growing problem. However, it is a problem that is far more manageable than is our current situation.

First, if spam is forced through a centralized set of outgoing servers, and these servers do adequate logging, then a compromised system can be detected in a matter of minutes and blocked.

Next, requiring users to use SMTP AUTH to authenticate to the mail server, even when on the ISP's network, would throw another hurdle into the spammer's ability to access the ISP's mail server, and thus block the ability of spamware to route mail in this manner.

Ultimately, if all local networks, including ISP customers, would require that MUAs submit mail through MSAs (instead of through MTAs), and require that the MUAs use StartTLS to connect to the MSA, it would become very difficult for spammers to hijack an ISP's MTA. (Yes, this means that ISPs will have to run their own PKI, but I can easily see the day where this will be SOP.)

Bottom line... I believe that it is much easier to control spammer traffic routed through central mail servers, than it is to control spammers using thousands of hijacked systems that have their own SMTP engines dumping mail onto the net.

--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214

==
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.
Re: Anti-spam System Idea
Sean Donelan wrote:
> On Sun, 15 Feb 2004, Jon R. Kibler wrote:
> > We block known dialup netblks. Catches < 5% of spam. Why? Because the real
> > culprits are xDSL, CABLE and other systems with broadband connections. These
> > account for about 80% of the spam attempts we observe.
>
> Why don't you block "known" dynamic netblks, including xDSL, Cable, and
> other broadband connections using dynamic addresses such as WiFi in
> Starbucks? Most of the existing public DUL's include dynamic IP addresses
> from all network technologies, not just dialup.

OK, I was sloppy in my wording... I should have said that we block published dynamic netblks, including dial, cable, xDSL, and wireless. That still catches something less than 5% of spam originating from DHCP connections.

Also, most ISPs (at least that serve the SE U.S.) AUP prohibit the running of any type of server on a DHCP connection. I know of at least one that regularly drops service to any system found running web, mail, IRC, proxy, ftp, telnet, or any of a dozen other different servers on any DHCP connection.

> Blocking port 25 blocks the ability of all MTA's to send any type of mail.
> "Non-legitimate" is a determination best made by the two parties involved
> in the communication.

Why should hundreds of thousands of MTAs each have to make the determination that a given system wishing to make a connection is running spamware on a hacked system when that user's ISP could simply block that user and save everyone else the grief?

To me, the approach you advocate is something like saying "do away with any centralized law enforcement, force everyone to carry guns, and if anyone suspects that someone else is committing a crime, they are obliged to shoot them." I believe that blocking spam at its source is far easier than blocking it at every possible destination. The less parties involved in blocking the spam, the higher the probability that the spam will be successfully blocked.

--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
Re: Anti-spam System Idea
On Sun, 15 Feb 2004, Jon R. Kibler wrote:
> > DialUp Lists (DUL) dns block lists permits you to ignore e-mail from
> > many dynamic IP addresses. You can configure your mail server to do this
> > today without waiting for ISPs to do anything.
> >
> > Like most other "simple" solutions, how effective is it?
>
> We block known dialup netblks. Catches < 5% of spam. Why? Because the real
> culprits are xDSL, CABLE and other systems with broadband connections. These
> account for about 80% of the spam attempts we observe.

Why don't you block "known" dynamic netblks, including xDSL, Cable, and other broadband connections using dynamic addresses such as WiFi in Starbucks? Most of the existing public DUL's include dynamic IP addresses from all network technologies, not just dialup.

> The idea here is not just to prevent the receipt of spam (which is what
> DNSBLs can accomplish), rather, it is to prevent the generation of spam
> that is accounting for such a growing amount of everyone's network traffic.

All mail traffic (legitimate and illegitimate) is a very small percentage of network traffic. Besides, connections blocked at receipt use a very small amount of bandwidth. When the ISP blocks the traffic, you lose the capability to make an exception when you decide.

> If you block the ability of non-legitimate MTAs (such as open proxies and
> spamiruses) to send spam, you reduce the network bandwidth waste that spam
> is consuming. (As a side effect, you would also reduce the spread of viruses
> by email.)

Blocking port 25 blocks the ability of all MTA's to send any type of mail. "Non-legitimate" is a determination best made by the two parties involved in the communication.
Identifying IP address types
On Sun, 15 Feb 2004 [EMAIL PROTECTED] wrote:
> On Sun, 15 Feb 2004 17:46:05 EST, Sean Donelan said:
> > What if I told you about a method to identify the type of connection for
> > every IP address in our DNS? You don't need to rely on third-party DUL
> > lists.
>
> Hmm.. color me dubious, but keep talking. Best bet here would probably be
> some interesting abuse of PTR records?

You wouldn't be too far off. It depends on whether you consider the ISP a cooperative partner or a hostile participant.

Not only are 3rd party block lists often out-of-date and difficult to update, the public has a hard time understanding the difference between an ISP voluntarily listing their IP addresses in a DUL list and being labelled a "spam haven" because their IP addresses are in a block list.

If you assume the ISP wants to help (which you also have to assume for port 25 blocks to work), how can an ISP provide first-party information about the status of an IP address on demand to anyone?

My idea is to follow the RFC1101 example. PTR records already have other uses and requirements. So I suggest using another record type which doesn't have a current meaning in the reverse DNS. Instead use something like a HINFO record.

    1.0.168.192.in-addr.arpa    in ptr    some1.example.net
                                in hinfo  Dynamic Dialup
    2.0.168.192.in-addr.arpa    in ptr    some2.example.net
                                in hinfo  Static xDSL

The ISP (or really the network administrator for the network block) is in the best position to know how the IP addresses are managed. The netadmin can keep the HINFO records up to date, or correct the record if they are incorrect.

You don't need to guess which DUL maintainer contains records for various networks or worry about a DOS attack on a few DNS servers affecting mail service globally. You always query the network administrator's DNS servers when you receive a connection from an IP address for information about that IP address.
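The receiving-MTA side of the scheme above, as an added example that is not code from the thread: build the in-addr.arpa name for the connecting address, fetch and parse its HINFO record, and turn the answer into a non-binary decision. The zone data and resolver are a constructed in-memory stub (no network), and the assumption that the HINFO CPU field carries the assignment type and the OS field the access technology follows Sean's "Dynamic Dialup" / "Static xDSL" records; the policy labels (accept/defer/fallback) are assumed here, not proposed in the post.

```python
"""Classify an SMTP client's IP address from first-party HINFO records published
by the network administrator in the reverse DNS, then decide how to treat it."""
import ipaddress
import shlex
from typing import Callable, Dict, Optional, Tuple

# Constructed reverse-zone data, RDATA kept in master-file form so the parser
# has to cope with both bare words and quoted <character-string>s.
CONSTRUCTED_ZONE: Dict[str, Dict[str, str]] = {
    "1.0.168.192.in-addr.arpa": {"PTR": "some1.example.net.", "HINFO": "Dynamic Dialup"},
    "2.0.168.192.in-addr.arpa": {"PTR": "some2.example.net.", "HINFO": "Static xDSL"},
    "3.0.168.192.in-addr.arpa": {"PTR": "some3.example.net.", "HINFO": '"Dynamic" "Cable modem"'},
    "4.0.168.192.in-addr.arpa": {"PTR": "some4.example.net."},  # netadmin published no HINFO
}

# A resolver is anything that answers (owner name, record type) -> RDATA text or None.
Resolver = Callable[[str, str], Optional[str]]


def zone_resolver(zone: Dict[str, Dict[str, str]]) -> Resolver:
    """Stand-in for a real DNS lookup: answer from the in-memory zone above."""
    def resolve(name: str, rtype: str) -> Optional[str]:
        return zone.get(name.lower().rstrip("."), {}).get(rtype.upper())
    return resolve


def reverse_name(ip: str) -> str:
    """Owner name to query: in-addr.arpa for IPv4, ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_hinfo(rdata: str) -> Tuple[str, str]:
    """Split HINFO RDATA into its two <character-string>s (RFC 1035: CPU, OS).

    Anything other than exactly two strings of at most 255 octets is rejected,
    so a malformed or repurposed record cannot be misread as a classification.
    """
    parts = shlex.split(rdata)
    if len(parts) != 2:
        raise ValueError(f"HINFO needs exactly two strings, got {parts!r}")
    if any(len(p.encode()) > 255 for p in parts):
        raise ValueError("HINFO character-string longer than 255 octets")
    return parts[0], parts[1]


def classify(ip: str, resolve: Resolver) -> Dict[str, Optional[str]]:
    """Ask the address's own reverse zone how it is managed.

    Returns assignment/technology as published, or None for both when the
    netadmin publishes nothing usable (absent record, or one that fails parsing).
    """
    rdata = resolve(reverse_name(ip), "HINFO")
    if rdata is None:
        return {"assignment": None, "technology": None}
    try:
        assignment, technology = parse_hinfo(rdata)
    except ValueError:
        return {"assignment": None, "technology": None}
    return {"assignment": assignment, "technology": technology}


def smtp_policy(ip: str, resolve: Resolver) -> str:
    """Map the first-party classification to an MTA action (assumed labels):
    'accept' for Static, 'defer' (e.g. greylist) for Dynamic, and 'fallback'
    (use other evidence such as a third-party DUL) when nothing is published."""
    assignment = classify(ip, resolve)["assignment"]
    if assignment is None:
        return "fallback"
    if assignment.lower() == "dynamic":
        return "defer"
    if assignment.lower() == "static":
        return "accept"
    return "fallback"  # an assignment word we do not recognise: do not guess


if __name__ == "__main__":
    lookup = zone_resolver(CONSTRUCTED_ZONE)
    for addr in ("192.168.0.1", "192.168.0.2", "192.168.0.3", "192.168.0.4"):
        print(addr, classify(addr, lookup), smtp_policy(addr, lookup))
```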
Re: Anti-spam System Idea
Sean Donelan wrote:
> DialUp Lists (DUL) dns block lists permits you to ignore e-mail from
> many dynamic IP addresses. You can configure your mail server to do this
> today without waiting for ISPs to do anything.
>
> Like most other "simple" solutions, how effective is it?

We block known dialup netblks. Catches < 5% of spam. Why? Because the real culprits are xDSL, CABLE and other systems with broadband connections. These account for about 80% of the spam attempts we observe.

The idea here is not just to prevent the receipt of spam (which is what DNSBLs can accomplish), rather, it is to prevent the generation of spam that is accounting for such a growing amount of everyone's network traffic.

If you block the ability of non-legitimate MTAs (such as open proxies and spamiruses) to send spam, you reduce the network bandwidth waste that spam is consuming. (As a side effect, you would also reduce the spread of viruses by email.)

--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
Re: Anti-spam System Idea
On Sun, 15 Feb 2004 17:46:05 EST, Sean Donelan said:
> What if I told you about a method to identify the type of connection for
> every IP address in our DNS? You don't need to rely on third-party DUL
> lists.

Hmm.. color me dubious, but keep talking. Best bet here would probably be some interesting abuse of PTR records?
Re: Anti-spam System Idea
On Sun, 15 Feb 2004 [EMAIL PROTECTED] wrote:
> > DialUp Lists (DUL) dns block lists permits you to ignore e-mail from
> > many dynamic IP addresses. You can configure your mail server to do this
> > today without waiting for ISPs to do anything.
>
> If we advertise the DHCP pools for AS1312 in a DUL, we solve the problem for
> those sites that use the DUL we list them in.

What if I told you about a method to identify the type of connection for every IP address in our DNS? You don't need to rely on third-party DUL lists.

Blocking is a binary decision. Instead if you have better information about the connection source, you can make different decisions how to handle the message.

> If we block outbound port 25 SYN packets from origin addresses in the DHCP
> address blocks, we solve the problem for everybody.

Including the people who don't want you to solve it for them. People want to use outbound port 25 from dynamic address blocks. Why block it between people who want to use it just because some people want to have open servers?

Block 119, you must use your ISPs NNTP server.
Block 6667, you must use your ISPs IRC server.
Block 80, you must use your ISPs HTTP proxy.
Block N, you must use your ISPs whatever server.

Enterprises already do this, the equipment exists. Why do we want ISPs doing this?
Re: Anti-spam System Idea
On Sun, 15 Feb 2004 [EMAIL PROTECTED] wrote:
> If we advertise the DHCP pools for AS1312 in a DUL, we solve the problem for
> those sites that use the DUL we list them in.
>
> If we block outbound port 25 SYN packets from origin addresses in the DHCP
> address blocks, we solve the problem for everybody.

No...you just speed up the migration (which has already begun) to spam proxies that use the local ISP's mail servers as smart hosts. Then you have to come up with a way to rate-limit customer outbound SMTP traffic.

BTW...who brought SARS (or more likely just flu) to nanog30? I drove (so I didn't catch it on the plane) and symptoms (sore throat, congestion, very high fever) started thursday. I've spent most of the weekend in bed waiting to die.

--
Jon Lewis [EMAIL PROTECTED]     | I route
Senior Network Engineer         | therefore you are
Atlantic Net                    |
http://www.lewis.org/~jlewis/pgp for PGP public key
Open, anonymous services and dealing with abuse
On Fri, 13 Feb 2004, Rob Pickering wrote:
> --On 13 February 2004 09:27 -0500 [EMAIL PROTECTED] wrote:
> > Y-Haw! A return to the Old West of bangbaths and pathalias.
> >
> > No thanks.
>
> That's absolutely the issue with emerging resignation to "e-mail
> peering" and the like being the only solution to the spam problem.

The unfortunate fact is lots of people like to operate open, anonymous services and then expect other people to clean up after them.

Why don't IRC operators require authentication of their users?
    ISPs should block 6667
Why don't SMTP operators require authentication of their users?
    ISPs should block 25
Why don't NETBIOS operators require authentication of their users?
    ISPs should block 135, 137-139, 445
Why don't P2P operators require authentication of their users?
    ISPs should block everything
Re: Anti-spam System Idea
On Sun, 15 Feb 2004 16:40:40 EST, Sean Donelan said:
> DialUp Lists (DUL) dns block lists permits you to ignore e-mail from
> many dynamic IP addresses. You can configure your mail server to do this
> today without waiting for ISPs to do anything.

If we advertise the DHCP pools for AS1312 in a DUL, we solve the problem for those sites that use the DUL we list them in.

If we block outbound port 25 SYN packets from origin addresses in the DHCP address blocks, we solve the problem for everybody.
Re: Anti-spam System Idea
On Sun, 15 Feb 2004, Jon R. Kibler wrote:
> We find that at least 85% of all spam originates from DHCP addresses. Thus, if
> a significant number of ISPs would perform port 25 egress filtering, I believe
> that it would significantly reduce spam, and force criminal spammers to develop
> completely new spamming technologies.

DialUp Lists (DUL) dns block lists permits you to ignore e-mail from many dynamic IP addresses. You can configure your mail server to do this today without waiting for ISPs to do anything.

Like most other "simple" solutions, how effective is it?
Re: Anti-spam System Idea
[EMAIL PROTECTED] wrote:
> On Sat, 14 Feb 2004, Tim Thorpe wrote:
>
> > If these exist then why are we still having problems?
>
> Because the spammers are creating proxies faster than any of the anti-spam
> people can find them. Evidence suggests, at least on the order of 10,000
> new spam proxies are created and used every day by spackers
> (spammer/hackers).
>
> The relative insecurity of windows and ignorance of the average internet
> user has created an incredibly target rich environment for the spackers.
>
> > Why do we let customers who have been infected flood the networks with
> > traffic as they do? Should they not also be responsible for the security
> > of their computers? Do we not do enough to educate?
>
> Economics, and convenience outweighing security. We're big, and slow to
> change. They're small and mobile.

The Internet's spam load could be easily cut by 50% or more. All it would take is the cooperation of most major ISPs and academic institutions.

As this discussion thread has indicated, most spam originates from systems infected with spamiruses or open proxy servers. How to shut down all such malware? Simple: Apply egress filtering ACLs to all border routers to prohibit outgoing port 25 connections from DHCP addresses.

We find that at least 85% of all spam originates from DHCP addresses. Thus, if a significant number of ISPs would perform port 25 egress filtering, I believe that it would significantly reduce spam, and force criminal spammers to develop completely new spamming technologies.

If ISPs were to go further, and require their customers with static IPs to perform port 25 egress filtering, blocking such connections from all systems except for the customer's legitimate MTA, we could virtually eliminate spam originating from hijacked systems.

OK, I can hear the objections now... ACLs slow down our routers and thus reduce throughput. Well, that may be true in the purest sense of the argument, but can you demonstrate that a few ACLs will have a SIGNIFICANT impact on throughput? I would be willing to bet that any throughput reduction caused by ACLs, in the long run, would be more than compensated for by the corresponding reduction in spam traffic passing through the router. Also, if filtering was to occur at the point closest to the source, rather than at an aggregation point, the impact of any ACLs would be distributed across the network in such a manner as to probably have no observable impact on network throughput. (If anyone has any hard statistics on ACL impact on network throughput, I would sure like to see those studies!)

Just my $0.02 worth...

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
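The port 25 egress filter Jon describes, worked through as an added example (not code from the thread or from any ISP named in it): generate the router ACL from an address plan of DHCP pools plus the customer MTAs that are exempt, and evaluate candidate flows against the generated entries with first-match semantics so the ordering and the implicit deny are visible. The prefixes, MTA address, ACL number and the `log` keyword usage are constructed/assumed; the entry syntax follows Cisco IOS numbered extended ACLs.

```python
"""Build a port 25 egress ACL for dynamic (DHCP) pools with exemptions for
legitimate customer MTAs, and check flows against the resulting entries."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed address plan (documentation prefixes, not real customers).
DHCP_POOLS = ["192.0.2.0/24", "198.51.100.128/25"]   # dynamic customer space
STATIC_MTAS = ["203.0.113.25"]                        # customer MTAs allowed to send SMTP
ACL_NUMBER = 125                                       # assumed extended-ACL number


def egress_acl(pools: Iterable[str], mtas: Iterable[str], acl: int = ACL_NUMBER) -> List[str]:
    """Emit IOS entries: exempt MTAs first (first match wins), then deny TCP/25
    from each dynamic pool, then permit everything else so only SMTP from
    dynamic space is affected (web, IRC, NNTP and so on pass untouched)."""
    lines = []
    for mta in mtas:
        lines.append(f"access-list {acl} remark permit customer MTA {mta}")
        lines.append(f"access-list {acl} permit tcp host {mta} any eq 25")
    for pool in pools:
        net = ipaddress.IPv4Network(pool)
        # IOS takes an inverse (wildcard) mask: 0 bits must match, 1 bits are don't-care.
        lines.append(f"access-list {acl} deny tcp {net.network_address} {net.hostmask} any eq 25 log")
    lines.append(f"access-list {acl} permit ip any any")
    return lines


def _match_addr(tokens: List[str], i: int, addr: ipaddress.IPv4Address) -> Tuple[bool, int]:
    """Consume one IOS address spec at tokens[i] ('any', 'host X', or 'X wildcard');
    return (matched, index of the next token)."""
    if tokens[i] == "any":
        return True, i + 1
    if tokens[i] == "host":
        return addr == ipaddress.IPv4Address(tokens[i + 1]), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    care = 0xFFFFFFFF ^ wildcard
    return (int(addr) & care) == (base & care), i + 2


def acl_permits(acl_lines: List[str], src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    """Evaluate a flow the way the router does: top-down, first matching entry
    decides, and a flow matching no entry hits the implicit deny."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for line in acl_lines:
        t = line.split()
        if t[2] == "remark":
            continue
        action, entry_proto = t[2], t[3]
        if entry_proto not in ("ip", proto):
            continue
        ok, i = _match_addr(t, 4, src)
        if not ok:
            continue
        ok, i = _match_addr(t, i, dst)
        if not ok:
            continue
        if i < len(t) and t[i] == "eq" and int(t[i + 1]) != dst_port:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = egress_acl(DHCP_POOLS, STATIC_MTAS)
    print("\n".join(acl))
    # Apply inbound on the customer-facing interface, e.g. "ip access-group 125 in".
    for flow in (("192.0.2.77", "192.0.2.1", "tcp", 25), ("192.0.2.77", "192.0.2.1", "tcp", 80),
                 ("203.0.113.25", "192.0.2.1", "tcp", 25)):
        print(flow, "permit" if acl_permits(acl, *flow) else "deny")
```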
power outage in LA?
I just lost an upstream provider and they tell me there's a power outage in LA - anyone have any info on that?

--
matthew zeier - "Nothing in life is to be feared. It is only to be understood." - Marie Curie
Re: BGP - weight
SH> Date: Sun, 15 Feb 2004 16:50:02 +
SH> From: Sven Huster

[ edited and reformatted for clarity ]

SH> The core sends to R1, which believes the best path is via R2
SH> and sends it back to the core as that's the only way to reach
SH> R2. Then the core again sends it to R1 and all the same
SH> again.

Yuck.

SH> As this is a small network internally everything is routed
SH> via static routes.

Except for the smallest of networks, I try to avoid static routes. It's additional work and opportunity for error. Using BGP + TCP MD5 auth, OSPF auth, hardcoded ARP entries, per-port MAC address restrictions, prefix lists, route maps, etc., one can run a dynamic network and still keep security under control.

SH> R1 and R2 have full BGP views from the transit providers as
SH> well as partial view from the peers.

Why not arrange the routers and switch in a single VLAN? (Or did I misunderstand your earlier ASCII-art diagram?) I usually use something like:

  10.0.0.1/32   local sinkhole
  10.0.0.2/28   virtual router (HSRP/VRRP; maybe XRRP now)
  10.0.0.3/28   physical router #1
  10.0.0.4/28   physical router #2
      :         :
      :         :
  10.0.0.13/28  [routing] switch #2
  10.0.0.14/28  [routing] switch #1

Let R1, R2, and R3 speak directly over ethernet without routing through core. If they already do, verify that you're setting nexthop correctly. Multihop routing sessions often can be made to work, but they're a tricky "house of cards".

Remember, classic IP routing forwards to a { MAC addr | PVC | endpoint } based on destination IP addr. You can't do fancy rewriting at each hop; that's part of why PBR and label switching were invented. ;-)

Note: I am _not_ suggesting PBR for this situation.

SH> They [R1 and R2] run iBGP with R3 and the core.

You have a partial mesh in which R1 and R2 do not exchange routes with each other?

EBD> router bgp
EBD>  [no] bgp bestpath compare-routerid

SH> All devices use the default settings in this respect.
SH> R1-3 are Cisco routers, the core Extreme Alpine.

Somewhere along the line Cisco changed the default from "bgp bestpath compare-routerid" to the converse. I forget when, although a quick Google search leads me to believe it was around 12.0/12.0S/12.0ST. I can't comment on Extreme.

Again, though, I'm going out on a limb with this one. I'd bet on static routes, topology, and [lack of] IGP before BGP path selection algorithm.

SH> It seems to be a temp problem, which we just figured out once
SH> it went away based on netflow data and traffic dumps. So there
SH> is no data available for this right now.

Odd.

If you catch any non-traceroute packets with expiring TTL, see if you can grab routing info from all the boxes involved. I'm confused how these devices are building their RIBs...

Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses :
[EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Re: BGP - weight
On Sun, Feb 15, 2004 at 04:47:30AM +, E.B. Dreger wrote:
>
> SH> Date: Sat, 14 Feb 2004 18:00:51 +
> SH> From: Sven Huster
>
>
> SH> The thing that happened was that the core believed that the
> SH> best path out is via R1, which R1 thought it was via R2. So a
> SH> little loop there.
>
> So core sends to R1, which sends to R2... where does R2 send the
> packets? Back to R1?

The core sends to R1, which believes the best path is via R2 and sends it back to the core as that's the only way to reach R2. Then the core again sends it to R1 and all the same again.

>
> What are you doing in your IGP? Are you using { iBGP | OSPF |
> IS-IS | ... }? How does R1 learn routes from Transit2?

As this is a small network internally everything is routed via static routes. R1 and R2 have full BGP views from the transit providers as well as partial view from the peers. They run iBGP with R3 and the core.

> What about confederations? Used correctly, they're helpful.
> Used incorrectly in similar scenarios, an iBGP mesh becomes a
> constantly-oscillating iBGP mess.
>
> Are you using either
>
> router bgp
>  bgp bestpath compare-routerid
>
> or
>
> router bgp
>  no bgp bestpath compare-routerid
>
> on all routers? I'm wondering if R1 prefers Transit2 and R2
> prefers Transit1 due to different path selection algorithms...

All devices use the default settings in this respect. R1-3 are Cisco routers, the core Extreme Alpine.

>
> Can you "sh route" or "sh ip bgp" for a route that loops?
>

It seems to be a temp problem, which we just figured out once it went away based on netflow data and traffic dumps. So there is no data available for this right now.

Sven
Re: Anti-spam System Idea
On Sat, 14 Feb 2004 18:24:17 PST, Tim Thorpe <[EMAIL PROTECTED]> said:
>
> Getting a bit long, I like it :D.
>
> What would be a netops general response to scans of this nature?

What's *your* netop's response to all the idiot-with-firewalls replies to your scan?

Then go and read http://www.viacorp.com/auditing.html, and remember that the people mentioned in "they're here..." are still out there