Re: FW: The worst abuse e-mail ever, sverige.net
[EMAIL PROTECTED]:
> Most DSL providers that hand out static addressing also have the means
> to delegate the rDNS. Sounds like it is time to get your own DNS on.

They have the means (by definition). They don't have the willingness.

Cheers,
/Liman
Re: FW: The worst abuse e-mail ever, sverige.net
[EMAIL PROTECTED]:
> You block port 25 until a customer says that they're claim to have
> setup a responsible mail submission agent and demonstrate the
> necessary clue density.

Then in all fairness block also port 80. A comparable amount of junk is
sent using port 80.

> This can be readily determined by having customer support mail a short
> form with relevant questions such as Is your mail server RFC2505
> compliant?, Please list the mechanism used to secure mail submission
> to your server?, and Are you prepared to handle SPAM reports for all
> email originated or relayed? No problem for someone who knows what
> they're doing but enough to deter the random end user.

Ditto | sed -e 's/25/80/' -e 's/SMTP/HTTP/' -e 's/MIME/HTML/' :-)

Cheers,
/Liman
Re: FW: The worst abuse e-mail ever, sverige.net
[EMAIL PROTECTED]:
> Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
> where to send the abuse reports.

I did. Reverse *what*?

Just to clue you in. They used to have the only two authoritative servers
for their reverse zone sitting on the same LAN with the IP#s next to each
other. Then that LAN goes out (happens from time to time) there is *NO*
rDNS, with the obvious lame delegation time-outs from servers I (as a
customer of theirs) try to access. (In all fairness, I just checked my
facts, and it seems as they have recently improved on that situation.)
Like I said, I barely trust them to move bits to my box.

> I don't mind at all. Get rDNS that provides a clue that you have a clue,
> and I'm happy as all get out to accept mail from you. Otherwise, you're
> functionally identical to fifty million spam zombies, as far as I have
> time to determine. Understand me? You're the /rare exception/.

I *understand* that I'm a rare exception. The problem is that the world
*won't let me* be a well functioning exception. My ISP won't let me have
my own rDNS, and you won't let me use port 25 properly.

> Because that's how things are today. You're a 1-in-50-million chance,
> as far as I can tell from my mail server.

With that attitude you're never going to improve things ...

Cheers,
/Liman
Re: FW: The worst abuse e-mail ever, sverige.net
On Thu, 23 Sep 2004, Lars-Johan Liman wrote:
> I *understand* that I'm a rare exception. The problem is that the world
> *won't let me* be a well functioning exception.

Correction, the world *can't* let you be a well functioning exception.
People always scream 'no censorship', but there is only that many more
mail servers and preprocessing machines you can throw at a $20/month
account. You don't hear me complaining the $0.50 washing powder couldn't
get the motor oil out of my velvet shirt. People don't scream 'cripple
ware' at the washing powder.

> My ISP won't let me have my own rDNS, and you won't let me use port 25
> properly.

And Unilever won't let me clean my shirt.

>> Because that's how things are today. You're a 1-in-50-million chance,
>> as far as I can tell from my mail server.
> With that attitude you're never going to improve things ...

If you ditched your ISP for the non-service they are offering, and go to
one that does allow your rDNS records, things would improve not only for
you, but for the world too as this IP is losing customers and either goes
away or changes their policy. The real question is, how much money is it
worth it for you. But don't put the blame on us for not adding another
rack of mailservers so people like you can get their mail out.

Paul
-- 
Non cogitamus, ergo nihil sumus
Re: FW: The worst abuse e-mail ever, sverige.net
>> The problem is that the world *won't let me* be a well functioning
>> exception.
> Correction, the world *can't* let you be a well functioning exception.

not true. it can but many have decided not to.

randy
Re: FW: The worst abuse e-mail ever, sverige.net
On Thu, 23 Sep 2004, Randy Bush wrote:
>>> The problem is that the world *won't let me* be a well functioning
>>> exception.
>> Correction, the world *can't* let you be a well functioning exception.
> not true. it can but many have decided not to.

Just like I also 'chose' to not read messages tagged by software as spam.
There is no choice.

Paul
-- 
Non cogitamus, ergo nihil sumus
Re: FW: The worst abuse e-mail ever, sverige.net
Lars-Johan Liman [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED]:
>> Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
>> where to send the abuse reports.
> I did. Reverse *what*?

I took my home ADSL to a company that delegates appropriate bits of
in-addr.arpa to my servers. I suggest you might want to do the same.

-- 
PGP key ID E85DC776 - finger [EMAIL PROTECTED] for full key
Re: FW: The worst abuse e-mail ever, sverige.net
on Thu, Sep 23, 2004 at 10:37:10AM +0200, Lars-Johan Liman wrote:
> [EMAIL PROTECTED]:
>> Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
>> where to send the abuse reports.
> I did. Reverse *what*?

So explain it to them in words of two syllables or less, where possible.
I recommend using I am finding a new eye ess pee.

>> Because that's how things are today. You're a 1-in-50-million chance,
>> as far as I can tell from my mail server.
> With that attitude you're never going to improve things ...

/My/ attitude? You're the one giving your money to a bunch of
incompetents.

-- 
join us! http://hesketh.com/about/careers/web_designer.html join us!
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html join us!
Re: FW: The worst abuse e-mail ever, sverige.net
I was just going to stay out of this, but I can't...

Steven Champeon wrote:
> on Thu, Sep 23, 2004 at 10:37:10AM +0200, Lars-Johan Liman wrote:
>> [EMAIL PROTECTED]:
>>> Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
>>> where to send the abuse reports.
>> I did. Reverse *what*?
> So explain it to them in words of two syllables or less, where possible.
> I recommend using I am finding a new eye ess pee.

There's plenty of them out there that will welcome you, as well. When I
call tech support, I never get the nonsense about rebooting my machine to
fix things. In fact, I usually have someone on the line who has heard of
Slackware and OpenBSD. You get what you pay for.

>>> Because that's how things are today. You're a 1-in-50-million chance,
>>> as far as I can tell from my mail server.
>> With that attitude you're never going to improve things ...
> /My/ attitude? You're the one giving your money to a bunch of
> incompetents.

You know, it's just not that hard. I have what is termed Business Class
SDSL, which may be pricier than the average geek wants to pay, but so
what? If you want to be treated as _not one of the crowd_ of random
clueless users, you need to differentiate yourself in a way that is
simple for others, _not for yourself_. I have friends who have only one
dedicated IP, but it's from an ISP that takes reverse seriously, and that
will happily delegate to them, if desired. It isn't everyone else's
responsibility to cater to you, if you can't get even the simplest stuff
(rdns) fixed.

Oh, and mine isn't delegated to me, but I don't worry about it, since it
has a nice rdns that I'm fine with (and I like the anonymity when I
browse elsewhere).

-- 
You've confused equality of opportunity for equality of outcomes, and
have seriously confused justice with equality. -- Woodchuck
Re: FW: The worst abuse e-mail ever, sverige.net
I cannot agree to the block port 25 line of action.

I am a Unix sysadmin, with 15 years of experience as sendmail and DNS
expert. I have a DSL line at home, with static IP, and generic rDNS
provided by my ISP. Behind it I have a serious Unix server, configured to
roughly the same standard that I use at work.

I know enough about this business to not trust my ISP with anything more
than moving packets to and from my server (and even that is stretching
it ;-). I don't want to pay for their lousy mail service, I can do it
better myself. And you don't want to let me?

Now, *why* should *I* be punished because the rest of my neighbours have
chosen to jump into the commercial bed of an operating system that is a
walking invitation to cracking?

The Internet is designed to be end-to-end. I know of ISPs that try to
filter out IP telephony to force the users to use and pay for the ISP's
VOIP service. Is that OK? No, I thought not. But remember - when VOIP
gets deployed really wide and far (like e-mail today), you'll start to
receive a lot more abusive phone calls. Why?

This all boils down to cost and cost model. In the real world, the sender
pays for the (paper) mail message. In the electronic world, the bigger
cost is carried by the recipient. This model will break in the future.
It's too d---ned cheap to send out spam, and it'll be too d---ned cheap
to sell your stuff over VOIP in the future. We could fight all this, but
it takes manpower and competence, and manpower and competence cost real
money - money that the customer is not willing to spend ... yet. This is
a market problem. It will eventually sort itself out, but stopping
serious and sensible people from using the Internet as it is designed, is
not the right way to do it. If the Internet is going to survive - the
cost model has to change.

Or, there's another future, where the Internet as we know it, is just a
packet transport system, on which we build our own (several) virtual
networks which are only reachable by the community (-ies) that we choose.
Configuration nightmare. But someone will make money by providing
software tools to help us make our worlds as complex as possible (see NAT
in your dictionary ...)

(Hmm. Maybe I should start a BGP feed that blacklists all ISPs that block
port 25? Hmm. Hmm. Any takers? :-)

Cheers,
/Liman

#--
# There are 10 kinds of people in the world. Those who understand
# binary numbers, and those who don't.
#--
# Lars-Johan Liman, M.Sc.       ! E-mail: [EMAIL PROTECTED]
# Senior Systems Specialist     ! HTTP  : //www.autonomica.se/
# Autonomica AB, Stockholm      ! Voice : +46 8 - 615 85 72
#--
Re: FW: The worst abuse e-mail ever, sverige.net
on Wed, Sep 22, 2004 at 10:16:41AM +0200, Lars-Johan Liman wrote:
> I cannot agree to the block port 25 line of action.
>
> I am a Unix sysadmin, with 15 years of experience as sendmail and DNS
> expert. I have a DSL line at home, with static IP, and generic rDNS
> provided by my ISP. Behind it I have a serious Unix server, configured
> to roughly the same standard that I use at work.

Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
where to send the abuse reports.

> I know enough about this business to not trust my ISP with anything
> more than moving packets to and from my server (and even that is
> stretching it ;-). I don't want to pay for their lousy mail service, I
> can do it better myself. And you don't want to let me?

I don't mind at all. Get rDNS that provides a clue that you have a clue,
and I'm happy as all get out to accept mail from you. Otherwise, you're
functionally identical to fifty million spam zombies, as far as I have
time to determine. Understand me? You're the /rare exception/.

> Now, *why* should *I* be punished because the rest of my neighbours
> have chosen to jump into the commercial bed of an operating system that
> is a walking invitation to cracking?

Because that's how things are today. You're a 1-in-50-million chance, as
far as I can tell from my mail server.

snip unhelpful Internet architecture lesson

-- 
join us! http://hesketh.com/about/careers/web_designer.html join us!
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html join us!
Re: FW: The worst abuse e-mail ever, sverige.net
Lars-Johan Liman [EMAIL PROTECTED] writes:
> I cannot agree to the block port 25 line of action.
>
> I am a Unix sysadmin, with 15 years of experience as sendmail and DNS
> expert. I have a DSL line at home, with static IP, and generic rDNS
> provided by my ISP. Behind it I have a serious Unix server, configured
> to roughly the same standard that I use at work.
> ...
> This all boils down to cost and cost model.

Yep, precisely. You're running a business/professional type of
configuration on a consumer-grade circuit. Your ISP has to assume that
you're Joe or Jane Luddite with an unpatched Windows PC when you buy this
configuration, but your requirements are outside of the standard product
definition (and best current practices) for consumer b/w.

Buy an appropriate connectivity product for your home connectivity and
the problems go away. Put your servers in a colo (a la
http://www.vix.com/personalcolo/ ) and the problems go away.

It costs more to maintain a zone file that is not created by a perl
script (ie, your generic rDNS). You can expect to pay for this.
Presumably as a Unix sysadmin with 15 years of experience, this is a cost
you can afford/justify.

---Rob
Re: FW: The worst abuse e-mail ever, sverige.net
On Wed, 22 September 2004 10:40:30 -0400, Robert E.Seastrom wrote:
> [..]
> Buy an appropriate connectivity product for your home connectivity and
> the problems go away. Put your servers in a colo (a la
> http://www.vix.com/personalcolo/ ) and the problems go away.
>
> It costs more to maintain a zone file that is not created by a perl
> script (ie, your generic rDNS). You can expect to pay for this.
> Presumably as a Unix sysadmin with 15 years of experience, this is a
> cost you can afford/justify.

What will that 1U server help me if I am sending stuff from my Unix box
at home via SMTP to it when my IP block is in the various 'dialup' RBLs
and ends up in the Received headers, so every SA on the way happily
scores it rather high as these RBLs sum up. What would be gained then at
the end of it?

Alexander
Re: FW: The worst abuse e-mail ever, sverige.net
Alexander Koch wrote:
> What will that 1U server help me if I am sending stuff from my Unix box
> at home via SMTP to it when my IP block is in the various 'dialup' RBLs
> and ends up in the Received headers, so every SA on the way happily
> scores it rather high as these RBLs sum up. What would be gained than
> at the end of it?

$ ssh -2 -L2525:your.mail.server:25 [EMAIL PROTECTED]

srs

(check my headers and tell me if you can see my home dsl ip)
RE: FW: The worst abuse e-mail ever, sverige.net
Most DSL providers that hand out static addressing also have the means to
delegate the rDNS. Sounds like it is time to get your own DNS on.

- Mark E. Miller

...it said: Install Windows 2000 or better...so I installed FreeBSD...
PGP Key fingerprint = 4E60 8A3C ECE5 3018 474B 1D0F 9C74 6147 85FB F2F4

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lars-Johan Liman
Sent: Wednesday, September 22, 2004 3:17 AM
To: nanog
Subject: Re: FW: The worst abuse e-mail ever, sverige.net

I cannot agree to the block port 25 line of action.

I am a Unix sysadmin, with 15 years of experience as sendmail and DNS
expert. I have a DSL line at home, with static IP, and generic rDNS
provided by my ISP. Behind it I have a serious Unix server, configured to
roughly the same standard that I use at work.

*snip*
Re: FW: The worst abuse e-mail ever, sverige.net
Alexander Koch [EMAIL PROTECTED] writes:
> On Wed, 22 September 2004 10:40:30 -0400, Robert E.Seastrom wrote:
>> [..]
>> Buy an appropriate connectivity product for your home connectivity
>> and the problems go away. Put your servers in a colo (a la
>> http://www.vix.com/personalcolo/ ) and the problems go away.
>>
>> It costs more to maintain a zone file that is not created by a perl
>> script (ie, your generic rDNS). You can expect to pay for this.
>> Presumably as a Unix sysadmin with 15 years of experience, this is a
>> cost you can afford/justify.
>
> What will that 1U server help me if I am sending stuff from my Unix box
> at home via SMTP to it when my IP block is in the various 'dialup' RBLs
> and ends up in the Received headers, so every SA on the way happily
> scores it rather high as these RBLs sum up. What would be gained than
> at the end of it?

Think about what you just wrote -- if things actually worked this way,
nobody who ran SpamAss would ever receive any mail. :) (if you're a
conspiracy theorist or just weird, set up an ipsec, ssh, or gre tunnel
and call it done).

What's it buy you? Unblocked ports, control of in-addrs associated with
your addresses, data center UPSes, data center cooling, (still subject to
Acts of God as recent experiences in NoVA showed, but that's life), not
having your *server* in a block that is identified as dialup.

---Rob
Re: FW: The worst abuse e-mail ever, sverige.net
At 10:16 AM +0200 9/22/04, Lars-Johan Liman wrote:
> I cannot agree to the block port 25 line of action.

You block port 25 until a customer says that they're claim to have setup
a responsible mail submission agent and demonstrate the necessary clue
density. This can be readily determined by having customer support mail
a short form with relevant questions such as Is your mail server RFC2505
compliant?, Please list the mechanism used to secure mail submission to
your server?, and Are you prepared to handle SPAM reports for all email
originated or relayed? No problem for someone who knows what they're
doing but enough to deter the random end user.

/John
Re: FW: The worst abuse e-mail ever, sverige.net
AK Date: Wed, 22 Sep 2004 16:54:20 +0200
AK From: Alexander Koch

AK What will that 1U server help me if I am sending stuff from
AK my Unix box at home via SMTP to it when my IP block is in
AK the various 'dialup' RBLs and ends up in the Received

Presumably you'd admin the 1U server, and your authenticated SMTPS
traffic would be allowed despite RBL listings, yes?

AK headers, so every SA on the way happily scores it rather
AK high as these RBLs sum up. What would be gained than at the
AK end of it?

Huh?! Either you're running { UUCP | some strange multihop relaying } or
I'm totally confused. You connect to your colo box directly. There are
no other hops along the way.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Re: FW: The worst abuse e-mail ever, sverige.net
> At 10:16 AM +0200 9/22/04, Lars-Johan Liman wrote:
>> I cannot agree to the block port 25 line of action.
> You block port 25 until a customer says that they're claim to have
> setup a responsible mail submission agent and demonstrate the
> necessary clue density.

[ we have had this discussion before. how many times are we doomed to
have it? ]

in the north american culture, this is usually termed guilty until proven
innocent, and generally discouraged. perhaps we should not deprive the
customer of rights/services until they have been shown to have abused
them?

lars-johan's posting was a wonderfully eloquent plea for the survival of
the internet, as opposed to the walled-garden telco model.

randy
Re: FW: The worst abuse e-mail ever, sverige.net
At 4:51 PM +0100 9/22/04, Randy Bush wrote:
> in the north american culture, this is usually termed guilty until
> proven innocent, and generally discouraged. perhaps we should not
> deprive the customer of rights/services until they have been shown to
> have abused them?

I am *so* happy that the power grid doesn't operate this way... fuses
and circuit breakers are there in your home, the pedestal, and the pole
for good reason. Call your power company if you want to upgrade *and*
can demonstrate appropriate certified electrical work in advance.

/John
Re: FW: The worst abuse e-mail ever, sverige.net
Randy Bush [EMAIL PROTECTED] writes:

reductio ad absurdum comments about American jurisprudence elided

> lars-johan's posting was a wonderfully eloquent plea for the survival
> of the internet, as opposed to the walled-garden telco model.

In a vacuum, we all agree with him. He should be sending his plea to
Redmond, from whence comes the vulnerable software that makes this
stopgap BCP necessary.

---Rob
Re: FW: The worst abuse e-mail ever, sverige.net
On Wed, 22 Sep 2004, Lars-Johan Liman wrote:
> It's too d---ned cheap to send out spam, and it'll be too d---ned cheap
> to sell your stuff over VOIP in the future.

But we've fixed that! We added an ENUM layer with DNSSEC on top of it.
So now we can decide what to tell our potential callers without them
being to spoof it. Like do not disturb me now

Oh yeah, and we'll use the phone number as index for all this
information!

Now if you'll excuse me, I'll go sob in the corner over there.

Paul
-- 
Non cogitamus, ergo nihil sumus
Re: FW: The worst abuse e-mail ever, sverige.net
>> in the north american culture, this is usually termed guilty until
>> proven innocent, and generally discouraged. perhaps we should not
>> deprive the customer of rights/services until they have been shown to
>> have abused them?
> I am *so* happy that the power grid doesn't operate this way...

i think history has disabused the apocrypha that the telco or the power
grid are so reliable

randy
Re: FW: The worst abuse e-mail ever, sverige.net
On Wed, 22 Sep 2004 15:44:10 -, Edward B. Dreger said:
> Huh?! Either you're running { UUCP | some strange multihop relaying }
> or I'm totally confused. You connect to your colo box directly. There
> are no other hops along the way.

Unless you do final delivery on that hypothetical 1U colo box
(presumably to yourself and whoever else you give access to), the mail
will almost certainly acquire at least 1 or 2 more Received: lines while
getting to the remote site.

The problem is that some tools run through *all* the Received: headers
looking for borked forward/backward chains or hosts that are in a
blacklist. So if they saw the dialup IP address in one of the earliest
Received: lines, you'd get scored some dings on the spam-o-meter. After
all, 95% of any email that ever passed through a dialup is spam, right?
;)

We now return you to our regularly scheduled episode of What's wrong
with this picture?
Re: FW: The worst abuse e-mail ever, sverige.net
On Wed, 22 Sep 2004, Edward B. Dreger wrote:
> AK headers, so every SA on the way happily scores it rather
> AK high as these RBLs sum up. What would be gained than at the
> AK end of it?
>
> Huh?! Either you're running { UUCP | some strange multihop relaying }
> or I'm totally confused. You connect to your colo box directly. There
> are no other hops along the way.

Older versions of SA, especially with custom DNSBL rules, may have had
this issue (applying DUL type DNSBL rules to IPs in every Received:
header:) but that's been fixed for some time.

Welcome to NANOST (North American Network Operators Spam Talk). But
seriously, anyone who has an interest in such issues ought to at least
occasionally read spam-l or spamtools before posting to nanog about long
fixed problems in old software.

-- 
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
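The scoring difference Valdis and Jon describe above, as an added example (not code from any post in this thread, and not SpamAssassin's own logic): it parses a constructed Received: chain and applies a constructed dialup-style list either to every hop, as the old behaviour did, or only to the last external relay, as the fixed behaviour does. Hostnames, addresses, the list contents and the trusted-network set are all assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample: a home DSL box with generic rDNS submits (authenticated)
# to a colo relay, which then delivers to the recipient's MX. All addresses
# are RFC 5737 documentation ranges; nothing here is a real host.
VIA_COLO = """Received: from colo.example.net (colo.example.net [203.0.113.10])
\tby mx.example.org (Postfix) with ESMTP id 0001
\tfor <someone@example.org>; Wed, 22 Sep 2004 17:00:00 +0200
Received: from home.example.net (dsl-198-51-100-77.example-isp.net [198.51.100.77])
\tby colo.example.net (Postfix) with ESMTPSA id 0002;
\tWed, 22 Sep 2004 16:59:30 +0200
Received: from localhost (localhost [127.0.0.1])
\tby home.example.net (Postfix) with ESMTP id 0003;
\tWed, 22 Sep 2004 16:59:00 +0200
"""

# Constructed sample: the same home box delivering straight to the MX on port 25.
DIRECT = """Received: from home.example.net (dsl-198-51-100-77.example-isp.net [198.51.100.77])
\tby mx.example.org (Postfix) with ESMTP id 0004
\tfor <someone@example.org>; Wed, 22 Sep 2004 17:00:00 +0200
"""

# Constructed stand-in for a dialup/DUL-style DNSBL: the ISP's DSL pool.
DUL_LIST = [ip_network("198.51.100.0/24")]

# The receiving site's own hosts (constructed). Received: headers written by
# these are believed; the first hop *not* inside them is the "last external"
# relay, the only one a DUL-type list is meant to be applied to.
TRUSTED = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    headers: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def received_ips(raw: str) -> List[str]:
    """Connecting-client IP from each Received: header, newest hop first."""
    ips = []
    for header in unfold(raw):
        if not header.lower().startswith("received:"):
            continue
        match = _BRACKETED_IP.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def last_external(ips: List[str]) -> Optional[str]:
    """Walk from the newest hop down; the first address outside TRUSTED is
    the relay that actually handed the message to us."""
    for ip in ips:
        if not in_any(ip, TRUSTED):
            return ip
    return None


def flag_every_hop(raw: str) -> List[str]:
    """Old behaviour described in the thread: DUL check on every Received: IP."""
    return [ip for ip in received_ips(raw) if in_any(ip, DUL_LIST)]


def flag_last_external_only(raw: str) -> List[str]:
    """Fixed behaviour: DUL check only on the last external relay."""
    ip = last_external(received_ips(raw))
    return [ip] if ip is not None and in_any(ip, DUL_LIST) else []


if __name__ == "__main__":
    for name, msg in (("via colo", VIA_COLO), ("direct", DIRECT)):
        print(name, "every hop:", flag_every_hop(msg),
              "last external:", flag_last_external_only(msg))
```

Relaying through the colo box only helps against the fixed behaviour; direct delivery from the DSL address is flagged either way.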
Re: FW: The worst abuse e-mail ever, sverige.net
Steven OK, now let's make it more in line with modern practice:
Steven Say a protocol more or less completely lacked server-server
Steven authentication, or a way to distinguish between client and
Steven server, and that then every day, for ten years, hundreds and
Steven [...]
Steven after accepting the submissions, rather than rejecting at
Steven submission time. Oh, and outbound connections aren't
Steven expected from the vast majority of those hosts.

Are you saying that since you have never had to lock your door before you
shouldn't be required to install one now?

Steven Yes, I think this a reasonable response to use everything at
Steven our disposal to refuse the majority of the unwanted
Steven submissions.

Wouldn't everything at our disposal include developing and installing
locks? Wouldn't that be an obvious first step? Would your first reaction
to finding your house burgled be to phone all the builders of houses in
your neighborhood and demanding they make it impossible for anyone else
to leave their house?

Steven thousands of professional criminals used weaknesses in the
Steven monopoly OS to plant software completely under their control
Steven on fifty million (or so) of these vulnerable hosts,

For email viruses the monopoly OS is not the only cause of blame
(although its manufacturer helped a lot in other ways). If one allows
someone to use an MUA that executes code in Turing complete languages one
has already essentially done what our hapless hypothetical sysadmin did
with authenticationless SSH. The only difference is that our hypothetical
sysadmin will have implemented an interactive system whereas such MUAs
will have implemented a batch system with an awkward JCL called MIME.

Viruses (of the email type that is) spread so easily because we have not
made it clear enough that using one of these MUAs has the same security
implications as letting any user start an anonymous telnet server. Yet
here too all sorts of strange recommendations are made[1]. Suggestions
that would never even be considered if a sysadmin was actually faced with
a user running an anonymous telnet server. Suggestions which by and large
avoid doing what we all would do in an instant if we were faced with this
problem in its telnet guise: requiring authentication.

Does your security policy allow users to implement authenticationless
command servers? If not do you prohibit the batch command servers that
many MUAs have become?

-
[1] Suggestions like we will filter mail for viruses. If an employee was
running anonymous telnet at your place of business would your response be
to attempt to write a filter that would delete any bad scripts? I'm
pretty sure at most places the employee would be forced to stop.
The Trailing Edge (was Re: FW: The worst abuse e-mail ever, sverige.net
On Wed, 22 Sep 2004 12:52:54 EDT, Jon Lewis said:
> Older versions of SA, especially with custom DNSBL rules, may have had
> this issue (applying DUL type DNSBL rules to IPs in every Received:
> header:) but thats been fixed for some time.

In many cases, fixed != deployed, unfortunately. And that adoption curve
has got a LONG tail at the far end going to infinity, because some sites
will never upgrade.

Has anybody done a comparison for different instances of this same
problem (for instance, rate of fixing of 69/8 filters, open SMTP relays,
installing a Microsoft 'critical' software fix, patching
bind/ssh/apache/whatever after a vulnerability is found), to see if the
underlying curve has similar characteristics?

I'm familiar with Eric Rescorla's Security Holes - Who cares? paper
(http://www.rtfm.com/Upgrade-usenix.pdf) and Beattie, Arnold, Cowan,
Wagle, and Wright's Timing the Application of Security Patches for
Optimal Uptime from LISA XVI - any other cites, especially for those that
succeed in mathematically modelling it in the real world well enough to
make predictions from?
RE: FW: The worst abuse e-mail ever, sverige.net
I don't want to add to this bash-fest, but maybe a little context and a
laugh helps... the original posting sounds like utter frustration,
something I'm sure a few people are familiar with if you've ever worked
for a bunch of sociopathic con artists using their service provider
business to steal from people in order to support their
prostitution/drug/gambling habit and/or perpetuation of their cult...
Like my previous employer.

If you work for someone who allows you to subject sales to any sort of
screening, like asking Is your mail server RFC2505 compliant?, luckily
you aren't working for clowns who would sell to anyone (and actually say
things like spammers are a great sales channel!), refer to themselves as
pirates of telecommunications (seriously), and refuse to support any
implementation of known good technical practices if it A) costs 0.01 or
B) inconveniences any spammer (I mean, customer.) And the aftermath of
not implementing reasonable technical practices, is of course, all your
fault (like all of your superblocks being RBLed for consistently selling
service to notorious spammers)... People who treat their engineers with
utter disdain and contempt, as if they are just a sinkhole for their
sales dollars.

Luckily for me, I could just walk away and hand them my two word
resignation letter (that's right: FO). Not everyone can, esp during the
recession. I'm just posting this because if you have never worked in
these conditions, it's hard to comprehend the frustration level, I
certainly didn't before experiencing it myself. And maybe we should find
ways of putting scourge like this out of business.

glad to be back from the dark side, working for a real company again...

Kathy

-----Original Message-----
From: John Curran [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 22, 2004 10:37 AM
To: Lars-Johan Liman
Cc: nanog
Subject: Re: FW: The worst abuse e-mail ever, sverige.net

At 10:16 AM +0200 9/22/04, Lars-Johan Liman wrote:
> I cannot agree to the block port 25 line of action.

You block port 25 until a customer says that they're claim to have setup
a responsible mail submission agent and demonstrate the necessary clue
density. This can be readily determined by having customer support mail
a short form with relevant questions such as Is your mail server RFC2505
compliant?, Please list the mechanism used to secure mail submission to
your server?, and Are you prepared to handle SPAM reports for all email
originated or relayed? No problem for someone who knows what they're
doing but enough to deter the random end user.

/John
Re: FW: The worst abuse e-mail ever, sverige.net
Let's move this thread to some place where people love to talk about spam:

http://www.claws-and-paws.com/spam-l/spam-l.html
-- spam-l list for spam prevention and discussion

http://www.abuse.net/spamtools.html
-- spam tools list for software tools that detect spam

net.admin.net-abuse.email | net.admin.net-abuse.usenet
-- usenet lists
Questionnaire about email policy records to indicate proper source of email (RE: FW: The worst abuse e-mail ever, sverige.net)
As such, when we have seen our IP blocks get blocked strictly because of the rDNS entry having 'dsl' in it, a simple email to the admins explaining that we are not providing dynamic services has gotten our rDNS entries taken off of the blacklist.

I don't particularly like a situation where an outside party has to guess if another ISP's address is dynamic or static and should or should not be a source of email. This is not helpful either to the ISP and their customers or to those trying to filter email and guess which are good and bad IPs.

Let's suppose there was a standardized way that ISPs could enter in their DNS a policy record that says that a certain IP address is/is not used for sending email. Would you be interested in using this? If you answer yes and would like to help towards such a standard, please go through the questions I put below. Your answers will go toward a draft which has a good chance of being used as part of Unified SPF.

To help with creating something that will work well for ISPs as well as for end-users, I'd like to receive answers from both major ISPs and smaller networks and small mail operators, but please answer in private so as not to anger the moderators of this mail list. If you do want to discuss any particular details of the email policy technology, I'd request that you sign up for the SPF discuss mail list: http://spf.pobox.com/mailinglist.html

Now here are the questions, I'd like to receive feedback on:
---
1. Are you ISP? What size?
   a. Major ISP (> 20,000 customers)
   b. Small or Mid-size ISP
   c. End-User network customer who runs a mail server. Specify if it's on
      i. dedicated line or co-located box
      ii. DSL or cable (residential variety)
   d. End-User who does not run own mail server

2. If you're ISP are you willing to quickly deploy these records if such standard becomes available? If so how quickly can you deploy it -
   a. 1-6 months
   b. 6-12 months
   c. > 12 months
   d. Would not deploy it

3. Are you willing to configure/upgrade your email server to check of these policy records and reject SMTP connection based on these records?
   a. Yes - will rely solely on these records
   b. No - will never deploy this
   c. Will not reject SMTP connection based solely on this record, but willing to make it part of overall email filtering system (i.e. adds points to SpamAssassin or similar)

4. Many users and even RIRs have expressed doubts about relying on IN-ADDR and said it has technical problems and/or that IN-ADDR zones are badly maintained by ISPs and that we should not rely on it. Do you agree?
   a. No - IN-ADDR is well maintained by RIRs and ISPs
   b. Yes - IN-ADDR is BAD and can't be fixed, we should not rely on it
   c. There are deployment issues with IN-ADDR due to how ISPs use it but technically it's good and we can rely on it.
   If you answered c: Does your ISP maintain IN-ADDR zones for all its IPs and do you quickly update it based on your customers' requests?
      i. Yes we do. We update zones in 1 day per customer requests
      ii. We maintain it, but don't update it as often as it may be needed. We're willing to make an effort and answer tech support from customers in regards to in-addr records in 24 hours or quicker (same level of support you provide for customer domains hosted on ISP DNS servers).
      iii. We don't maintain IN-ADDR records at all. But are willing to do it if it becomes a requirement for email

5. Would you prefer email policy records be entered in the IN-ADDR zone for each IP or would you prefer it to be entered as part of the HOST record for the PTR address of the IP?
   a. IN-ADDR zone
   b. PTR HOST record
   c. Neither - prefer different alternative. Specify: __
   Note: When thinking about this answer to #5 please also go back to question #4 and think what would be easier for you (as an ISP or end-user) to maintain and provide the ability to update if you or your customers need to be able to update it.

6. The suggestion has been made to allow the DNS policy record for the SMTP mail server name as used in EHLO to override the policy record for the IP, as a way to get around non-cooperative or slow ISPs that don't let their customers control what record is in the IN-ADDR zone. What do you think about this?
   a. No, we should not allow any other mail policy to override the email record for the IP
   b. Yes, that is ok if other policy records override IP records.
   c. This is ok for most cases when some other email policy record can override IP policy records, but in some cases, ISPs do need to specify records that can not be overridden.

7. For the policy record would you prefer to just say that no email is to come from the ip or would
Re: Questionnaire about email policy records to indicate proper source of email (RE: FW: The worst abuse e-mail ever, sverige.net)
Now here are the questions, I'd like to receive feedback on:
---
1. Are you ISP? What size?

I am ISP. Well rather, I'm AN ISP. Okay, so I just operate one, but you get the gist.

2. If you're ISP are you willing to quickly deploy these records if such standard becomes available? If so how quickly can you deploy it -

If you're ISP? Who's asking the questions, Ali G?

3. Are you willing to configure/upgrade your email server to check of these policy records and reject SMTP connection based on these records?

No, because I already utilize multiple DNS-based blacklists which do precisely that (blocking dynamically assigned dialup/cable/DSL address pools), as part of SpamAssassin and other spam filtering mechanisms.

4. Many users and even RIRs have expressed doubts about relying on IN-ADDR and said it has technical problems and/or that IN-ADDR zones are badly maintained by ISPs and that we should not rely on it. Do you agree?

No need to look at in-addr. See above.

6. The suggestion that has been made to allow DNS policy record for SMTP Mail server as used in EHLO to override policy record for IP as a way to get around non-cooperative or slow ISPs that don't let their customers control what record is in the INADDR zone. What do you think about this?

Don't take it personally, but I think that's a bad idea.

7. For the policy record would you prefer to just say that no email is to come from the ip or would you prefer to be able to specify more complex record:

For the policy record? Are you an officer of the court? Columbo? What record are you keeping, and for which organization(s)? Did Ray P. step down and make you the CEO of ARIN?

8. Would you like to have an option as part of policy record that can be used so that other email servers when they see SMTP connection

That doesn't parse. SMTP connections? Or a SMTP connection?

from certain ip would report back to you if ip is used for outgoing email connections?

Yes. I'd hope IP is being used for e-mail connections. It sure beats the alternatives, such as DECnet, AppleTalk, and IPX.

9. Would you like to have an option as part of policy record that lets specify who the administrator is to contact in case

Depends. Lets who specify?

12. Do you consider that these email policy records for ips would be alternative for ISP port 25 blocking or a complimentary technology that can be used together with it?

No. Again, you're reinventing the wheel unnecessarily. See existing DNSBLs.
Re: The Trailing Edge (was Re: FW: The worst abuse e-mail ever, sverige.net
On Wed, 22 Sep 2004 [EMAIL PROTECTED] wrote:

Has anybody done a comparison for different instances of this same problem (for instance, rate of fixing of 69/8 filters, open SMTP relays, installing a

Coworkers keep breaking the SQL db access, and when I notice it broken, I fix it...but http://69box.atlantic.net/cgi-bin/bogon still lists several hundred networks with 69/8 issues. They're still slowly getting fixed. I just found several listed IPs that are finally reachable from 69/8.

--
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net
http://www.lewis.org/~jlewis/pgp for PGP public key
FW: The worst abuse e-mail ever, sverige.net
On 9/21/04 1:00 PM, james edwards [EMAIL PROTECTED] wrote:

Sheesh. Get over /yourself/. Your network is rude by its very existence, if it lets spammers relay crud by way of it. Your own arrogance in thinking it's not your problem to fix is astounding.

I did not say it is not my problem, we have a 10 year history of being very pro-active for all abuse issues and have a dedicated staff person to deal with these issues. Slamming my mail admin because a dial up user has a virus is rude, period. Our dial up address space is listed, if people choose to block mail from that space.

james

To shift this to a more operational tone...

Networks make choices. One choice is to declare their dynamic space and put the duty of ignoring emails from dialup users on the receiving networks. Another choice is to filter port 25. Filtering port 25 has its own costs - some users are offended/bothered by this, since they can't use their own corporate mail servers, in some cases. If a network makes the choice of putting the duty of filtering on the receiving party, they need to accept that this will upset some of those receivers.

Today's security environment means that spam-sending viruses are common. The only responsible thing to do is filter port 25, smarthost for your users, and inform them about using the alternate submission port with authenticated SMTP in order to work with enterprise mail servers - or IPSec VPNs, for that matter. This is simply the best practice, at this point in time. Using humans (dedicated staff person) to stop spam isn't scalable - automated processes are sending this stuff, we need systematic ways to fight it - black/white lists, SPF, port 25 filtering, bayesian filtering and other tools.

--
Daniel Golding
Network and Telecommunications Strategies
Burton Group
Re: FW: The worst abuse e-mail ever, sverige.net
At 01:29 PM 9/21/2004, Daniel Golding wrote:

On 9/21/04 1:00 PM, james edwards [EMAIL PROTECTED] wrote:

Sheesh. Get over /yourself/. Your network is rude by its very existence, if it lets spammers relay crud by way of it. Your own arrogance in thinking it's not your problem to fix is astounding.

I did not say it is not my problem, we have a 10 year history of being very pro-active for all abuse issues and have a dedicated staff person to deal with these issues. Slamming my mail admin because a dial up user has a virus is rude, period. Our dial up address space is listed, if people choose to block mail from that space.

james

To shift this to a more operational tone...

Networks make choices. One choice is to declare their dynamic space and put the duty of ignoring emails from dialup users on the receiving networks. Another choice is to filter port 25. Filtering port 25 has its own costs - some users are offended/bothered by this, since they can't use their own corporate mail servers, in some cases. If a network makes the choice of putting the duty of filtering on the receiving party, they need to accept that this will upset some of those receivers.

Today's security environment means that spam-sending viruses are common. The only responsible thing to do is filter port 25, smarthost for your users, and inform them about using the alternate submission port with authenticated SMTP in order to work with enterprise mail servers - or IPSec VPNs, for that matter. This is simply the best practice, at this point in time. Using humans (dedicated staff person) to stop spam isn't scalable - automated processes are sending this stuff, we need systematic ways to fight it - black/white lists, SPF, port 25 filtering, bayesian filtering and other tools.

I'd add on to this in one area. Dan's text is good as far as it goes. What I'd add is:

Implement Reasonable and Easily Handled INADDR

1) By this I mean provide PTR records for all ports

2) for dialup, DSL and Cable users on dynamic ports who should not generally be running servers, name the INADDR with something like:

w-x-y-z.dialup.example.net
w-x-y-z.dynamic.example.net

or similar. I don't care what scheme you want to use to the LEFT of 'dialup.example.com' or 'dynamic.example.com' but please put the information about these being dynamic blocks in a place where they can be filtered using simple mechanisms (i.e. without regex overheads). With the naming above, it's easy to filter out dialup.example.com in the access lists of mail servers without any worries. Users coming in from those addresses using authenticated connections to the submission port will work fine, while spam direct from those machines will not work. Many ISPs do this quite well. While it's still some work for the receiving systems vs. port 25 filtering, it sure beats guessing about remote topologies.

Also note that while some large ISPs have handed out IP address ranges of dynamically assigned addresses in the past, telling others they can block from those addresses, this results in stale data almost instantly. Keeping this type of thing based on PTR records in DNS means the owner of that space has the job of maintaining the designations, as it should be, and avoids pushing that task onto recipients.

3) Provide proper PTR records for your business customers. A PTR record of .biz.example.net sure looks a lot more questionable than office.example.com (where example.com is a small business, let's say).

4) Think about the other guy. If you have issues identifying what to block on your inbound flows, perhaps you might think about how your naming and other policies affect how others see your outflow. Cooperation makes things better for everyone.

--
Daniel Senie [EMAIL PROTECTED]
Amaranth Networks Inc. http://www.amaranth.com
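An added example, not code from the thread or from Amaranth Networks, of the naming scheme and the suffix filter described in the post above. The pool names dynamic.example.net and dialup.example.net are the post's; the 198.51.100.0/29 block, the client names, and the Postfix-style access-map lines are constructed for illustration. It also handles an edge case the post does not mention: a bare endswith() would sweep a host under notdynamic.example.net into the pool, so the match is anchored on a label boundary, still with no regex.

```python
"""Dynamic-pool rDNS naming and suffix-based filtering (added example).

The pool suffixes follow the post (w-x-y-z.dynamic.example.net); the
address block, client names and Postfix-style map lines are constructed.
"""
import ipaddress

# Pools whose hosts should submit via the ISP smarthost, never speak SMTP
# directly. Assumed names, following the scheme recommended in the post.
DYNAMIC_SUFFIXES = ("dynamic.example.net", "dialup.example.net")


def ptr_name(ip, pool_suffix):
    """w-x-y-z.<pool> name for one IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return f"{str(addr).replace('.', '-')}.{pool_suffix}"


def reverse_zone_records(cidr, pool_suffix):
    """PTR zone lines for every host in the block, so no address is left
    without reverse DNS (point 1 of the post)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [f"{a.reverse_pointer}. IN PTR {ptr_name(a, pool_suffix)}."
            for a in net.hosts()]


def name_matches_ip(ip, ptr):
    """Cheap self-consistency check: does the leftmost label encode the
    connecting IP? This is not a forward lookup; a forged PTR still needs
    a forward-confirmed check before the name is trusted."""
    label = ptr.rstrip(".").split(".", 1)[0]
    return label == str(ipaddress.IPv4Address(ip)).replace(".", "-")


def classify_client(ptr, suffixes=DYNAMIC_SUFFIXES):
    """Receiving-MTA verdict for a client's PTR: 'no-ptr', 'dynamic' or
    'static'. The suffix match is anchored on a label boundary, so a host
    under notdynamic.example.net is not treated as part of the pool."""
    if not ptr:
        return "no-ptr"
    host = ptr.rstrip(".").lower()
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return "dynamic"
    return "static"


def postfix_access_lines(suffixes=DYNAMIC_SUFFIXES,
                         reason="use your ISP's submission service on port 587"):
    """check_client_access-style map lines rejecting a whole pool by domain
    suffix. Postfix's default parent_domain_matches_subdomains setting makes
    a domain key in smtpd access maps match its subdomains as well."""
    return [f"{s}\tREJECT {reason}" for s in suffixes]


if __name__ == "__main__":
    for line in reverse_zone_records("198.51.100.0/29", "dynamic.example.net"):
        print(line)
    for ip, ptr in [("198.51.100.7", "198-51-100-7.dynamic.example.net"),
                    ("203.0.113.25", "mail.example.com"),
                    ("203.0.113.26", "")]:
        consistent = "ip-in-name" if ptr and name_matches_ip(ip, ptr) else ""
        print(ip, ptr or "(none)", "->", classify_client(ptr), consistent)
    print("\n".join(postfix_access_lines()))
```

The verdict from classify_client() is meant to feed an access list or a scoring rule, not to be the only signal: a client in the pool that authenticates on the submission port is fine, and a client with a non-generic name still has to pass the usual checks.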
Re: FW: The worst abuse e-mail ever, sverige.net
on Tue, Sep 21, 2004 at 02:11:11PM -0400, Daniel Senie wrote:

[snip good info]

2) for dialup, DSL and Cable users on dynamic ports who should not generally be running servers, name the INADDR with something like:

w-x-y-z.dialup.example.net
w-x-y-z.dynamic.example.net

or similar. I don't care what scheme you want to use to the LEFT of 'dialup.example.com' or 'dynamic.example.com' but please put the information about these being dynamic blocks in a place where they can be filtered using simple mechanisms (i.e. without regex overheads). With the naming above, it's easy to filter out dialup.example.com in the access lists of mail servers without any worries. Users coming in from those addresses using authenticated connections to the submission port will work fine, while spam direct from those machines will not work. Many ISPs do this quite well. While it's still some work for the receiving systems vs. port 25 filtering, it sure beats guessing about remote topologies.

FYI - I've been tracking rDNS naming conventions for many ISPs for the past year and a half. (Basically, if your network is secure, I don't know about you - I only track rDNS for hosts that relay spam or spew viruses at me). Of the approximately 4800 networks (by domain) I've tracked, 1935 are known to be in the US, Mexico, or Canada. Of those, 509 have some form of RHS-friendly rDNS. Roughly 26%. Better than last year, but still pretty bad.
cgocable.ca cabletv.on.ca aci.on.ca eastlink.ca powergate.ca primus.ca sympatico.ca ubc.ca uoguelph.ca uniserve.ca utoronto.ca videotron.ca netidea.bc.ca ulaval.ca ualberta.ca dal.ca uottawa.ca uwo.ca connection.ca terago.ca accesscomm.ca ucc-net.ca sfu.ca yorku.ca ncf.ca rushcomm.ca eol.ca mcgill.ca oricom.ca vdn.ca amdsb.ca umontreal.ca cyberus.ca knet.ca magma.ca mcmaster.ca usherbrooke.ca cgi.ca unb.ca sprintdsl.ca

aol.com aracnet.com atlantabroadband.com attbi.com insightbb.com mchsi.com bbtel.com ccapcable.com cerfnet.com charter.com dancris.com execulink.com mindspring.com nexband.com rcn.com redshift.com ripnet.com rogers.com rr.com theplanet.com wideopenwest.com xmission.com cablenet-va.com charter-ala.com cox-internet.com quik.com gvtc.com bah.com lan2wan.com westelcom.com power1.com mdsg-pacwest.com eschelon.com gvtel.com nettally.com octapus.com firstlink.com hbci.com iinet.com naxs.com ntplx.com tfb.com srtnet.com theriver.com vcn.com visi.com webhostplus.com winbeam.com gtlakes.com varian.com royaume.com primarydns.com netdoor.com registeredsite.com bearingpoint.com core.com tvc-ip.com teksavvy.com opt2opt.com quiknet.com srt.com pcspeed.com cadvision.com mynethost.com 800hosting.com scrtc.com speede.com warpdriveonline.com wavecable.com lightyearcom.com midmaine.com prairieweb.com c2bandwidth.com innercite.com cintelecom.com hyperusa.com seanet.com cwia.com mcttelecom.com osp-chicago.com primenet.com fire2wire.com calltech.com anobi.com telus.com hyatthsiagx.com spiritone.com aesirnetworks.com foxinternet.com willscot.com acetechusa.com aeanetwork.com alabanza.com arishost.com calpop.com computechnv.com datapeer.com fatcow.com iwaynetworks.com linuxwebnet.com mobilenetics.com skybitz.com tir.com unitedcolo.com zedcom.com zoolink.com crestviewcable.com mipops.com neteze.com wilnet1.com conninc.com

asu.edu berkeley.edu brown.edu bucknell.edu cmich.edu cmu.edu colorado.edu columbia.edu cornell.edu csulb.edu csuohio.edu dartmouth.edu duke.edu ecu.edu fsu.edu furman.edu gac.edu gatech.edu harvard.edu hawaii.edu indiana.edu msu.edu ncsu.edu nodak.edu pepperdine.edu psu.edu
Re: FW: The worst abuse e-mail ever, sverige.net
On Tue, 21 Sep 2004, Daniel Senie wrote:

w-x-y-z.dialup.example.net
w-x-y-z.dynamic.example.net

The company I work for hands out static IP addresses to all DSL subscribers (one IP only per subscriber in all cases). Is there a BCP as to what to do with this regarding registering with RBLs etc, so we won't get our entire netblock blacklisted when a single subscriber gets backdoored/trojaned/virus-infected?

--
Mikael Abrahamsson email: [EMAIL PROTECTED]
Re: FW: The worst abuse e-mail ever, sverige.net
On Tue, 21 Sep 2004, Dan Mahoney, System Admin wrote:

Unless your connection is permanent, with a permanent static ip, you should not be *directly* sending out mail. The very nature of dynamic ips implies that even if a single subscriber gets infected, you have no guarantee YOU won't wind up with that ip next.

As I said, this is DSL, which to me implies always on. Each DSLAM port only allows one IP address, this is set statically. The customer has a static IP address assigned to him/her, which never changes over time. No DHCP, nothing dynamic whatsoever. If you want to make yourself unreachable to one of our customers you blacklist their IP which is always the same. Simple.

Now, how do we make the world understand this?

--
Mikael Abrahamsson email: [EMAIL PROTECTED]
RE: FW: The worst abuse e-mail ever, sverige.net
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Abrahamsson
Sent: Tuesday, September 21, 2004 1:01 PM

As I said, this is DSL, which to me implies always on. Each DSLAM port only allows one IP address, this is set statically. The customer has a static IP address assigned to him/her, which never changes over time. No DHCP, nothing dynamic whatsoever. If you want to make yourself unreachable to one of our customers you blacklist their IP which is always the same. Simple.

We configure our DSL customers the same way you do. Static PVC, Static IP. Each user has a static IP and in 99% of the cases, we do not assign any dynamic IPs. However, I would say that it is safe to say that the majority of the ILECs here in the US provide DSL service where the IP is dynamic. Most of the time, it doesn't change, but it is very possible that the next time that the user logs in (most are also using PPPoE for the connection setup) that the DHCP server might give them another IP.

As such, when we have seen our IP blocks get blocked strictly because of the rDNS entry having 'dsl' in it, a simple email to the admins explaining that we are not providing dynamic services has gotten our rDNS entries taken off of the blacklist.

-Sean

Sean P. Crandall
VP Engineering Operations
MegaPath Networks Inc.
6691 Owens Drive
Pleasanton, CA 94588
(925) 201-2530 (office)
(925) 201-2550 (fax)
Re: FW: The worst abuse e-mail ever, sverige.net
On Tue, 2004-09-21 at 13:01, Mikael Abrahamsson wrote:

On Tue, 21 Sep 2004, Dan Mahoney, System Admin wrote:

Unless your connection is permanent, with a permanent static ip, you should not be *directly* sending out mail. The very nature of dynamic ips implies that even if a single subscriber gets infected, you have no guarantee YOU won't wind up with that ip next.

As I said, this is DSL, which to me implies always on. Each DSLAM port only allows one IP address, this is set statically. The customer has a static IP address assigned to him/her, which never changes over time. No DHCP, nothing dynamic whatsoever. If you want to make yourself unreachable to one of our customers you blacklist their IP which is always the same. Simple.

Now, how do we make the world understand this?

When this customer discontinues service, would you want to reuse this address? If your network was (ab)used sending spam, then the next customer may find this address unusable and you would need to contact a few hundred blacklists in an attempt to rehabilitate the address. As a prophylactic measure, Port 25 is blocked or transparently intercepted to monitor the network via error logs. For external mail submissions, Port 587 would be recommended. There is an overview of this at: http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt

-Doug
port 25 blocking [Re: FW: The worst abuse e-mail ever, sverige.net]
On Tue, 21 Sep 2004, Douglas Otis wrote:

As a prophylactic measure, Port 25 is blocked or transparently intercepted to monitor the network via error logs. For external mail submissions, Port 587 would be recommended. There is an overview of this at: http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt

We want to receive abuse email and act on them, doesn't matter if customers are infected and sending spam or if they're infected and trying to remote-exploit web-servers or windows computers or what have you.

We've been considering using netflow to detect end-users doing a lot of port 25 activity towards a lot of random destinations, I find this much more net-friendly than to just block 25 and force them to use our smarthost (also stops our smarthost from being blacklisted by some overzealous blacklist-admins). Starting to block just means you will have to block more and more all the time. Port 135-139 and 445 will be practically unusable on the network for a long time (some users complain about this).

I was under the impression that most blacklists would have a time-out period when there was no more activity from this certain IP, it would be removed from the blacklist. Is this not the case?

Also, having hundreds of blacklists as per your email seems like a very silly idea? I can understand 3-5, but hundreds?

--
Mikael Abrahamsson email: [EMAIL PROTECTED]
Re: FW: The worst abuse e-mail ever, sverige.net
on Tue, Sep 21, 2004 at 02:04:18PM -0700, Sean Crandall wrote: We configure our DSL customers the same way you do. Static PVC, Static IP. Each user has a static IP and in 99% of the cases, we do not assign any dynamic IPs. However, I would say that it is safe to say that the majority of the ILECs here in the US provide DSL service where the IP is dynamic. Most of the time, it doesn't change, but it is very possible that the next time that the user logs in (most are also using PPPoE for the connection setup) that the DHCP server might give them another IP. As such, when we have seen our IP blocks get blocked strictly because of the rDNS entry having 'dsl' in it, a simple email to the admins explaining that we are not providing dynamic services has gotten our rDNS entries taken off of the blacklist. Why do you assume that an IP being static, but having generic rDNS showing it to be a DSL line, automatically makes it worthy of relaying or sending mail? I certainly don't make that assumption - rather the opposite, given my experience of the past three years. In my view of the universe, IPs with generically named rDNS should never emit mail except by way of a suitably configured MTA, which ought to have non-generic rDNS, preferably of the sort 'mail.$domain' where [EMAIL PROTECTED] is a live account manned by an abuse desk, rather than a generic '1-2-3-4.assignmenttype.technologytype.bigisp.example.net', where complaints to [EMAIL PROTECTED] may or may not make any difference. 
In the past 60 days, we've refused mail from ip-69-33-132-156.nyc.megapath.net (claimed to be 'hal.org', and sender was a yahoo.com account) and ip-66-80-96-99.aus.megapath.net (claimed to be 'asu.edu', and sender was an asu.edu account) and ip-66-80-90-195.iad.megapath.net (claimed to be 'ccs1.clinicofcosmeticsurgery.com', sent to an inactive account) and ip-66-80-206-37.lax.megapath.net (claimed to be 'mail.totexusa.com', sent to my account - I don't know anyone at 'totexusa.com'; both messages were backscatter from a joe job)

Were we wrong to do so? I don't think so. Static or dynamic, makes little difference. Today's email services require more than the current status quo. And I haven't seen any reason to adjust my policy.

I'm left with the overall impression from many on this thread that in the view of many ISPs, DNSBLs have removed the ISP's burden of policing their own networks. And that's a shame.

Steve

PS: this message certified ad hominem free :/

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/web_designer.html
join us! http://hesketh.com/about/careers/account_manager.html
Re: port 25 blocking [Re: FW: The worst abuse e-mail ever, sverige.net]
On Tue, 21 Sep 2004 23:22:42 +0200, Mikael Abrahamsson said:

Also, having hundreds of blacklists as per your email seems like a very silly idea? I can understand 3-5, but hundreds?

Just because one organization with clue provides a BGP feed with the current list of bogon addresses doesn't mean there aren't still several hundred sites that are still blocking 69/8 as a bogon. Similarly for blacklists - lots of sites have their own personal list of places they really don't want to hear from.
Re: FW: The worst abuse e-mail ever, sverige.net
On Tue, Sep 21, 2004 at 01:29:44PM -0400, Daniel Golding wrote:

[snip]

Another choice is to filter port 25. Filtering port 25 has its own costs - some users are offended/bothered by this, since they can't use their own corporate mail servers, in some cases.

[snip]

SUBMIT, SASL, etc. This is a solved problem; if MS Lookout! Virus Express! supports it, you know it isn't rocket science. SMTP 25 is for inter-server traffic. There is absolutely no reason for end-user pseudo-MTAs to use it. Some networks will enforce it. Expect that and move on.

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: FW: The worst abuse e-mail ever, sverige.net
Daniel The only responsible thing to do is filter port 25, Daniel smarthost for your users, and inform them about using the Daniel alternate submission port with authenticated SMTP in order Daniel to work with enterprise mail servers - or IPSec VPNs, for Daniel that matter. This is simply the best practice, at this point Daniel in time. Using humans (dedicated staff person) to stop Daniel spam isn't scalable - automated processes are sending this Daniel stuff, we need systematic ways to fight it - black/white Daniel lists, SPF, port 25 filtering, bayesian filtering and other Daniel tools. Let's put this in perspective. Say a hypothetical sysadmin were to disable any and all authentication on his SSH server. And that someone then used SSH from your network to run code that sysadmin didn't like on that machine. Would you then consider it reasonable if the sysadmin proposed: The only responsible thing to do is filter port 22, smarthost for your users, and inform them about using the alternate submission port with authenticated SSH in order to work with enterprise SSH servers - or IPSec VPNs, for that matter. This is simply the best practice, at this point in time. For that matter would anyone take seriously someone who then proposed as a solution to the breakin[1] that: we need systematic ways to fight it - black/white lists, SSH Permitted From, port 22 filtering, bayesian filtering and other tools in order to filter out harmful commands while allowing anything else to get through without ever once suggesting enabling passwords or SSH keys? If you don't want to accept mail from anyone and everyone then make them use a password or a key to send mail to you. There are several ways to do this right now. (For example, procmail is your friend.) If you don't like something that arrives in your house figure out a way to put a lock on your door. Don't insist everyone else is at fault because they wouldn't put bars over their own. 
- [1] A curious term since it's hard to imagine a way to leave the door open much wider than our hapless hypothetical sysadmin has.
Re: port 25 blocking [Re: FW: The worst abuse e-mail ever, sverige.net]
On Tue, 2004-09-21 at 14:22, Mikael Abrahamsson wrote:

On Tue, 21 Sep 2004, Douglas Otis wrote:

As a prophylactic measure, Port 25 is blocked or transparently intercepted to monitor the network via error logs. For external mail submissions, Port 587 would be recommended. There is an overview of this at: http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt

We want to receive abuse email and act on them, doesn't matter if customers are infected and sending spam or if they're infected and trying to remote-exploit web-servers or windows computers or what have you.

We've been considering using netflow to detect end-users doing a lot of port 25 activity towards a lot of random destinations, I find this much more net-friendly than to just block 25 and force them to use our smarthost (also stops our smarthost from being blacklisted by some overzealous blacklist-admins).

Cisco offers a Content Services Gateway that will allow audit of SMTP error messages as example. Just looking at user SMTP traffic will not always be a good indication something nefarious is happening. The Whack-a-Mole game that results may clobber your good customers perhaps once too often. Tracking the reply codes for things like 550,1,3 and filtering for results greater than 50 or so should alert you that something bad is happening, or that they are having a hard time typing addresses. : )

Starting to block just means you will have to block more and more all the time. Port 135-139 and 445 will be practically unusable on the network for a long time (some users complain about this).

I was under the impression that most blacklists would have a time-out period when there was no more activity from this certain IP, it would be removed from the blacklist. Is this not the case?

Hard to know how the average black-listing service ages their data. Some IP addresses cycle over large periods of time. Some segments were so bad, a few providers enter them using BGP into a router to conserve network resources. That entry may live for decades and be very difficult to correct.

Also, having hundreds of blacklists as per your email seems like a very silly idea? I can understand 3-5, but hundreds?

I was not recommending that you post to blacklisting services, but rather that you will end up dealing with these services in an effort to allow the address to once again reliably send mail should your customer expect that ability.

-Doug
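An added example, not code from the thread or from any vendor's gateway, of the two ISP-side detections discussed in the exchange above: the netflow-style fan-out check Mikael describes (one source opening port-25 connections to many distinct destinations) and the reply-code count Doug suggests (permanent failures such as 550 per client, flagged above roughly 50). The flow tuples and the log lines are constructed inline, and the log layout (client=<ip> reply=<code> ...) is an assumption for the example rather than any real product's format.

```python
"""Two ways to spot an infected customer from the ISP side (added example).

Flow tuples and log lines are constructed here; the log format
(client=<ip> reply=<code> ...) is assumed, not any particular gateway's.
"""
from collections import defaultdict

# Permanent-failure replies worth counting per client. The post names the
# 55x family; the exact set used here is an assumption.
BOUNCE_CODES = frozenset({"550", "551", "553"})


def port25_fanout(flows, min_distinct_dests=20):
    """flows: iterable of (src_ip, dst_ip, dst_port).
    Return {src: distinct port-25 destinations} for sources at or above the
    threshold. Counting distinct destinations rather than bytes is what
    separates a spam engine from a host that only talks to its own MX."""
    dests = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 25:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= min_distinct_dests}


def parse_reply(line):
    """(client_ip, reply_code) from one 'client=... reply=...' line, or None
    when either field is missing or the code is not numeric."""
    client = code = None
    for tok in line.split():
        if tok.startswith("client="):
            client = tok[len("client="):]
        elif tok.startswith("reply="):
            code = tok[len("reply="):]
    if client and code and code.isdigit():
        return client, code
    return None


def reject_counts(lines, codes=BOUNCE_CODES):
    """Number of permanent rejections seen per client address."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_reply(line)
        if parsed and parsed[1] in codes:
            counts[parsed[0]] += 1
    return dict(counts)


def flag_rejecters(lines, threshold=50):
    """Clients whose rejection count exceeds the threshold (~50 per the post).
    A handful of 550s is a typo; dozens in a minute is a dictionary run."""
    return {c: n for c, n in reject_counts(lines).items() if n > threshold}


def sample_flows():
    """Constructed: one zombie fanning out to 40 MXes, one normal host that
    only reaches its own mail server and a web site."""
    flows = [("10.0.0.5", f"198.51.100.{i}", 25) for i in range(1, 41)]
    flows += [("10.0.0.9", "192.0.2.10", 25), ("10.0.0.9", "192.0.2.10", 25),
              ("10.0.0.9", "192.0.2.80", 80)]
    return flows


def sample_log():
    """Constructed intercept log: 60 user-unknown bounces from the zombie,
    one typo from the normal host, one line without the expected fields."""
    lines = [f"2004-09-21T13:01:{i:02d} client=10.0.0.5 reply=550 5.1.1 "
             f"<user{i}@example.org>: Recipient address rejected: User unknown"
             for i in range(60)]
    lines += [
        "2004-09-21T13:05:00 client=10.0.0.9 reply=250 2.0.0 Ok: queued as 3F2A1",
        "2004-09-21T13:05:01 client=10.0.0.9 reply=550 5.1.1 <typo@example.org>: User unknown",
        "2004-09-21T13:05:02 gateway restart, no client fields on this line",
    ]
    return lines


if __name__ == "__main__":
    print("fan-out:", port25_fanout(sample_flows()))
    print("rejects:", reject_counts(sample_log()))
    print("flagged:", flag_rejecters(sample_log()))
```

Both signals are meant to open an abuse ticket, not to block on their own: the fan-out threshold should be tuned against what legitimate customer MTAs on the network actually do, and the reply-code count only exists if port 25 is transparently intercepted rather than dropped outright.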
Re: FW: The worst abuse e-mail ever, sverige.net
:Let's put this in perspective. Say a hypothetical sysadmin were to :disable any and all authentication on his SSH server. And that :someone then used SSH from your network to run code that sysadmin :didn't like on that machine. Would you then consider it reasonable if :the sysadmin proposed: : : The only responsible thing to do is filter port 22, smarthost for : your users, and inform them about using the alternate submission : port with authenticated SSH in order to work with enterprise SSH : servers - or IPSec VPNs, for that matter. This is simply the best : practice, at this point in time. : Apples oranges; thanks for playing, please try again...