Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Lars-Johan Liman

[EMAIL PROTECTED]:
  Most DSL providers that hand out static addressing also have the means
 to delegate the rDNS. Sounds like it is time to get your own DNS on.

They have the means (by definition). They don't have the willingness.

Cheers,
  /Liman


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Lars-Johan Liman

[EMAIL PROTECTED]:
 You block port 25 until a customer says that they claim to have
 set up a responsible mail submission agent and demonstrate the
 necessary clue density.

Then in all fairness block also port 80. A comparable amount of junk
is sent using port 80.

 This can be readily determined by having customer support mail
 a short form with relevant questions such as "Is your mail server
 RFC2505 compliant?", "Please list the mechanism used to secure
 mail submission to your server?", and "Are you prepared to handle
 SPAM reports for all email originated or relayed?"   No problem for
 someone who knows what they're doing but enough to deter the
 random end user.

Ditto  | sed  -e 's/25/80/' -e 's/SMTP/HTTP/' -e 's/MIME/HTML/'

:-)

Cheers,
  /Liman


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Lars-Johan Liman

[EMAIL PROTECTED]:
 Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
 where to send the abuse reports.

I did.

Reverse *what*?

Just to clue you in. They used to have the only two authoritative
servers for their reverse zone sitting on the same LAN with the IP#s
next to each other. When that LAN goes out (happens from time to time)
there is *NO* rDNS, with the obvious lame delegation time-outs from
servers I (as a customer of theirs) try to access. (In all fairness,
I just checked my facts, and it seems as if they have recently improved
on that situation.)

Like I said, I barely trust them to move bits to my box.

 I don't mind at all. Get rDNS that provides a clue that you have a clue,
 and I'm happy as all get out to accept mail from you. Otherwise, you're
 functionally identical to fifty million spam zombies, as far as I have
 time to determine.

 Understand me? You're the /rare exception/.

I *understand* that I'm a rare exception.

The problem is that the world *won't let me* be a well functioning
exception. My ISP won't let me have my own rDNS, and you won't let
me use port 25 properly.

 Because that's how things are today. You're a 1-in-50-million chance,
 as far as I can tell from my mail server.

With that attitude you're never going to improve things ...

Cheers,
  /Liman


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Paul Wouters
On Thu, 23 Sep 2004, Lars-Johan Liman wrote:
 I *understand* that I'm a rare exception.
 The problem is that the world *won't let me* be a well functioning
 exception.

Correction, the world *can't* let you be a well functioning
exception.

People always scream 'no censorship', but there are only so many more
mail servers and preprocessing machines you can throw at a $20/month
account.

You don't hear me complaining the $0.50 washing powder couldn't get
the motor oil out of my velvet shirt. People don't scream 'cripple ware'
at the washing powder.

 My ISP won't let me have my own rDNS, and you won't let
 me use port 25 properly.

And Unilever won't let me clean my shirt.

 Because that's how things are today. You're a 1-in-50-million chance,
 as far as I can tell from my mail server.

 With that attitude you're never going to improve things ...

If you ditched your ISP for the non-service they are offering, and go
to one that does allow your rDNS records, things would improve not
only for you, but for the world too as this ISP is losing customers and
either goes away or changes their policy.

The real question is, how much money is it worth to you. But don't
put the blame on us for not adding another rack of mailservers so people
like you can get their mail out.
Paul
--
Non cogitamus, ergo nihil sumus


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Randy Bush

 The problem is that the world *won't let me* be a well functioning
 exception.
 Correction, the world *can't* let you be a well functioning exception.

not true.  it can but many have decided not to.

randy



Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Paul Wouters
On Thu, 23 Sep 2004, Randy Bush wrote:
 The problem is that the world *won't let me* be a well functioning
 exception.
 Correction, the world *can't* let you be a well functioning exception.
 not true.  it can but many have decided not to.
Just like I also 'chose' to not read messages tagged by software as spam.
There is no choice.
Paul
--
Non cogitamus, ergo nihil sumus


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Peter Corlett

Lars-Johan Liman [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED]:
 Congrats. Ask your ISP for non-generic rDNS, in your domain, so I
 know where to send the abuse reports.
 I did. Reverse *what*?

I took my home ADSL to a company that delegates appropriate bits of
in-addr.arpa to my servers. I suggest you might want to do the same.

-- 
PGP key ID E85DC776 - finger [EMAIL PROTECTED] for full key


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Steven Champeon

on Thu, Sep 23, 2004 at 10:37:10AM +0200, Lars-Johan Liman wrote:
 
 [EMAIL PROTECTED]:
  Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
  where to send the abuse reports.
 
 I did.
 
 Reverse *what*?

So explain it to them in words of two syllables or less, where possible.
I recommend using "I am finding a new eye ess pee."
 
  Because that's how things are today. You're a 1-in-50-million chance,
  as far as I can tell from my mail server.
 
 With that attitude you're never going to improve things ...

/My/ attitude? You're the one giving your money to a bunch of incompetents.

-- 
join us!   http://hesketh.com/about/careers/web_designer.html   join us! 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.htmljoin us!


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-23 Thread Etaoin Shrdlu
I was just going to stay out of this, but I can't...
Steven Champeon wrote:
 on Thu, Sep 23, 2004 at 10:37:10AM +0200, Lars-Johan Liman wrote:
  [EMAIL PROTECTED]:
   Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
   where to send the abuse reports.

  I did.
  Reverse *what*?

 So explain it to them in words of two syllables or less, where possible.
 I recommend using "I am finding a new eye ess pee."

There's plenty of them out there that will welcome you, as well. When I
call tech support, I never get the nonsense about rebooting my machine
to fix things. In fact, I usually have someone on the line who has heard
of Slackware and OpenBSD. You get what you pay for.

   Because that's how things are today. You're a 1-in-50-million chance,
   as far as I can tell from my mail server.

  With that attitude you're never going to improve things ...

 /My/ attitude? You're the one giving your money to a bunch of incompetents.

You know, it's just not that hard. I have what is termed "Business
Class" SDSL, which may be pricier than the average geek wants to pay,
but so what? If you want to be treated as _not one of the crowd_ of
random clueless users, you need to differentiate yourself in a way that
is simple for others, _not for yourself_. I have friends who have only
one dedicated IP, but it's from an ISP that takes reverse seriously, and
that will happily delegate to them, if desired.

It isn't everyone else's responsibility to cater to you, if you can't
get even the simplest stuff (rdns) fixed. Oh, and mine isn't delegated
to me, but I don't worry about it, since it has a nice rdns that I'm
fine with (and I like the anonymity when I browse elsewhere).

--
You've confused equality of opportunity for equality of outcomes,
and have seriously confused justice with equality.
   -- Woodchuck



Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Lars-Johan Liman

I cannot agree to the "block port 25" line of action.

I am a Unix sysadmin, with 15 years of experience as a sendmail and DNS
expert. I have a DSL line at home, with static IP, and generic rDNS
provided by my ISP. Behind it I have a serious Unix server, configured
to roughly the same standard that I use at work.
 
I know enough about this business to not trust my ISP with anything
more than moving packets to and from my server (and even that is
stretching it ;-). I don't want to pay for their lousy mail service,
I can do it better myself.

And you don't want to let me?

Now, *why* should *I* be punished because the rest of my neighbours
have chosen to jump into the commercial bed of an operating system
that is a walking invitation to cracking?

The Internet is designed to be end-to-end.

I know of ISPs that try to filter out IP telephony to force the users
to use and pay for the ISP's VOIP service. Is that OK?  No, I thought
not. But remember - when VOIP gets deployed really wide and far (like
e-mail today), you'll start to receive a lot more abusive phone
calls. Why?

This all boils down to cost and cost model. In the real world, the
sender pays for the (paper) mail message. In the electronic world,
the bigger cost is carried by the recipient. This model will break in
the future.

It's too d---ned cheap to send out spam, and it'll be too d---ned
cheap to sell your stuff over VOIP in the future.

We could fight all this, but it takes manpower and competence, and
manpower and competence cost real money - money that the customer is
not willing to spend ... yet.

This is a market problem. It will eventually sort itself out, but
stopping serious and sensible people from using the Internet as it is
designed, is not the right way to do it. If the Internet is going to
survive - the cost model has to change. Or, there's another future,
where the Internet as we know it is just a packet transport system,
on which we build our own (several) virtual networks which are only
reachable by the community (-ies) that we choose. Configuration
nightmare. But someone will make money by providing software tools to
help us make our worlds as complex as possible (see NAT in your
dictionary ...)

(Hmm. Maybe I should start a BGP feed that blacklists all ISPs that
block port 25? Hmm. Hmm. Any takers? :-)

Cheers,
  /Liman
#--
# There are 10 kinds of people in the world. Those who understand
# binary numbers, and those who don't.
#--
# Lars-Johan Liman, M.Sc.   ! E-mail: [EMAIL PROTECTED]
# Senior Systems Specialist ! HTTP  : //www.autonomica.se/
# Autonomica AB, Stockholm  ! Voice : +46 8 - 615 85 72
#--


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Steven Champeon

on Wed, Sep 22, 2004 at 10:16:41AM +0200, Lars-Johan Liman wrote:
 
 I cannot agree to the "block port 25" line of action.
 
 I am a Unix sysadmin, with 15 years of experience as a sendmail and DNS
 expert. I have a DSL line at home, with static IP, and generic rDNS
 provided by my ISP. Behind it I have a serious Unix server, configured
 to roughly the same standard that I use at work.

Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
where to send the abuse reports.
  
 I know enough about this business to not trust my ISP with anything
 more than moving packets to and from my server (and even that is
 stretching it ;-). I don't want to pay for their lousy mail service,
 I can do it better myself.
 
 And you don't want to let me?

I don't mind at all. Get rDNS that provides a clue that you have a clue,
and I'm happy as all get out to accept mail from you. Otherwise, you're
functionally identical to fifty million spam zombies, as far as I have
time to determine.

Understand me? You're the /rare exception/.
 
 Now, *why* should *I* be punished because the rest of my neighbours
 have chosen to jump into the commercial bed of an operating system
 that is a walking invitation to cracking?

Because that's how things are today. You're a 1-in-50-million chance,
as far as I can tell from my mail server.
 
[snip unhelpful Internet architecture lesson]

-- 
join us!   http://hesketh.com/about/careers/web_designer.html   join us! 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.htmljoin us!


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Robert E . Seastrom


Lars-Johan Liman [EMAIL PROTECTED] writes:

 I cannot agree to the "block port 25" line of action.

 I am a Unix sysadmin, with 15 years of experience as a sendmail and DNS
 expert. I have a DSL line at home, with static IP, and generic rDNS
 provided by my ISP. Behind it I have a serious Unix server, configured
 to roughly the same standard that I use at work.
 ...
 This all boils down to cost and cost model.

Yep, precisely.  You're running a business/professional type of
configuration on a consumer-grade circuit.  Your ISP has to assume
that you're Joe or Jane Luddite with an unpatched Windows PC when you
buy this configuration, but your requirements are outside of the
standard product definition (and best current practices) for consumer
b/w.

Buy an appropriate connectivity product for your home connectivity and
the problems go away.  Put your servers in a colo (a la
http://www.vix.com/personalcolo/ ) and the problems go away.  It costs
more to maintain a zone file that is not created by a perl script (ie,
your generic rDNS).  You can expect to pay for this.  Presumably as a
Unix sysadmin with 15 years of experience, this is a cost you can
afford/justify.

---Rob
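Steven's "rDNS that provides a clue that you have a clue", Rob's point that generic rDNS is a zone file written by a perl script, and Liman's complaint (earlier in the thread) about both servers for his ISP's reverse zone sitting on one LAN come down to three checks a receiving site, or an ISP deciding whether to lift a port-25 block, can automate. The Python below is an added example and is not code from the thread or from any product named in it. The PTR, A and NS tables are constructed stand-ins for DNS answers so it runs offline; a real deployment would do the lookups with a resolver library.

```python
"""Three offline checks on a connecting address's reverse DNS.

Added example (not code from the thread).  DNS answers are stubbed with
the constructed PTR_TABLE, A_TABLE and NS_TABLE below.
"""
import ipaddress
import re

# Tokens ISPs put into templated reverse names.  Matched only at a label
# boundary, so "dsl" in ".dsl.example.com" counts and "gdsl" would not.
# Heuristic: a hand-named host such as host1.example.com can still trip it.
_GENERIC_TOKEN = re.compile(
    r"(?:^|[.-])(?:a?dsl|cable|dyn(?:amic)?|dhcp|pool|ppp|dial(?:up)?|"
    r"static|cust(?:omer)?|host)(?=[.\-\d]|$)", re.I)


def is_generic_ptr(ip, ptr):
    """True if the PTR looks scripted from the address rather than chosen.

    Three or more of the four octets appear as numbers in the name (any
    separator, any order, zero padding ignored), or at least one octet
    appears together with a generic token such as dsl/dyn/pool.
    """
    octets = str(ipaddress.ip_address(ip)).split(".")
    name = ptr.rstrip(".").lower()
    numbers = {str(int(n)) for n in re.findall(r"\d+", name)}
    shared = sum(1 for o in octets if o in numbers)
    if shared >= 3:
        return True
    return shared >= 1 and _GENERIC_TOKEN.search(name) is not None


def fcrdns_ok(ip, ptr, lookup_a):
    """Forward-confirmed rDNS: some A record of the PTR name is ip itself."""
    return str(ipaddress.ip_address(ip)) in lookup_a(ptr)


def ns_single_point_of_failure(ns_addresses, prefix=24):
    """True when every authoritative server for a zone lives in one /prefix.

    This is the "both servers on the same LAN" layout: one outage there
    and the whole reverse zone goes lame for everyone, and each lookup
    waits out a timeout before giving up.
    """
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in ns_addresses}
    return len(nets) <= 1


# Constructed DNS answers (TEST-NET addresses, example domains).
PTR_TABLE = {
    "192.0.2.77": "77-2-0-192.dsl.example.com.",   # ISP template
    "192.0.2.78": "mail.liman-home.example.se.",   # delegated to the customer
    "192.0.2.79": "mail.liman-home.example.se.",   # same name, but no A record back
}
A_TABLE = {
    "77-2-0-192.dsl.example.com.": ["192.0.2.77"],
    "mail.liman-home.example.se.": ["192.0.2.78"],
}
NS_TABLE = {
    "2.0.192.in-addr.arpa.": ["192.0.2.10", "192.0.2.11"],           # same LAN
    "100.51.198.in-addr.arpa.": ["198.51.100.53", "203.0.113.53"],   # separate
}


def assess(ip):
    """Combine the checks into the decision a receiver would make."""
    ptr = PTR_TABLE.get(ip)
    if ptr is None:
        return {"ptr": None, "generic": None, "fcrdns": False, "accept": False}
    generic = is_generic_ptr(ip, ptr)
    confirmed = fcrdns_ok(ip, ptr, lambda name: A_TABLE.get(name, []))
    return {"ptr": ptr, "generic": generic, "fcrdns": confirmed,
            "accept": confirmed and not generic}


if __name__ == "__main__":
    for ip in ("192.0.2.77", "192.0.2.78", "192.0.2.79", "192.0.2.80"):
        print(ip, assess(ip))
    for zone, servers in NS_TABLE.items():
        print(zone, "single point of failure:", ns_single_point_of_failure(servers))
```

The .79 entry is the case worth keeping in mind when treating a nice-looking PTR as a credential: anyone who controls a reverse zone can put any name in it, so only a forward-confirmed name says anything about who is behind the address.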




Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Alexander Koch

On Wed, 22 September 2004 10:40:30 -0400, Robert E.Seastrom wrote:
[..]
 Buy an appropriate connectivity product for your home connectivity and
 the problems go away.  Put your servers in a colo (a la
 http://www.vix.com/personalcolo/ ) and the problems go away.  It costs
 more to maintain a zone file that is not created by a perl script (ie,
 your generic rDNS).  You can expect to pay for this.  Presumably as a
 Unix sysadmin with 15 years of experience, this is a cost you can
 afford/justify.

What will that 1U server help me if I am sending stuff from
my Unix box at home via SMTP to it when my IP block is in
the various 'dialup' RBLs and ends up in the Received
headers, so every SA on the way happily scores it rather
high as these RBLs sum up. What would be gained then at the
end of it?

Alexander



Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Suresh Ramasubramanian
Alexander Koch wrote:
What will that 1U server help me if I am sending stuff from
my Unix box at home via SMTP to it when my IP block is in
the various 'dialup' RBLs and ends up in the Received
headers, so every SA on the way happily scores it rather
high as these RBLs sum up. What would be gained then at the
end of it?
$ ssh -2 -L2525:your.mail.server:25 [EMAIL PROTECTED]
	srs (check my headers and tell me if you can see my home dsl ip)


RE: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Miller, Mark

Most DSL providers that hand out static addressing also have the means
to delegate the rDNS. Sounds like it is time to get your own DNS on.

- Mark E. Miller

...it said: "Install Windows 2000 or better"...so I installed FreeBSD...

PGP Key fingerprint = 4E60 8A3C ECE5 3018 474B 1D0F 9C74 6147 85FB F2F4

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Lars-Johan Liman
Sent: Wednesday, September 22, 2004 3:17 AM
To: nanog
Subject: Re: FW: The worst abuse e-mail ever, sverige.net

 I cannot agree to the "block port 25" line of action.

 I am a Unix sysadmin, with 15 years of experience as a sendmail and DNS
 expert. I have a DSL line at home, with static IP, and generic rDNS
 provided by my ISP. Behind it I have a serious Unix server, configured
 to roughly the same standard that I use at work.

 *snip*


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Robert E . Seastrom


Alexander Koch [EMAIL PROTECTED] writes:

 On Wed, 22 September 2004 10:40:30 -0400, Robert E.Seastrom wrote:
 [..]
 Buy an appropriate connectivity product for your home connectivity and
 the problems go away.  Put your servers in a colo (a la
 http://www.vix.com/personalcolo/ ) and the problems go away.  It costs
 more to maintain a zone file that is not created by a perl script (ie,
 your generic rDNS).  You can expect to pay for this.  Presumably as a
 Unix sysadmin with 15 years of experience, this is a cost you can
 afford/justify.

 What will that 1U server help me if I am sending stuff from
 my Unix box at home via SMTP to it when my IP block is in
 the various 'dialup' RBLs and ends up in the Received
 headers, so every SA on the way happily scores it rather
 high as these RBLs sum up. What would be gained then at the
 end of it?

Think about what you just wrote -- if things actually worked this way,
nobody who ran SpamAss would ever receive any mail.  :)

(if you're a conspiracy theorist or just weird, set up an ipsec, ssh,
or gre tunnel and call it done).

What's it buy you?  Unblocked ports, control of in-addrs associated
with your addresses, data center UPSes, data center cooling, (still
subject to Acts of God as recent experiences in NoVA showed, but
that's life), not having your *server* in a block that is identified
as dialup.

---Rob




Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread John Curran

At 10:16 AM +0200 9/22/04, Lars-Johan Liman wrote:
 I cannot agree to the "block port 25" line of action.

You block port 25 until a customer says that they claim to have
set up a responsible mail submission agent and demonstrate the
necessary clue density.

This can be readily determined by having customer support mail
a short form with relevant questions such as "Is your mail server
RFC2505 compliant?", "Please list the mechanism used to secure
mail submission to your server?", and "Are you prepared to handle
SPAM reports for all email originated or relayed?"   No problem for
someone who knows what they're doing but enough to deter the
random end user.

/John


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Edward B. Dreger

AK Date: Wed, 22 Sep 2004 16:54:20 +0200
AK From: Alexander Koch

AK What will that 1U server help me if I am sending stuff from
AK my Unix box at home via SMTP to it when my IP block is in
AK the various 'dialup' RBLs and ends up in the Received

Presumably you'd admin the 1U server, and your authenticated
SMTPS traffic would be allowed despite RBL listings, yes?


AK headers, so every SA on the way happily scores it rather
AK high as these RBLs sum up. What would be gained than at the
AK end of it?

Huh?!  Either you're running { UUCP | some strange multihop
relaying } or I'm totally confused.  You connect to your colo box
directly.  There are no other hops along the way.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Randy Bush

 At 10:16 AM +0200 9/22/04, Lars-Johan Liman wrote:
  I cannot agree to the "block port 25" line of action.
 
 You block port 25 until a customer says that they claim to have
 set up a responsible mail submission agent and demonstrate the
 necessary clue density.

[ we have had this discussion before.  how many times are we doomed
  to have it? ]

in the north american culture, this is usually termed guilty
until proven innocent, and generally discouraged.  perhaps we
should not deprive the customer of rights/services until they
have been shown to have abused them?

lars-johan's posting was a wonderfully eloquent plea for the
survival of the internet, as opposed to the walled-garden telco
model.

randy



Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread John Curran

At 4:51 PM +0100 9/22/04, Randy Bush wrote:

in the north american culture, this is usually termed guilty
until proven innocent, and generally discouraged.  perhaps we
should not deprive the customer of rights/services until they
have been shown to have abused them?

I am *so* happy that the power grid doesn't operate this way...
fuses and circuit breakers are there in your home, the pedestal,
and the pole for good reason.   Call your power company if you
want to upgrade *and* can demonstrate appropriate certified
electrical work in advance.

/John


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Robert E . Seastrom


Randy Bush [EMAIL PROTECTED] writes:

[reductio ad absurdum comments about American jurisprudence elided]

 lars-johan's posting was a wonderfully eloquent plea for the
 survival of the internet, as opposed to the walled-garden telco
 model.

In a vacuum, we all agree with him.  He should be sending his plea to
Redmond, from whence comes the vulnerable software that makes this
stopgap BCP necessary.

---Rob



Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Paul Wouters
On Wed, 22 Sep 2004, Lars-Johan Liman wrote:
It's too d---ned cheap to send out spam, and it'll be too d---ned
cheap to sell your stuff over VOIP in the future.
But we've fixed that! We added an ENUM layer with DNSSEC on top of it.
So now we can decide what to tell our potential callers without them
being able to spoof it. Like "do not disturb me now".
Oh yeah, and we'll use the phone number as index for all this information!
Now if you'll excuse me, I'll go sob in the corner over there.
Paul
--
Non cogitamus, ergo nihil sumus


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Randy Bush

 in the north american culture, this is usually termed guilty
 until proven innocent, and generally discouraged.  perhaps we
 should not deprive the customer of rights/services until they
 have been shown to have abused them?
 
 I am *so* happy that the power grid doesn't operate this way...

i think history has disabused the apocrypha that the telco or the
power grid are so reliable

randy



Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Valdis . Kletnieks
On Wed, 22 Sep 2004 15:44:10 -, Edward B. Dreger said:

 Huh?!  Either you're running { UUCP | some strange multihop
 relaying } or I'm totally confused.  You connect to your colo box
 directly.  There are no other hops along the way.

Unless you do final delivery on that hypothetical 1U colo box (presumably to
yourself and whoever else you give access to), the mail will almost certainly
acquire at least 1 or 2 more Received: lines while getting to the remote site.

The problem is that some tools run through *all* the Received: headers looking
for borked forward/backward chains or hosts that are in a blacklist. So if
they saw the dialup IP address in one of the earliest Received: lines, you'd
get scored some dings on the spam-o-meter. After all, 95% of any email that
ever passed through a dialup is spam, right? ;)

We now return you to our regularly scheduled episode of "What's wrong with this
picture?"





Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Jon Lewis

On Wed, 22 Sep 2004, Edward B. Dreger wrote:

 AK headers, so every SA on the way happily scores it rather
 AK high as these RBLs sum up. What would be gained than at the
 AK end of it?

 Huh?!  Either you're running { UUCP | some strange multihop
 relaying } or I'm totally confused.  You connect to your colo box
 directly.  There are no other hops along the way.

Older versions of SA, especially with custom DNSBL rules, may have had
this issue (applying DUL type DNSBL rules to IPs in every Received:
header:) but that's been fixed for some time.

Welcome to NANOST (North American Network Operators Spam Talk).  But
seriously, anyone who has an interest in such issues ought to at least
occasionally read spam-l or spamtools before posting to nanog about long
fixed problems in old software.

--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
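Alexander's worry (the home DSL address in a Received: line lighting up dialup RBLs at every hop), Suresh's ssh-tunnel answer, Valdis's description of tools that walk every Received: header, and Jon's note that current SpamAssassin no longer does that can be seen side by side in one script. The Python below is an added example; it is not code from the thread or from SpamAssassin. The DNSBL, the trusted-network list and the three message traces are constructed so it runs offline; a real filter would query the list over DNS. The "untrusted_only" policy is only a sketch of how a trusted-networks setting is used, not a reimplementation of any product's rules.

```python
"""Score a mail's Received: chain against a dialup DNSBL, two ways.

Added example (not code from the thread or from SpamAssassin).  All
addresses are TEST-NET ranges and all traces are constructed.
"""
import ipaddress
import re

# Constructed stand-in for a DUL/dialup list: TEST-NET-1 plays the part
# of an ISP's consumer DSL pool.
DIALUP_DNSBL = [ipaddress.ip_network("192.0.2.0/24")]

# The receiving site's own relays (TEST-NET-3).  Hops inside this set are
# our machines, so their Received: lines carry no reputation signal.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# The first bracketed IPv4 literal in a Received: line is the connecting host.
_CONNECTING_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(headers):
    """Connecting IPs from the Received: lines, newest (outermost) first."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = _CONNECTING_IP.search(value)
        if m:
            hops.append(ipaddress.ip_address(m.group(1)))
    return hops


def _listed(nets, ip):
    return any(ip in net for net in nets)


def score(headers, policy="untrusted_only", points_per_hit=3.0):
    """Return (score, listed_hops) for one message.

    "legacy": every hop in the chain is looked up, so a DSL address that
    merely originated the mail through a clean relay still scores.
    "untrusted_only": skip our own relays, look up the first hop outside
    them (the host that handed us the mail) and stop there.
    """
    hits = []
    for ip in received_hops(headers):
        if policy == "legacy":
            if _listed(DIALUP_DNSBL, ip):
                hits.append(str(ip))
        elif policy == "untrusted_only":
            if _listed(TRUSTED_NETWORKS, ip):
                continue
            if _listed(DIALUP_DNSBL, ip):
                hits.append(str(ip))
            break
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return points_per_hit * len(hits), hits


# Constructed trace 1: home box on DSL (192.0.2.77) submits plain SMTP to
# a colo relay, which delivers to the recipient's MX.
VIA_COLO = [
    ("Received", "from colo.example.net [198.51.100.10] by mx.example.org [203.0.113.5]"),
    ("Received", "from home.example.net [192.0.2.77] by colo.example.net [198.51.100.10]"),
]

# Constructed trace 2: same box, but submission went through
# `ssh -L2525:colo.example.net:25`, so the relay saw a loopback
# connection and the DSL address never entered the trace.
VIA_SSH_TUNNEL = [
    ("Received", "from colo.example.net [198.51.100.10] by mx.example.org [203.0.113.5]"),
    ("Received", "from localhost [127.0.0.1] by colo.example.net [198.51.100.10]"),
]

# Constructed trace 3: a DSL host talks straight to the MX, which hands
# off to an internal store.  The zombie case both policies must catch.
DIRECT_FROM_DSL = [
    ("Received", "from mx.example.org [203.0.113.5] by store.example.org [203.0.113.9]"),
    ("Received", "from home.example.net [192.0.2.77] by mx.example.org [203.0.113.5]"),
]

if __name__ == "__main__":
    for label, msg in (("via colo", VIA_COLO), ("via ssh tunnel", VIA_SSH_TUNNEL),
                       ("direct from DSL", DIRECT_FROM_DSL)):
        for policy in ("legacy", "untrusted_only"):
            print(f"{label:16} {policy:15} -> {score(msg, policy)}")
```

Under "legacy" the colo relay buys Alexander nothing, since his DSL address is still in the chain; under "untrusted_only" it does, and the tunnelled submission is clean under both because the address never appears at all. Neither policy helps a DSL host that connects straight to the MX, which is the case the dialup lists exist for.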


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Allan Poindexter

  Steven OK, now let's make it more in line with modern practice:

  Steven Say a protocol more or less completely lacked server-server
  Steven authentication, or a way to distinguish between client and
  Steven server, and that then every day, for ten years, hundreds and
  Steven [...]
  Steven after accepting the submissions, rather than rejecting at
  Steven submission time. Oh, and outbound connections aren't
  Steven expected from the vast majority of those hosts.

Are you saying that since you have never had to lock your door before
you shouldn't be required to install one now?

  Steven Yes, I think this a reasonable response to use everything at
  Steven our disposal to refuse the majority of the unwanted
  Steven submissions.

Wouldn't everything at our disposal include developing and
installing locks?  Wouldn't that be an obvious first step?  Would your
first reaction to finding your house burgled be to phone all the
builders of houses in your neighborhood and demanding they make it
impossible for anyone else to leave their house?
 
  Steven thousands of professional criminals used weaknesses in the
  Steven monopoly OS to plant software completely under their control
  Steven on fifty million (or so) of these vulnerable hosts,

For email viruses the monopoly OS is not the only cause of blame
(although its manufacturer helped a lot in other ways).  If one allows
someone to use an MUA that executes code in Turing complete languages
one has already essentially done what our hapless hypothetical
sysadmin did with authenticationless SSH.  The only difference is that
our hypothetical sysadmin will have implemented an interactive system
whereas such MUAs will have implemented a batch system with an awkward
JCL called MIME.  Viruses (of the email type that is) spread so easily
because we have not made it clear enough that using one of these MUAs
has the same security implications as letting any user start an
anonymous telnet server.

Yet here too all sorts of strange recommendations are made[1].
Suggestions that would never even be considered if a sysadmin was
actually faced with a user running an anonymous telnet server.
Suggestions which by and large avoid doing what we all would do in an
instant if we were faced with this problem in its telnet guise:
requiring authentication.  Does your security policy allow users to
implement authenticationless command servers?  If not do you prohibit
the batch command servers that many MUAs have become?

-
[1] Suggestions like "we will filter mail for viruses."  If an
employee was running anonymous telnet at your place of business would
your response be to attempt to write a filter that would delete any
bad scripts?  I'm pretty sure at most places the employee would be
forced to stop.


The Trailing Edge (was Re: FW: The worst abuse e-mail ever, sverige.net)

2004-09-22 Thread Valdis . Kletnieks
On Wed, 22 Sep 2004 12:52:54 EDT, Jon Lewis said:

 Older versions of SA, especially with custom DNSBL rules, may have had
 this issue (applying DUL type DNSBL rules to IPs in every Received:
 header:) but thats been fixed for some time.

In many cases, fixed != deployed, unfortunately.  And that adoption
curve has got a LONG tail at the far end going to infinity, because some
sites will never upgrade.

Has anybody done a comparison for different instances of this same problem
(for instance, rate of fixing of 69/8 filters, open SMTP relays, installing a
Microsoft 'critical' software fix, patching bind/ssh/apache/whatever
after a vulnerability is found), to see if the underlying curve has similar
characteristics?

I'm familiar with Eric Rescorla's "Security Holes - Who cares?"
paper (http://www.rtfm.com/Upgrade-usenix.pdf) and Beattie, Arnold,
Cowan, Wagle, and Wright's "Timing the Application of Security Patches
for Optimal Uptime" from LISA XVI - any other cites, especially for those
that succeed in mathematically modelling it in the real world well enough to
make predictions from?




RE: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Kathryn Kessey

I don't want to add to this bash-fest, but maybe a little context and a laugh helps... 
the original posting sounds like utter frustration, something I'm sure a few people 
are familiar with if you've ever worked for a bunch of sociopathic conartists using 
their service provider business to steal from people in order to support their 
prostitution/drug/gambling habit and/or perpetuation of their cult... Like my previous 
employer.  If you work for someone who allows you to subject sales to any sort of 
screening, like asking Is your mail server RFC2505 compliant?, luckily you aren't 
working for clowns who would sell to anyone (and actually say things like spammers 
are a great sales channel!), refer to themselves as pirates of telecommunications 
(seriously), and refuse to support any implementation of known good technical 
practices if it A) costs > 0.01 or B) inconveniences any spammer (I mean, customer.)
And the aftermath of not implementing reasonable technical practices, is of course, 
all your fault (like all of your superblocks being RBLed for consistently selling 
service to notorious spammers)... People who treat their engineers with utter disdain 
and contempt, as if they are just a sinkhole for their sales dollars.

Luckily for me, I could just walk away and hand them my two word resignation letter 
(that's right:  "FO").  Not everyone can, esp. during the recession.  I'm just posting
this because if you have never worked in these conditions, its hard to comprehend the 
frustration level, I certainly didn't before experiencing it myself.  And maybe we 
should find ways of putting scourge like this out of business.

glad to be back from the dark side, working for a real company again...

Kathy



-Original Message-
From: John Curran [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 22, 2004 10:37 AM
To: Lars-Johan Liman
Cc: nanog
Subject: Re: FW: The worst abuse e-mail ever, sverige.net



At 10:16 AM +0200 9/22/04, Lars-Johan Liman wrote:
 I cannot agree to the "block port 25" line of action.

You block port 25 until a customer says that they claim to have
set up a responsible mail submission agent and demonstrate the
necessary clue density.

This can be readily determined by having customer support mail
a short form with relevant questions such as "Is your mail server
RFC2505 compliant?", "Please list the mechanism used to secure
mail submission to your server?", and "Are you prepared to handle
SPAM reports for all email originated or relayed?"   No problem for
someone who knows what they're doing but enough to deter the
random end user.

/John


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-22 Thread Susan Harris

Let's move this thread to some place where people love to talk about spam:

  http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for
   spam prevention and discussion
  http://www.abuse.net/spamtools.html -- spam tools list for software
   tools that detect spam
  net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet lists


Questinair about email policy records to indicate proper source of email (RE: FW: The worst abuse e-mail ever, sverige.net)

2004-09-22 Thread william(at)elan.net


 As such, when we have seen our IP blocks get blocked strictly because of
 the rDNS entry having 'dsl' in it, a simple email to the admins
 explaining that we are not providing dynamic services has gotten our
 rDNS entries taken off of the blacklist.

I don't particularly like a situation where an outside party has to guess if 
another ISP's address is dynamic or static and should or should not be a 
source of email. This is not helpful either to ISPs and their customers
or to those trying to filter email and guess which are good and bad IPs.

Let's suppose there was a standardized way that ISPs could enter in 
their DNS a policy record that says that a certain IP address is/is not used
for sending email. Would you be interested in using this?

If you answer yes and would like to help towards such a standard, please
go through the questions I put below. Your answers will go toward a draft 
which has a good chance of being used as part of Unified SPF. To help with 
creating something that will work well for ISPs as well as for end-users, 
I'd like to receive answers from both major ISPs and smaller networks and
small mail operators, but please answer in private so as not to anger the
moderators of this mail list. 

If you do want to discuss any particular details of the email policy 
technology, I'd request that you sign up for the SPF discuss mail list:
http://spf.pobox.com/mailinglist.html

Now here are the questions I'd like to receive feedback on:
---

1. Are you an ISP? What size?
a. Major ISP (> 20,000 customers)
b. Small or mid-size ISP
c. End-user network customer who runs a mail server. Specify if it's on
i. a dedicated line or co-located box
ii. DSL or cable (residential variety)
d. End-user who does not run own mail server

2. If you're an ISP, are you willing to quickly deploy these records if such 
   a standard becomes available? If so, how quickly can you deploy it?
a. 1-6 months
b. 6-12 months
c. > 12 months
d. Would not deploy it

3. Are you willing to configure/upgrade your email server to check for 
   these policy records and reject SMTP connections based on these records?
a. Yes - will rely solely on these records
b. No - will never deploy this
c. Will not reject SMTP connections based solely on this record, but 
   willing to make it part of an overall email filtering system
   (i.e. adds points to SpamAssassin or similar)

4. Many users and even RIRs have expressed doubts about relying on IN-ADDR
   and said it has technical problems and/or that IN-ADDR zones are badly 
   maintained by ISPs and that we should not rely on it. Do you agree?
a. No - INADDR is well maintained by RIRs and ISPs
b. Yes - INADDR is BAD and can't be fixed; we should not rely on it
c. There are deployment issues with INADDR due to how ISPs use it,
   but technically it's good and we can rely on it.
   If you answered c:
 Does your ISP maintain IN-ADDR zones for all its IPs and do you 
 quickly update them based on your customers' requests?
i. Yes we do. We update zones in < 1 day per customer requests
ii. We maintain it, but don't update it as often as it may be
needed. We're willing to make an effort and answer tech
support from customers in regards to in-addr records
in < 24 hours or quicker (same level of support you provide
for customer domains hosted on ISP DNS servers).
iii. We don't maintain INADDR records at all, but are willing
 to do it if it becomes a requirement for email

5. Would you prefer email policy records be entered in the IN-ADDR zone
   for each IP, or would you prefer them to be entered as part of the HOST
   record for the PTR address of the IP?
a. IN-ADDR zone
b. PTR HOST record
c. Neither - prefer a different alternative. Specify: __

Note: When thinking about this answer to #5 please also go back to question
  #4 and think what would be easier for you (as an ISP or end-user) to 
  maintain and provide the ability to update if you or your customers
  need to be able to update it.

6. A suggestion has been made to allow the DNS policy record for the 
   SMTP mail server as used in EHLO to override the policy record for the IP, as
   a way to get around non-cooperative or slow ISPs that don't let their
   customers control what record is in the INADDR zone. What do you 
   think about this?
 a. No, we should not allow any other mail policy to override the
email record for the IP
 b. Yes, it is ok if other policy records override IP records.
 c. It is ok for most cases that some other email policy record
can override IP policy records, but in some cases ISPs do
need to specify records that can not be overridden.

7. For the policy record would you prefer to just say that no email
   is to come from the ip or would 

Re: Questionnaire about email policy records to indicate proper source of email (RE: FW: The worst abuse e-mail ever, sverige.net)

2004-09-22 Thread Ricardo "Rick" Gonzalez

 Now here are the questions, I'd like to receive feedback on:
 ---
 
 1. Are you ISP? What size?

I am ISP.  Well rather, I'm AN ISP.  Okay, so I just operate one, but
you get the gist.

 2. If you're ISP are you willing to quickly deploy these records if such
standard becomes available? If so how quickly can you deploy it -

If you're ISP?  Who's asking the questions, Ali G?
 
 3. Are you willing to configure/upgrade your email server to check of
these policy records and reject SMTP connection based on these records?

No, because I already utilize multiple DNS-based blacklists which do
precisely that (blocking dynamically assigned dialup/cable/DSL address
pools), as part of SpamAssassin and other spam filtering mechanisms.

 4. Many users and even RIRs have expressed doubts about relying on IN-ADDR
and said it has technical problems and/or that IN-ADDR zones are badly
maintained by ISPs and that we should not rely on it. Do you agree?

No need to look at in-addr.  See above.

 6. The suggestion that has been made to allow DNS policy record for
SMTP Mail server as used in EHLO to override policy record for IP as
a way to get around non-cooperative or slow ISPs that don't let their
customers control what record is in the INADDR zone. What do you
think about this?

Don't take it personally, but I think that's a bad idea.

 7. For the policy record would you prefer to just say that no email
is to come from the ip or would you prefer to be able to specify
more complex record:

For the policy record?  Are you an officer of the court?  Columbo? 
What record are you keeping, and for which organization(s)?  Did Ray
P. step down and make you the CEO of ARIN?

 8. Would you like to have an option as part of policy record that
can be used so that other email servers when they see SMTP connection

That doesn't parse.  SMTP connections?  Or a SMTP connection?  

from certain ip would report back to you if ip is used for outgoing
email connections?

Yes.  I'd hope IP is being used for e-mail connections.  It sure beats
the alternatives, such as DECNet, AppleTalk, and IPX.

 9. Would you like to have an option as part of policy record
that lets specify who the administrator is to contact in case

Depends.  Lets who specify?

 12. Do you consider that these email policy records for ips would be
 alternative for ISP port 25 blocking or a complimentary technology
 that can be used together with it?

No.  Again, you're reinventing the wheel unnecessarily.  See existing DNSBLs.


Re: The Trailing Edge (was Re: FW: The worst abuse e-mail ever, sverige.net)

2004-09-22 Thread Jon Lewis

On Wed, 22 Sep 2004 [EMAIL PROTECTED] wrote:

 Has anybody done a comparison for different instances of this same problem
 (for instance, rate of fixing of 69/8 filters, open SMTP relays, installing a

Coworkers keep breaking the SQL db access, and when I notice it broken, I
fix it...but http://69box.atlantic.net/cgi-bin/bogon still lists several
hundred networks with 69/8 issues.  They're still slowly getting fixed.
I just found several listed IPs that are finally reachable from 69/8.

--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


FW: The worst abuse e-mail ever, sverige.net

2004-09-21 Thread Daniel Golding

On 9/21/04 1:00 PM, james edwards [EMAIL PROTECTED] wrote:

 
 Sheesh. Get over /yourself/. Your network is rude by its very existence,
 if it lets spammers relay crud by way of it. Your own arrogance in
 thinking it's not your problem to fix is astounding.
 
 I did not say it is not my problem; we have a 10 year history of being
 very pro-active for all abuse issues and have a dedicated staff person to
 deal with these issues. Slamming my mail admin because a dial up user has a
 virus is rude, period. Our dial up address space is listed, if people choose to
 block mail from that space.
 
 james
 

To shift this to a more operational tone...

Networks make choices. One choice is to declare their dynamic space and put
the duty of ignoring emails from dialup users on the receiving networks.
Another choice is to filter port 25. Filtering port 25 has its own costs -
some users are offended/bothered by this, since they can't use their own
corporate mail servers, in some cases.

If a network makes the choice of putting the duty of filtering on the
receiving party, they need to accept that this will upset some of those
receivers. Today's security environment means that spam-sending viruses are
common. 

The only responsible thing to do is filter port 25, smarthost for your
users, and inform them about using the alternate submission port with
authenticated SMTP in order to work with enterprise mail servers - or IPSec
VPNs, for that matter. This is simply the best practice, at this point in
time. Using humans (dedicated staff person) to stop spam isn't scalable -
automated processes are sending this stuff, we need systematic ways to fight
it - black/white lists, SPF, port 25 filtering, bayesian filtering and other
tools.

-- 
Daniel Golding
Network and Telecommunications Strategies
Burton Group



Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-21 Thread Daniel Senie
At 01:29 PM 9/21/2004, Daniel Golding wrote:
On 9/21/04 1:00 PM, james edwards [EMAIL PROTECTED] wrote:

 Sheesh. Get over /yourself/. Your network is rude by its very existence,
 if it lets spammers relay crud by way of it. Your own arrogance in
 thinking it's not your problem to fix is astounding.

 I did not say it is not my problem; we have a 10 year history of being
 very pro-active for all abuse issues and have a dedicated staff person to
 deal with these issues. Slamming my mail admin because a dial up user has a
 virus is rude, period. Our dial up address space is listed, if people choose to
 block mail from that space.

 james

To shift this to a more operational tone...
Networks make choices. One choice is to declare their dynamic space and put
the duty of ignoring emails from dialup users on the receiving networks.
Another choice is to filter port 25. Filtering port 25 has its own costs -
some users are offended/bothered by this, since they can't use their own
corporate mail servers, in some cases.
If a network makes the choice of putting the duty of filtering on the
receiving party, they need to accept that this will upset some of those
receivers. Today's security environment means that spam-sending viruses are
common.
The only responsible thing to do is filter port 25, smarthost for your
users, and inform them about using the alternate submission port with
authenticated SMTP in order to work with enterprise mail servers - or IPSec
VPNs, for that matter. This is simply the best practice, at this point in
time. Using humans (dedicated staff person) to stop spam isn't scalable -
automated processes are sending this stuff, we need systematic ways to fight
it - black/white lists, SPF, port 25 filtering, bayesian filtering and other
tools.
I'd add on to this in one area. Dan's text is good as far as it goes. What 
I'd add is:

Implement Reasonable and Easily Handled INADDR
1) By this I mean provide PTR records for all ports
2) for dialup, DSL and Cable users on dynamic ports who should not 
generally be running servers, name the INADDR with something like:

w-x-y-z.dialup.example.net
w-x-y-z.dynamic.example.net
or similar. I don't care what scheme you want to use to the LEFT of 
'dialup.example.com' or 'dynamic.example.com' but please put the 
information about these being dynamic blocks in a place where they can be 
filtered using simple mechanisms (i.e. without regex overheads).

With the naming above, it's easy to filter out dialup.example.com in the 
access lists of mail servers without any worries. Users coming in from 
those addresses using authenticated connections to the submission port will 
work fine, while spam direct from those machines will not work.

Many ISPs do this quite well. While it's still some work for the receiving 
systems vs. port 25 filtering, it sure beats guessing about remote topologies.

Also note that while some large ISPs have handed out IP address ranges of 
dynamically assigned address in the past, telling others they can block 
from those addresses, this results in stale data almost instantly. Keeping 
this type of thing based on PTR records in DNS means the owner of that 
space has the job of maintaining the designations, as it should be, and 
avoids pushing that task onto recipients.

3) Provide proper PTR records for your business customers. A PTR record of 
.biz.example.net sure looks a lot more questionable than office.example.com 
(where example.com is a small business, let's say).

4) Think about the other guy. If you have issues identifying what to block 
on your inbound flows, perhaps you might think about how your naming and 
other policies affect how others see your outflow. Cooperation makes things 
better for everyone.

--
Daniel Senie [EMAIL PROTECTED]
Amaranth Networks Inc.    http://www.amaranth.com


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-21 Thread Steven Champeon

on Tue, Sep 21, 2004 at 02:11:11PM -0400, Daniel Senie wrote:

<snip good info>

 2) for dialup, DSL and Cable users on dynamic ports who should not 
 generally be running servers, name the INADDR with something like:
 
 w-x-y-z.dialup.example.net
 w-x-y-z.dynamic.example.net
 
 or similar. I don't care what scheme you want to use to the LEFT of 
 'dialup.example.com' or 'dynamic.example.com' but please put the 
 information about these being dynamic blocks in a place where they can be 
 filtered using simple mechanisms (i.e. without regex overheads).
 
 With the naming above, it's easy to filter out dialup.example.com in the 
 access lists of mail servers without any worries. Users coming in from 
 those addresses using authenticated connections to the submission port will 
 work fine, while spam direct from those machines will not work.
 
 Many ISPs do this quite well. While it's still some work for the receiving 
 systems vs. port 25 filtering, it sure beats guessing about remote 
 topologies.

FYI - I've been tracking rDNS naming conventions for many ISPs for the
past year and a half. (Basically, if your network is secure, I don't
know about you - I only track rDNS for hosts that relay spam or spew
viruses at me). Of the approximately 4800 networks (by domain) I've
tracked, 1935 are known to be in the US, Mexico, or Canada. Of those,
509 have some form of RHS-friendly rDNS. Roughly 26%. Better than last
year, but still pretty bad.

cgocable.ca cabletv.on.ca   aci.on.ca   eastlink.ca
powergate.caprimus.ca   sympatico.caubc.ca 
uoguelph.ca uniserve.ca utoronto.ca videotron.ca   
netidea.bc.ca   ulaval.ca   ualberta.ca dal.ca 
uottawa.ca  uwo.ca  connection.ca   terago.ca  
accesscomm.ca   ucc-net.ca  sfu.ca  yorku.ca   
ncf.ca  rushcomm.ca eol.ca  mcgill.ca  
oricom.ca   vdn.ca  amdsb.caumontreal.ca   
cyberus.ca  knet.ca magma.camcmaster.ca
usherbrooke.ca  cgi.ca  unb.ca  sprintdsl.ca   
aol.com aracnet.com atlantabroadband.com attbi.com
insightbb.com   mchsi.com   bbtel.com   ccapcable.com  
cerfnet.com charter.com dancris.com execulink.com  
mindspring.com  nexband.com rcn.com redshift.com   
ripnet.com  rogers.com  rr.com  theplanet.com  
wideopenwest.comxmission.comcablenet-va.com charter-ala.com
cox-internet.comquik.comgvtc.combah.com
lan2wan.com westelcom.com   power1.com  mdsg-pacwest.com   
eschelon.comgvtel.com   nettally.comoctapus.com
firstlink.com   hbci.comiinet.com   naxs.com   
ntplx.com   tfb.com srtnet.com  theriver.com   
vcn.com visi.comwebhostplus.com winbeam.com
gtlakes.com varian.com  royaume.com primarydns.com 
netdoor.com registeredsite.com  bearingpoint.comcore.com   
tvc-ip.com  teksavvy.comopt2opt.com quiknet.com
srt.com pcspeed.com cadvision.com   mynethost.com  
800hosting.com  scrtc.com   speede.com  warpdriveonline.com
wavecable.com   lightyearcom.commidmaine.comprairieweb.com 
c2bandwidth.com innercite.com   cintelecom.com  hyperusa.com   
seanet.com  cwia.commcttelecom.com  osp-chicago.com
primenet.comfire2wire.com   calltech.comanobi.com  
telus.com   hyatthsiagx.com spiritone.com   aesirnetworks.com  
foxinternet.com willscot.comacetechusa.com  aeanetwork.com 
alabanza.comarishost.comcalpop.com  computechnv.com
datapeer.comfatcow.com  iwaynetworks.comlinuxwebnet.com
mobilenetics.comskybitz.com tir.com unitedcolo.com 
zedcom.com  zoolink.com crestviewcable.com  mipops.com 
neteze.com  wilnet1.com conninc.com asu.edu
berkeley.edubrown.edu   bucknell.educmich.edu  
cmu.edu colorado.educolumbia.educornell.edu
csulb.edu   csuohio.edu dartmouth.edu   duke.edu   
ecu.edu fsu.edu furman.edu  gac.edu
gatech.edu  harvard.edu hawaii.edu  indiana.edu
msu.edu ncsu.edunodak.edu   pepperdine.edu 
psu.edu  

Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-21 Thread Mikael Abrahamsson

On Tue, 21 Sep 2004, Daniel Senie wrote:

  w-x-y-z.dialup.example.net
  w-x-y-z.dynamic.example.net

The company I work for hands out static IP addresses to all DSL subscribers
(one IP only per subscriber in all cases). Is there a BCP as to what to do
with this regarding registering with RBLs etc., so we won't get our entire
netblock blacklisted when a single subscriber gets 
backdoored/trojaned/virus-infected?

-- 
Mikael Abrahamsson    email: [EMAIL PROTECTED]



Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-21 Thread Mikael Abrahamsson

On Tue, 21 Sep 2004, Dan Mahoney, System Admin wrote:

 Unless your connection is permanent, with a permanent static ip, you 
 should not be *directly* sending out mail.  The very nature of dynamic ips 
 implies that even if a single subscriber gets infected, you have no 
 guarantee YOU won't wind up with that ip next.

As I said, this is DSL, which to me implies always on. Each DSLAM port
only allows one IP address, this is set statically. The customer has a
static IP address assigned to him/her, which never changes over time. No
DHCP, nothing dynamic whatsoever. If you want to make yourself
unreachable to one of our customers you blacklist their IP which is always
the same. Simple.

Now, how do we make the world understand this? 
 
-- 
Mikael Abrahamsson    email: [EMAIL PROTECTED]



RE: FW: The worst abuse e-mail ever, sverige.net

2004-09-21 Thread Sean Crandall

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Mikael Abrahamsson
 Sent: Tuesday, September 21, 2004 1:01 PM

 As I said, this is DSL, which to me implies always on. Each DSLAM port
 only allows one IP address, this is set statically. The customer has a
 static IP address assigned to him/her, which never changes over time. No
 DHCP, nothing dynamic whatsoever. If you want to make yourself
 unreachable to one of our customers you blacklist their IP which is always
 the same. Simple.

We configure our DSL customers the same way you do.  Static PVC, Static
IP.  Each user has a static IP and in 99% of the cases, we do not assign
any dynamic IPs.  

However, I would say that it is safe to say that the majority of the
ILECs here in the US provide DSL service where the IP is dynamic.  Most
of the time, it doesn't change, but it is very possible that the next
time that the user logs in (most are also using PPPoE for the connection
setup) that the DHCP server might give them another IP.

As such, when we have seen our IP blocks get blocked strictly because of
the rDNS entry having 'dsl' in it, a simple email to the admins
explaining that we are not providing dynamic services has gotten our
rDNS entries taken off of the blacklist.

-Sean

Sean P. Crandall
VP Engineering Operations
MegaPath Networks Inc.
6691 Owens Drive
Pleasanton, CA  94588
(925) 201-2530 (office)
(925) 201-2550 (fax)




Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-21 Thread Douglas Otis

On Tue, 2004-09-21 at 13:01, Mikael Abrahamsson wrote:
 On Tue, 21 Sep 2004, Dan Mahoney, System Admin wrote:
 
  Unless your connection is permanent, with a permanent static ip, you 
  should not be *directly* sending out mail.  The very nature of dynamic ips 
  implies that even if a single subscriber gets infected, you have no 
  guarantee YOU won't wind up with that ip next.
 
 As I said, this is DSL, which to me implies always on. Each DSLAM port
 only allows one IP address, this is set statically. The customer has a
 static IP address assigned to him/her, which never changes over time. No
 DHCP, nothing dynamic whatsoever. If you want to make yourself
 unreachable to one of our customers you blacklist their IP which is always
 the same. Simple.
 
 Now, how do we make the world understand this? 

When this customer discontinues services, would you want to reuse this
address?  If your network was (ab)used sending spam, then the next
customer may find this address unusable and you would need to contact a
few hundred blacklists in an attempt to rehabilitate the address.
As a prophylactic measure, Port 25 is blocked or transparently
intercepted to monitor the network via error logs.  For external mail
submissions, Port 587 would be recommended.

There is an overview of this at:
http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt

-Doug

 

 





port 25 blocking [Re: FW: The worst abuse e-mail ever, sverige.net]

2004-09-21 Thread Mikael Abrahamsson

On Tue, 21 Sep 2004, Douglas Otis wrote:

 As a prophylactic measure, Port 25 is blocked or transparently
 intercepted to monitor the network via error logs.  For external mail
 submissions, Port 587 would be recommended.
 
 There is an overview of this at:
 http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt

We want to receive abuse emails and act on them; it doesn't matter if
customers are infected and sending spam or if they're infected and trying
to remote-exploit web servers or Windows computers or what have you. We've
been considering using netflow to detect end-users doing a lot of port 25
activity towards a lot of random destinations; I find this much more
net-friendly than to just block 25 and force them to use our smarthost
(it also stops our smarthost from being blacklisted by some overzealous
blacklist admins).

Starting to block just means you will have to block more and more all the 
time. Ports 135-139 and 445 will be practically unusable on the network for 
a long time (some users complain about this).

I was under the impression that most blacklists would have a time-out 
period: when there was no more activity from a certain IP, it would be 
removed from the blacklist. Is this not the case?

Also, having hundreds of blacklists as per your email seems like a very 
silly idea? I can understand 3-5, but hundreds?

-- 
Mikael Abrahamsson    email: [EMAIL PROTECTED]




Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-21 Thread Steven Champeon

on Tue, Sep 21, 2004 at 02:04:18PM -0700, Sean Crandall wrote:
 We configure our DSL customers the same way you do.  Static PVC, Static
 IP.  Each user has a static IP and in 99% of the cases, we do not assign
 any dynamic IPs.  
 
 However, I would say that it is safe to say that the majority of the
 ILECs here in the US provide DSL service where the IP is dynamic.  Most
 of the time, it doesn't change, but it is very possible that the next
 time that the user logs in (most are also using PPPoE for the connection
 setup) that the DHCP server might give them another IP.
 
 As such, when we have seen our IP blocks get blocked strictly because of
 the rDNS entry having 'dsl' in it, a simple email to the admins
 explaining that we are not providing dynamic services has gotten our
 rDNS entries taken off of the blacklist.

Why do you assume that an IP being static, but having generic rDNS
showing it to be a DSL line, automatically makes it worthy of relaying
or sending mail? I certainly don't make that assumption - rather the
opposite, given my experience of the past three years.

In my view of the universe, IPs with generically named rDNS should never
emit mail except by way of a suitably configured MTA, which ought to
have non-generic rDNS, preferably of the sort 'mail.$domain' where
[EMAIL PROTECTED] is a live account manned by an abuse desk, rather than a
generic '1-2-3-4.assignmenttype.technologytype.bigisp.example.net',
where complaints to [EMAIL PROTECTED] may or may not make any difference.

In the past 60 days, we've refused mail from 

ip-69-33-132-156.nyc.megapath.net (claimed to be 'hal.org', and sender
was a yahoo.com account)

and

ip-66-80-96-99.aus.megapath.net (claimed to be 'asu.edu', and sender
was an asu.edu account)

and

ip-66-80-90-195.iad.megapath.net (claimed to be
'ccs1.clinicofcosmeticsurgery.com', sent to an inactive account)

and

ip-66-80-206-37.lax.megapath.net (claimed to be 'mail.totexusa.com',
sent to my account - I don't know anyone at 'totexusa.com'; both
messages were backscatter from a joe job)

Were we wrong to do so? I don't think so. Static or dynamic, makes
little difference. Today's email services require more than the current
status quo. And I haven't seen any reason to adjust my policy.

I'm left with the overall impression from many on this thread that in
the view of many ISPs, DNSBLs have removed the ISP's burden of policing
their own networks. And that's a shame.

Steve

PS: this message certified ad hominem free :/

-- 
join us!   http://hesketh.com/about/careers/web_designer.html   join us! 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.htmljoin us!
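The two rDNS conventions argued over in this thread (Daniel Senie's `w-x-y-z.dialup.example.net` suffix that a receiver can match without regexes, and the generic `1-2-3-4.assignmenttype.technologytype.bigisp.example.net` names that Steve treats as unfit to emit mail directly) can both be checked mechanically on the receiving MTA. The Python below is an added example, not code from either poster or from any ISP: the suffix list, hostnames and addresses (example.net, 192.0.2.0/24 documentation space) are constructed, and a real deployment would take the PTR name from a forward-confirmed lookup rather than trusting the PTR alone.

```python
"""Classify the reverse DNS (PTR) name of a connecting SMTP client.

Added example, not code from the thread or any ISP's system: it implements
the two checks the posts describe in prose.  All names and addresses are
constructed (example.net, 192.0.2.0/24).
"""
from __future__ import annotations

import ipaddress
import re

# Right-hand-side suffixes an ISP publishes for space that should not emit
# mail directly (the w-x-y-z.dialup.example.net convention).  Constructed.
DYNAMIC_SUFFIXES = ("dialup.example.net", "dynamic.example.net")


def has_dynamic_suffix(ptr_name: str, suffixes=DYNAMIC_SUFFIXES) -> bool:
    """Label-wise suffix match only, no regular expressions: the ISP's own
    naming carries the signal, so the receiver just compares labels from
    the right.  'dialup.example.net.evil.test' does NOT match, because the
    comparison is anchored at the end of the name, not a substring search."""
    labels = ptr_name.lower().rstrip(".").split(".")
    for suffix in suffixes:
        want = suffix.lower().split(".")
        if len(labels) >= len(want) and labels[-len(want):] == want:
            return True
    return False


def embeds_address(ptr_name: str, ip: str) -> bool:
    """Generic-rDNS heuristic: the four octets of the client's address appear
    as consecutive numeric tokens in the name, forwards or reversed
    (ip-192-0-2-10.city.isp.example.net, 10.2.0.192.pool.example.net).
    Tokens are compared as integers so zero-padded forms still match;
    names like 'mail2.example.net' have too few tokens and never match."""
    octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    tokens = [int(t) for t in re.findall(r"\d+", ptr_name)]
    for i in range(len(tokens) - 3):
        window = tokens[i:i + 4]
        if window == octets or window == octets[::-1]:
            return True
    return False


def classify(ip: str, ptr_name: str | None) -> str:
    """Policy verdict for one client.  Order matters: the ISP's explicit
    'dynamic' label is the most authoritative signal, the generic-name
    heuristic is an inference, and whatever is left is a deliberately
    named host (which is still only as trustworthy as its abuse desk)."""
    if not ptr_name:
        return "no-rdns"
    if has_dynamic_suffix(ptr_name):
        return "dynamic-pool"
    if embeds_address(ptr_name, ip):
        return "generic"
    return "named"


if __name__ == "__main__":
    # Constructed sample clients; a receiving MTA gets ip from the socket
    # and ptr_name from a PTR lookup (which it should forward-confirm).
    samples = [
        ("192.0.2.10", "192-0-2-10.dialup.example.net"),
        ("192.0.2.11", "ip-192-0-2-11.nyc.example.net"),
        ("192.0.2.12", "mail.example.net"),
        ("192.0.2.13", None),
    ]
    for client_ip, name in samples:
        print(f"{client_ip:<12} {name or '(none)':<34} {classify(client_ip, name)}")
```

Run stand-alone it prints one verdict per sample client. The three verdicts other than `named` are the cases a receiving policy would treat differently: `dynamic-pool` is the ISP telling you directly, in the cheap-to-match form Daniel asks for; `generic` is an inference from the naming pattern, the kind of host Steve refuses mail from; `no-rdns` is usually grounds for a temporary deferral rather than a hard reject.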


Re: port 25 blocking [Re: FW: The worst abuse e-mail ever, sverige.net]

2004-09-21 Thread Valdis . Kletnieks
On Tue, 21 Sep 2004 23:22:42 +0200, Mikael Abrahamsson said:

 Also, having hundreds of blacklists as per your email seems like a very 
 silly idea? I can understand 3-5, but hundreds?

Just because one organization with clue provides a BGP feed with the current
list of bogon addresses doesn't mean there aren't still several hundred sites
that are still blocking 69/8 as a bogon.

Similarly for blacklists - lots of sites have their own personal list of places they
really don't want to hear from.




Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-21 Thread Joe Provo

On Tue, Sep 21, 2004 at 01:29:44PM -0400, Daniel Golding wrote:
[snip]
 Another choice is to filter port 25. Filtering port 25 has its own 
 costs - some users are offended/bothered by this, since they can't 
 use their own corporate mail servers, in some cases.
[snip]

SUBMIT, SASL, etc.   This is a solved problem; if MS Lookout! Virus
Express! supports it, you know it isn't rocket science. 

SMTP 25 is for inter-server traffic.  There is absolutely no reason
for end-user pseudo-MTAs to use it.  Some networks will enforce it.
Expect that and move on.


-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE


Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-21 Thread Allan Poindexter

  Daniel The only responsible thing to do is filter port 25,
  Daniel smarthost for your users, and inform them about using the
  Daniel alternate submission port with authenticated SMTP in order
  Daniel to work with enterprise mail servers - or IPSec VPNs, for
  Daniel that matter. This is simply the best practice, at this point
  Daniel in time. Using humans (dedicated staff person) to stop
  Daniel spam isn't scalable - automated processes are sending this
  Daniel stuff, we need systematic ways to fight it - black/white
  Daniel lists, SPF, port 25 filtering, bayesian filtering and other
  Daniel tools.

Let's put this in perspective.  Say a hypothetical sysadmin were to
disable any and all authentication on his SSH server.  And that
someone then used SSH from your network to run code that sysadmin
didn't like on that machine.  Would you then consider it reasonable if
the sysadmin proposed:

   The only responsible thing to do is filter port 22, smarthost for
   your users, and inform them about using the alternate submission
   port with authenticated SSH in order to work with enterprise SSH
   servers - or IPSec VPNs, for that matter. This is simply the best
   practice, at this point in time. 

For that matter would anyone take seriously someone who then proposed
as a solution to the break-in[1] that:

   we need systematic ways to fight it - black/white lists, SSH
   Permitted From, port 22 filtering, bayesian filtering and other
   tools

in order to filter out harmful commands while allowing anything else
to get through without ever once suggesting enabling passwords or SSH
keys?

If you don't want to accept mail from anyone and everyone then make
them use a password or a key to send mail to you.  There are several
ways to do this right now.  (For example, procmail is your friend.)
If you don't like something that arrives in your house figure out a
way to put a lock on your door.  Don't insist everyone else is at
fault because they wouldn't put bars over their own.

-
[1] A curious term since it's hard to imagine a way to leave the door
open much wider than our hapless hypothetical sysadmin has.





Re: port 25 blocking [Re: FW: The worst abuse e-mail ever, sverige.net]

2004-09-21 Thread Douglas Otis

On Tue, 2004-09-21 at 14:22, Mikael Abrahamsson wrote:
 On Tue, 21 Sep 2004, Douglas Otis wrote:
 
  As a prophylactic measure, Port 25 is blocked or transparently
  intercepted to monitor the network via error logs.  For external mail
  submissions, Port 587 would be recommended.
  
  There is an overview of this at:
  http://www.ietf.org/internet-drafts/draft-hutzler-spamops-01.txt

 We want to receive abuse email and act on them, doesn't matter if
 customers are infected and sending spam or if they're infected and trying
 to remote-exploit web-servers or windows computers or what have you. We've
 been considering using netflow to detect end-users doing a lot of port 25
 activity towards a lot of random destinations, I find this much more
 net-friendly than to just block 25 and force them to use our smarthost
 (also stops our smarthost from being blacklisted by some overzealous
 blacklist-admins).

Cisco offers a Content Services Gateway that will allow audit of SMTP
error messages, as an example.  Just looking at user SMTP traffic will not
always be a good indication something nefarious is happening.  The
Whack-a-Mole game that results may clobber your good customers perhaps
once too often.  Tracking the reply codes for things like 550,1,3 and
filtering for results greater than 50 or so should alert you that something
bad is happening, or that they are having a hard time typing addresses.
: )

 Starting to block just means you will have to block more and more all the 
 time. Port 135-139 and 445 will be practially unusable on the network for 
 a long time (some users complain about this).
 
 I was under the impression that most blacklists would have a time-out 
 period when there was no more activity from this certain IP, it would be 
 removed from the blacklist. Is this not the case?

Hard to know how the average black-listing service ages their data. 
Some IP addresses cycle over large periods of time.  Some segments were
so bad, a few providers enter them using BGP into a router to conserve
network resources.  That entry may live for decades and be very
difficult to correct.

 Also, having hundreds of blacklists as per your email seems like a very 
 silly idea? I can understand 3-5, but hundreds?

I was not recommending that you post to blacklisting services, but
rather you will end up dealing with these services in an effort to allow
the address to once again reliably send mail should your customer expect
that ability.  

-Doug
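Mikael's netflow idea (one customer address talking to many distinct port 25 destinations) and Doug's reply-code audit (a run of 550s coming back to the same source) are both cheap to prototype from data an ISP already has. The Python below is an added example, not Cisco's Content Services Gateway or either poster's tooling: the flow records and the interceptor log line format (`src=… dst=… code=…`) are constructed for the demo, and the thresholds are lowered to fit the tiny sample rather than tuned against real baseline traffic.

```python
"""Spot customer hosts that look like spam bots from two vantage points
the thread describes: (1) flow records showing port 25 fan-out to many
distinct remote hosts, (2) SMTP reply codes seen by a transparent
interceptor.  Added example; flow and log formats below are constructed
for the demo, not any vendor's export format."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal flow record: who talked to whom on which destination port."""
    src: str
    dst: str
    dport: int


def port25_fanout(flows, min_destinations: int = 50) -> dict[str, int]:
    """Count DISTINCT port-25 destinations per source.  Fan-out, not volume,
    is the signal: a customer relaying 10,000 messages through one smarthost
    has fan-out 1 and is never flagged; a bot spraying remote MXes is."""
    dests: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f.dport == 25:
            dests[f.src].add(f.dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= min_destinations}


# Constructed line format for an interceptor's reply log (hypothetical).
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) code=(?P<code>\d{3})")


def reply_code_alerts(lines, codes=frozenset({550, 551, 553}),
                      min_rejects: int = 50) -> dict[str, int]:
    """Tally remote 5xx rejections (unknown user / relay denied) per customer
    source.  A run of them means an address list is being worked through,
    or a user who cannot type; either way the ISP wants to look.  Lines that
    do not match the format are skipped rather than crashing the collector."""
    counts: dict[str, int] = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m["code"]) in codes:
            counts[m["src"]] += 1
    return {src: n for src, n in counts.items() if n >= min_rejects}


# Constructed sample data: 192.0.2.0/24 = customers, 192.0.2.5 = the ISP
# smarthost, 198.51.100.0/24 and 203.0.113.0/24 = remote hosts.
SAMPLE_FLOWS = (
    # .10: eight distinct remote MXes on port 25 -> bot-like fan-out
    [Flow("192.0.2.10", f"198.51.100.{n}", 25) for n in range(1, 9)]
    # .20: two mail servers plus ten web servers -> normal user
    + [Flow("192.0.2.20", "198.51.100.1", 25), Flow("192.0.2.20", "198.51.100.2", 25)]
    + [Flow("192.0.2.20", f"203.0.113.{n}", 80) for n in range(1, 11)]
    # .30: twenty flows, all to the ISP smarthost -> fan-out 1, heavy but fine
    + [Flow("192.0.2.30", "192.0.2.5", 25) for _ in range(20)]
)

SAMPLE_LOG = (
    [f"2004-09-21T14:22:0{n} src=192.0.2.10 dst=198.51.100.{n} code=550" for n in range(1, 7)]
    + ["2004-09-21T14:22:07 src=192.0.2.20 dst=198.51.100.1 code=550",
       "2004-09-21T14:22:08 src=192.0.2.20 dst=198.51.100.1 code=250",
       "2004-09-21T14:22:09 src=192.0.2.20 dst=198.51.100.2 code=250",
       "garbage line the collector should ignore"]
)

if __name__ == "__main__":
    # Thresholds lowered to fit the tiny sample; production values would be
    # tuned against the network's own baseline.
    print("fan-out suspects :", port25_fanout(SAMPLE_FLOWS, min_destinations=5))
    print("reject suspects  :", reply_code_alerts(SAMPLE_LOG, min_rejects=5))
```

Two design choices carry the weight here. Fan-out is counted on distinct destinations rather than flow volume, so a customer that legitimately pushes heavy mail through one smarthost is not flagged, which is the Whack-a-Mole failure Doug warns about. And the reply-code collector ignores lines it cannot parse instead of dying on them, because a detector that stops running during an outbreak is worse than none.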



Re: FW: The worst abuse e-mail ever, sverige.net

2004-09-21 Thread Brian Wallingford

:Let's put this in perspective.  Say a hypothetical sysadmin were to
:disable any and all authentication on his SSH server.  And that
:someone then used SSH from your network to run code that sysadmin
:didn't like on that machine.  Would you then consider it reasonable if
:the sysadmin proposed:
:
:   The only responsible thing to do is filter port 22, smarthost for
:   your users, and inform them about using the alternate submission
:   port with authenticated SSH in order to work with enterprise SSH
:   servers - or IPSec VPNs, for that matter. This is simply the best
:   practice, at this point in time.
:

Apples & oranges;  thanks for playing, please try again...