North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: karl and paul, expostulating

  • From: Karl Denninger
  • Date: Wed Feb 19 23:29:07 1997

> > Filtering by connection to the SMTP port, based on source address, very
> > definitely DOES work.
> Filtering packets based on source address makes Ciscos go way slow on 
> every packet.  Filtering based on destination address makes Ciscos go
> very fast on most packets and a little slower on SYN-ACKs.

Filtering at the SMTP SERVER LEVEL has no impact on CISCOs at all!

Its also trivial.  The current 8.8.x Sendmail code has provisions for it
already in the code.  The hooks take about 20 seconds to install, and one
line to edit in a file to update.  The impact on SMTP connection isn't even
measurable for those who don't trip it, and for those who do, you can even
return a rude message -- or a 421 error, which keeps the spam at the source
(loading the spammers mailserver -- a GOOD thing!)

> > And again, unnecessary and overbroad.  Filtering at the SMTP receiver port
> > is perfectly fine, it works, and it doesn't prevent other traffic.
> And, again, wrong.  I want spammers to spend 75 seconds of TCP PCB time on me.
> By blackholing SYN-ACKs and not sending them ICMPs, they lose capacity that
>they could otherwise spend spamming other people. I call this "fighting dirty."

Again, wrong Paul.  Sending back 421s to the spammers force them to waste
not only the connection time, but the scan time on their disks.  If lots of
people do it they back up thousands of email messages, and THAT breaks their
mail servers.  This is a very good thing.  Its even uglier than the 75
seconds, in that its cumulative and probably keeps that nice message on
their disks (where it eats resolver resources, storage, and useless attempts
at delivery) for up to five days.

Much more elegant, in my opinion.

> I operate a cooperative resource.  I will not have it used against me.
> This is not negotiable.  I pay for my part of the Internet and anyone
> who wants their traffic to traverse it has to make sure that I derive
> similar value, in the aggregate, to theirs when they send me traffic.

No argument -- as long as a public root server isn't there.  If it wasn't
I'd be SUPPORTING your black-hole list.  But it is, and as such I'm not.

> Actually it's not personal, it's economic.  eDNS is piracy.  Very different.


> Yes, but now that I've got the eBGP feed working I'm starting to do real time
> spam reporting/detection that will cause third party unintended relays to be
> disabled while a spammer is still trying to use them.  Not everyone wants to
> spend that 30 seconds, and if we don't make spamming even less profitable
> than it is now, you'll be spending that 30 seconds 15 times per hour, 24x7.

Nonsense.  Why not distribute the "block the SMTP port" list instead?

> > That's a point-source response to the problem Paul.  Try it on sometime.
> I prefer as far as that goes.  But the
> problem isn't limited to a point, there are a LOT of people who want the
> same protection I work so hard to give myself, and I am donating that
> protection to anyone who wants it.

The point is, you can do that, hurt the spammers even more, and still find
ways to distribute the file (it IS only a flat file Paul) on an automated
basis, rapidly, if you want.

AND, you don't cut off a non-related resource (a root nameserver) in the

Karl Denninger ([email protected])| MCSNet - The Finest Internet Connectivity     | T1's from $600 monthly to FULL DS-3 Service
			     | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "[email protected]" WWW:
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
- - - - - - - - - - - - - - - - -