|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: karl and paul, expostulating
> > > > > > Filtering by connection to the SMTP port, based on source address, very > > > definitely DOES work. > > > > Filtering packets based on source address makes Ciscos go way slow on > > every packet. Filtering based on destination address makes Ciscos go > > very fast on most packets and a little slower on SYN-ACKs. > > Filtering at the SMTP SERVER LEVEL has no impact on CISCOs at all! > > Its also trivial. The current 8.8.x Sendmail code has provisions for it > already in the code. The hooks take about 20 seconds to install, and one > line to edit in a file to update. The impact on SMTP connection isn't even > measurable for those who don't trip it, and for those who do, you can even > return a rude message -- or a 421 error, which keeps the spam at the source > (loading the spammers mailserver -- a GOOD thing!) Karl, The biggest problem with this is when you have 40 machines doing ESMTP service within a domain, spread around, coordinating changes to the config files on all the servers is a pain the proverbial buttocks. Having the routers pick up the list of no-no sites automatically means that much more engineering time available for working on more important issues, like maintaining good network connectivity. > > I operate a cooperative resource. I will not have it used against me. > > This is not negotiable. I pay for my part of the Internet and anyone > > who wants their traffic to traverse it has to make sure that I derive > > similar value, in the aggregate, to theirs when they send me traffic. > > No argument -- as long as a public root server isn't there. If it wasn't > I'd be SUPPORTING your black-hole list. But it is, and as such I'm not. I do see a problem with having a root nameserver on a line that's paid for by Paul; if he becomes less financially solvent, and can no longer afford to pay for his line, that nameserver becomes unreachable. The easy answer is to have the InterNIC fund Paul Vixie's net connection, to make sure that nameserver will always be reachable, and pitch in for a 4700 with a 6-pack ethernet module, and a 4-pack serial module; that way he can separate out private services on separate segments from the public services. > > > Yes, but now that I've got the eBGP feed working I'm starting to do real time > > spam reporting/detection that will cause third party unintended relays to be > > disabled while a spammer is still trying to use them. Not everyone wants to > > spend that 30 seconds, and if we don't make spamming even less profitable > > than it is now, you'll be spending that 30 seconds 15 times per hour, 24x7. > > Nonsense. Why not distribute the "block the SMTP port" list instead? BECAUSE IT MEANS HUMANS HAVE TO PUT THE BLOODY THING ON 40 DIFFERENT MACHINES EVERY TIME IT CHANGES! Sorry about shouting, but I'd much prefer a single config change over carrying out repeated tasks on multiple machines that for various reasons can't share filesystems across the net. > -- > -- > Karl Denninger ([email protected])| MCSNet - The Finest Internet Connectivity > http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service > | 99 Analog numbers, 77 ISDN, Web servers $75/mo > Voice: [+1 312 803-MCS1 x219]| Email to "[email protected]" WWW: http://www.mcs.net/ > Fax: [+1 312 803-4929] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal Matt Petach - - - - - - - - - - - - - - - - -
|