North American Network Operators Group

Re: ISPs are asked to block yet another port
On Mon, 23 Jun 2003, Paul Vixie wrote:
>
> [email protected] ("Christopher L. Morrow") writes:
>
> > ISPs could block all ports and save everyone the hassle of having an
> > Internet.... (I am just kidding of course)
> >
> > Two interesting points though:
> >
> > 1) Spammers adapt
> > 2) default insecure OS installs cause problems
>
> 3) thoughtless reactionism at ISPs does little good and sometimes some harm.

indeed it does... breaking the network with acls often gets me in trouble :)
Really, there are always better solutions than mass filtering something like
this.

> take for example port-25 blocking. i've been getting relayprobed all
> weekend by someone who gets around outbound at&t's tcp/25 SYN blocking
> by sending their SYNs through a provider who shall remain nameless
> (except that chris morrow happens to work there :-)) using at&t IP
> source addresses. i guess they multihomed their host and bind()'d the
> outbound socket to one interface even while making sure the routing
> used a different interface. high rocket science? NOT.

This is what our, at least, abuse team calls 'fantasy mail'. There is a fix
for it, port 25 in and out filtering for radius customers. The 'problem' as I
understand it, is that the change would be a contract change so it has to wait
for expiration of said contract to be enforced... :( It's a sucky world
sometimes. Perhaps Paul complained to ATT/<other-unnamed-provider> with logs
and such? :)

> so if you're going to block tcp/25 SYNs on outbound, please make sure
> you block SYN/ACKs on input too, or else you just give the spammers a
> little more work to do instead of a lot more work to do.

Yup, this is in the works also... and yes, someone realized quickly enough
that the one-way filtering was dumb. oh well. live and learn!
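The egress-only versus two-way filter point in the exchange above, as an added example that is not from the thread or from either provider: a small stateless ACL model in Python, with constructed RFC 5737 addresses, showing that a SYN/ACK returning to a customer address passes an egress-only tcp/25 SYN filter but is dropped once the matching ingress SYN/ACK rule is added.

```python
# Added example, not from the NANOG thread: a minimal stateless ACL model of
# the two tcp/25 filters discussed above. Addresses are constructed
# documentation ranges (RFC 5737), not any real provider's space.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CUSTOMER_SPACE = ip_network("192.0.2.0/24")  # constructed: this ISP's customer block
OUTSIDE_MX = "203.0.113.25"                   # constructed: the mail relay being probed

@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = leaving this ISP, "in" = entering it
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})

def egress_syn_block(pkt: Packet) -> bool:
    """Rule 1 (the one-way filter): drop tcp/25 SYNs that customers send outward."""
    return (pkt.direction == "out" and ip_address(pkt.src) in CUSTOMER_SPACE
            and pkt.dport == 25 and pkt.flags == frozenset({"SYN"}))

def ingress_synack_block(pkt: Packet) -> bool:
    """Rule 2 (the missing half): drop tcp/25 SYN/ACKs headed back to customers."""
    return (pkt.direction == "in" and ip_address(pkt.dst) in CUSTOMER_SPACE
            and pkt.sport == 25 and pkt.flags == frozenset({"SYN", "ACK"}))

EGRESS_ONLY = [egress_syn_block]
EGRESS_AND_INGRESS = [egress_syn_block, ingress_synack_block]

def handshake_completes(packets, rules) -> bool:
    """True if no packet of the exchange, as seen by this ISP, matches a drop rule."""
    return not any(rule(p) for p in packets for rule in rules)

# Constructed flow 1: a customer host opens tcp/25 to the relay through this ISP.
DIRECT_PROBE = [
    Packet("out", "192.0.2.10", OUTSIDE_MX, 40000, 25, frozenset({"SYN"})),
    Packet("in", OUTSIDE_MX, "192.0.2.10", 25, 40000, frozenset({"SYN", "ACK"})),
]

# Constructed flow 2: the SYN left through a different provider carrying this
# ISP's source address, so this ISP only ever sees the returning SYN/ACK.
SPOOFED_SOURCE_PROBE = [
    Packet("in", OUTSIDE_MX, "192.0.2.10", 25, 40000, frozenset({"SYN", "ACK"})),
]
```

With EGRESS_ONLY the spoofed-source flow completes (the bypass Paul describes); with EGRESS_AND_INGRESS both flows are stopped.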