North American Network Operators Group

Re: Anti-spam System Idea

  • From: Jon R. Kibler
  • Date: Sun Feb 15 15:09:41 2004

[email protected] wrote:
> On Sat, 14 Feb 2004, Tim Thorpe wrote:
> > If these exist then why are we still having problems?
> Because the spammers are creating proxies faster than any of the anti-spam
> people can find them.  Evidence suggests, at least on the order of 10,000
> new spam proxies are created and used every day by spackers
> (spammer/hackers).
> The relative insecurity of Windows and ignorance of the average internet
> user has created an incredibly target rich environment for the spackers.
> > Why do we let customers who have been infected flood the networks with
> > traffic as they do? Should they not also be responsible for the security
> > of their computers? Do we not do enough to educate?
> Economics, and convenience outweighing security.  We're big, and slow to
> change.  They're small and mobile.

The Internet's spam load could be easily cut by 50% or more. All it would
take is the cooperation of most major ISPs and academic institutions. 

As this discussion thread has indicated, most spam originates from systems
infected with spamiruses or open proxy servers. How to shut down all such
malware? Simple: Apply egress filtering ACLs to all border routers to prohibit
outgoing port 25 connections from DHCP addresses.

We find that at least 85% of all spam originates from DHCP addresses. Thus, if
a significant number of ISPs would perform port 25 egress filtering, I believe 
that it would significantly reduce spam, and force criminal spammers to develop 
completely new spamming technologies.

If ISPs were to go further, and require their customers with static IPs to
perform port 25 egress filtering, blocking such connections from all systems
except for the customer's legitimate MTA, we could virtually eliminate spam
originating from hijacked systems.

OK, I can hear the objections now... ACLs slow down our routers and thus reduce
through-put. Well, that may be true in the purest sense of the argument, but can
you demonstrate that a few ACLs will have a SIGNIFICANT impact on through-put?
I would be willing to bet that any through-put reduction caused by ACLs, in the
long run, would be more than compensated for by the corresponding reduction in
spam traffic passing through the router. Also, if filtering were to occur at the
point closest to the source, rather than at an aggregation point, the impact of 
any ACLs would be distributed across the network in such a manner as to probably 
have no observable impact on network through-put.

(If anyone has any hard statistics on ACL impact on network through-put, I would
sure like to see those studies!)

Just my $0.02 worth...

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
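
The filtering policy proposed in the message above, as an added example that is not part of the original post: a model of the two rules (drop outbound port 25 from DHCP pools; inside a static customer block permit port 25 only from the customer's MTA), run over constructed flow records. The address ranges, the MTA address and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing plan (documentation ranges); all values are assumptions.
DHCP_POOLS = [ipaddress.ip_network("198.51.100.0/24")]
STATIC_CUSTOMERS = {
    # customer static block -> the one host allowed to send mail directly
    ipaddress.ip_network("203.0.113.0/28"): ipaddress.ip_address("203.0.113.5"),
}
SMTP_PORT = 25


def egress_decision(src, dst_port, proto="tcp"):
    """Return (action, reason) for one outbound flow at the border."""
    if proto != "tcp" or dst_port != SMTP_PORT:
        return "permit", "not SMTP"
    addr = ipaddress.ip_address(src)
    if any(addr in pool for pool in DHCP_POOLS):
        return "deny", "port 25 from DHCP pool"
    for block, mta in STATIC_CUSTOMERS.items():
        if addr in block:
            if addr == mta:
                return "permit", "customer MTA"
            return "deny", "static host is not the customer MTA"
    return "permit", "no matching rule"


def summarize(flows):
    """Count denied flows per source so repeat offenders stand out."""
    denied = {}
    for src, _dst, port in flows:
        action, _reason = egress_decision(src, port)
        if action == "deny":
            denied[src] = denied.get(src, 0) + 1
    return denied


# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("198.51.100.23", "192.0.2.10", 25),   # DHCP host mailing directly
    ("198.51.100.23", "192.0.2.77", 25),
    ("198.51.100.23", "192.0.2.10", 443),  # not port 25, so untouched
    ("203.0.113.5", "192.0.2.10", 25),     # customer's legitimate MTA
    ("203.0.113.9", "192.0.2.10", 25),     # other host in the static block
    ("198.51.100.40", "192.0.2.10", 80),
]

if __name__ == "__main__":
    for src, count in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{src}: {count} port 25 connection(s) would be dropped")
```

Sources that keep hitting the deny rules are the hosts worth checking for infection or an open proxy.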
