North American Network Operators Group


Re: Time to check the rate limits on your mail servers

  • From: Gadi Evron
  • Date: Thu Feb 03 10:56:19 2005


> Hello
> I am a bit concerned that blocking any port at all preventing abuse of the affected service will make the abusers go through other services instead. Port 139/445 is already blocked by several ISPs due to excessive abuse or I believe they call it 'a security measurement'. Even port 23 has been blocked (inbound and outbound) by at least 1 large ISP I am aware of. When that mssql worm was lurking around, ISPs were also blocking that port. I hope I'm not the only one seeing a pattern here. Really, blocking ports makes no sense to me in the long run. You are destroying the service, and even if you block all ports there are several ways to spam anyway. You would probably reply now saying that "yeah but you get rid of 99% of the spammers that way". That is only partly true. As time goes on all spammers will adapt to your ISP's new "security policy" and if you still don't see the pattern I am talking about now there is nothing more I can say. I don't have the solution to all of this, but I sure know how to see what is not the solution. Teach people how to write "Hello world" better perhaps.

I quite agree, blocking ports is not the best answer, as it is a self-inflicted-DDoS.

Still, please tell me, how is not blocking unused or unnecessary ports a bad thing? It is a defensive measure much like you'd add barricades before an attack.

The Internet is a war zone, but I don't have to tell the NANOG community that.

Thing is, blocking port 25 won't cause spam to stop, there is no FUSSP solution. Yet, we all recognize that SMTP is far from perfect.

And indeed, as others here are more qualified than me, by far, to tell you, most development in anti-spam technology only helped short-term, and caused the bad guys to evolve. Well, why is blocking port 25 different? See for yourself.

They now evolved, and are using user-credentials and ISP-servers. This evolution means that their capabilities are severely decreased, at least potentially.

This is the best next thing after dark Irish stout and ketchup.

It means ISPs will have to re-think their strategies, just like AOL did. It also means it's one small step to victory for us. We are a long way from it, and please - not everybody blocks port 25 so current-day worms are more than efficient still.

It is nice to see fore thinking and long-term planning with the bad guys, where all we can do is disagree.

Gadi.