North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Time to check the rate limits on your mail servers

  • From: Jørgen Hovland
  • Date: Thu Feb 03 14:26:44 2005

----- Original Message ----- From: "Jason Frisvold" <[email protected]>

On Thu, 03 Feb 2005 17:54:28 +0200, Gadi Evron <[email protected]> wrote:
Still, please tell me, how is not blocking un-used or un-necessary ports
a bad thing? It is a defensive measure much like you'd add barricades
before an attack.
Agreed.  And depending on your service, there are different ports
worth blocking.  For residential users, I can't see a reason to not
block something like Netbios.  And blocking port 25 effectively
prevents zombies from spamming.  Unfortunately, it also blocks
legitimate users from being able to use SMTP AUTH on a remote server..

I still can't really agree.
How do you know a port is un-used or un-necessary? Because IANA has assigned port 25 as SMTP? Because only crackers use netbios outside their lan? You can't really inspect your network for a month to determine what ports are being used legit either since this changes over time and the list of ports would be noisy due to virus' etc. And why should you block that particular port when there are no difference between port numbers technically speaking? The only valid reason would be because the other party is also using that port and blocking that particular port will prevent that particular traffic unless somebody changed the portnumber - which will happen if you start blocking specific ports because it might just annoy certain people too much. This is why all the socket enabled software we develop always use port 80 or 443 to be able to get through firewalls. We simply don't want to spend the extra time helping and telling the customer to enable this and that port on their firewall. So in 20 years when every single program is using the same port because you are blocking all the other ports - how can you tell the difference? Packet inspection! But no not always, not when you are using SSL etc. Oh okay, then lets disable that then since you can't identify those packets and because we don't care about the collateral damage it gives anyway?

To a solution I would consider okay:
Since port 25 is mostly known as belonging to SMTP I would rather transparently proxy all outbound 25 connections from customers to our outbound SMTP server instead of blocking the port directly. If the proxy was unable to detect that this was a legit SMTP connection, it will redirect to the original target instead. Now, what will happen is that your companies SMTP server will catch every single bot/worm spamming through SMTP. Here is when the rate-limit and outbound spam/virusfilters should kick in. If you were sending more than 10 infected e-mails or you are actually spamming (yourself or not), disable the customers internet connectivity and redirect port 80 requests to an information page telling the customer "you are infected, click here to download antivirus etc... and click here when you think you have removed the virus/stopped spamming to regain full connectivity". Virus' could automaticly detect this so you shouldn't make it too easy to regain internet access.
This would help your customer finding out if their equipment is infected instead of being unaware of it (since you block port 25 instead). If the customers laptop was infected and he/she frequently moves to other isps (wlan etc) not blocking that port, it could be harder to find out for both parties.

They now evolved, and are using user-credentials and ISP-servers. This
evolution means that their capabilities are severely decreased, at least
Has this been confirmed?  Does this new worm, in fact, use SMTP AUTH
where necessary?  Will it also check the port that the user's computer
is set to send mail on?  So, for instance, if SMTP AUTH is required,
and the mail submission port is being used rather than standard port
25, will the worm detect all this?

The nice part about SMTP AUTH, though, is that there is at least a
direct link to the user sending the spam.  This means, of course, that
ISP's will need to police their users a little better..  :)

It means ISP's will have to re-think their strategies, just like AOL
did. It also means it's once small step to victory for us. We are a long
way from it, and please - not everybody blocks port 25 so current-day
worms are more than efficient still.
So I guess users will have to stop clicking that "Save Password"
button...  That is, until the worm records the keystrokes when the
password is entered...  *sigh*


Jason 'XenoPhage' Frisvold
[email protected]

Joergen Hovland
Joergen Hovland ENK