North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Time to check the rate limits on your mail servers
----- Original Message ----- From: "Jason Frisvold" <[email protected]>
I still can't really agree.On Thu, 03 Feb 2005 17:54:28 +0200, Gadi Evron <[email protected]> wrote:Still, please tell me, how is not blocking un-used or un-necessary ports a bad thing? It is a defensive measure much like you'd add barricades before an attack.Agreed. And depending on your service, there are different ports worth blocking. For residential users, I can't see a reason to not block something like Netbios. And blocking port 25 effectively prevents zombies from spamming. Unfortunately, it also blocks legitimate users from being able to use SMTP AUTH on a remote server..
How do you know a port is un-used or un-necessary? Because IANA has assigned port 25 as SMTP? Because only crackers use netbios outside their lan? You can't really inspect your network for a month to determine what ports are being used legit either since this changes over time and the list of ports would be noisy due to virus' etc. And why should you block that particular port when there are no difference between port numbers technically speaking? The only valid reason would be because the other party is also using that port and blocking that particular port will prevent that particular traffic unless somebody changed the portnumber - which will happen if you start blocking specific ports because it might just annoy certain people too much. This is why all the socket enabled software we develop always use port 80 or 443 to be able to get through firewalls. We simply don't want to spend the extra time helping and telling the customer to enable this and that port on their firewall. So in 20 years when every single program is using the same port because you are blocking all the other ports - how can you tell the difference? Packet inspection! But no not always, not when you are using SSL etc. Oh okay, then lets disable that then since you can't identify those packets and because we don't care about the collateral damage it gives anyway?
To a solution I would consider okay:
Since port 25 is mostly known as belonging to SMTP I would rather transparently proxy all outbound 25 connections from customers to our outbound SMTP server instead of blocking the port directly. If the proxy was unable to detect that this was a legit SMTP connection, it will redirect to the original target instead. Now, what will happen is that your companies SMTP server will catch every single bot/worm spamming through SMTP. Here is when the rate-limit and outbound spam/virusfilters should kick in. If you were sending more than 10 infected e-mails or you are actually spamming (yourself or not), disable the customers internet connectivity and redirect port 80 requests to an information page telling the customer "you are infected, click here to download antivirus etc... and click here when you think you have removed the virus/stopped spamming to regain full connectivity". Virus' could automaticly detect this so you shouldn't make it too easy to regain internet access.
This would help your customer finding out if their equipment is infected instead of being unaware of it (since you block port 25 instead). If the customers laptop was infected and he/she frequently moves to other isps (wlan etc) not blocking that port, it could be harder to find out for both parties.
Joergen HovlandThey now evolved, and are using user-credentials and ISP-servers. This evolution means that their capabilities are severely decreased, at least potentially.Has this been confirmed? Does this new worm, in fact, use SMTP AUTH where necessary? Will it also check the port that the user's computer is set to send mail on? So, for instance, if SMTP AUTH is required, and the mail submission port is being used rather than standard port 25, will the worm detect all this? The nice part about SMTP AUTH, though, is that there is at least a direct link to the user sending the spam. This means, of course, that ISP's will need to police their users a little better.. :)It means ISP's will have to re-think their strategies, just like AOL did. It also means it's once small step to victory for us. We are a long way from it, and please - not everybody blocks port 25 so current-day worms are more than efficient still.So I guess users will have to stop clicking that "Save Password" button... That is, until the worm records the keystrokes when the password is entered... *sigh*Gadi.-- Jason 'XenoPhage' Frisvold [email protected]
Joergen Hovland ENK