North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

  • From: Frank Bulk - iNAME
  • Date: Mon Jun 23 22:36:00 2008

Right, port 587 would require SMTP authentication.

I'm no routing expert, but can tens of thousands of /32s be excluded using
BGP communities?  

I don't know if spammers are going to be using TLS in a big way soon, though
I'll admit I've not measured.  As long TLS usage is low, examining TCP port
25 traffic would likely be effective without redirecting SMTP traffic and
making it effective for all customers downstream.

Frank

-----Original Message-----
From: Joel Jaeggli [mailto:[email protected]] 
Sent: Monday, June 23, 2008 4:06 PM
To: [email protected]
Cc: [email protected]
Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

Frank Bulk wrote:
> Thanks.  Even with TLS, the destination port (either 25 or 365) is
> well-known, right, as is the source IP?

And 587 though that's generally your customers, who are going authenticate.

> At the minimum RBLs could be used
> for that encrypted traffic.

Yeah, given that that point you're basically filtering by ip again, you
can do that with a bgp community. That's not really smtp filtering anymore.

> Frank
>
> -----Original Message-----
> From: Joel Jaeggli [mailto:[email protected]]
> Sent: Monday, June 23, 2008 2:20 PM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
> reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]
>
> <snip>
>
> dpi boxes from a number of vendors can do that sort of thing... whether
> they can do it fast enough to be inline with your compute cloud is
> another question entirely.
>
> That said the result is fairly perilous when rejecting a message
> involves forging packets. and of course tls supporting mta's will be
> opaque to the network traffic inspecting device.
>
>