North American Network Operators Group


ingress SMTP

  • From: *Hobbit*
  • Date: Wed Sep 03 11:40:04 2008

I've been blackholing NANOG mail for a while due to other things
displacing the time I'd need to read it, so I might be a little out
of touch on this, but I did grovel through some of the archives
looking for any discussion on this before posting.  Didn't find a
really coherent answer yet.

What I'm trying to get a feel for is this: what proportion of edge
customers have a genuine NEED to send direct SMTP traffic to TCP 25
at arbitrary destinations?  I'm thinking mostly of cable-modem and
DSL/fiber swamps, dialup pools [do they even exist anymore?], and
other clouds basically containing end-users rather than the more
"bidirectional" business-class customers.

The big providers -- comcast, verizon, RR, charter, bellsouth, etc --
seem to be some of the most significant sources of spam and malware
attempts, mostly from compromised end-user machines, and it seems
that simply denying *INGRESS* of TCP 25 traffic except to the given
ISP's outbound relay servers would cut an awful lot of it off at the
pass.  Decent anti-header-spoofing configuration on said mailservers
would take care of even more.  I realize this might be a total
hot-button but I'm not talking about filtering TOWARD customers, I'm
talking about filtering FROM them, upstream -- possibly less often
discussed.  And only SMTP.  Not censorship, just a simple technical
policy that the vast majority of customers wouldn't even notice.

I've got a paper out about this that was put together quite a
while ago, in fact:

  http://www.usenix.org/publications/login/2005-10/openpdfs/hobbit.pdf

I can weigh the decision to trust a PTR lookup, but most of the big
players seem to have their inverse DNS automated fairly well which
helps such little hacks work.  But really, I'd like to see more done
at the SOURCE of the problem, which should be as simple as two ACL
lines dropped into some edge routers.

What is preventing this from being an operational no-brainer,
including making a few exceptions for customers that prove they know
how to lock down their own mail infrastructure?

And why do the largest players seem to have the least clue about it?

_H*
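The "two ACL lines" the post describes, worked through as an added example that is not part of Hobbit's post or the linked paper. It assumes a hypothetical residential pool, two ISP outbound relays and one exempted customer, all drawn from RFC 5737 documentation address space, and renders the policy in an IOS-style extended-ACL syntax (illustrative, not a vendor-verified configuration). The evaluator then applies the ordered rules to a few constructed flows so the effect of the relay permits, the exemption and the port-25 deny can be checked directly; the ACL is meant to be applied inbound on the customer-facing interface, i.e. to traffic FROM customers, as the post specifies.

```python
"""Egress TCP/25 policy for a residential pool: build, render and evaluate."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from RFC 5737 documentation ranges; they are not any
# real ISP's customer pool or relay hosts.
CUSTOMER_POOL = ipaddress.ip_network("192.0.2.0/24")   # residential pool
ISP_RELAYS = ("198.51.100.25", "198.51.100.26")        # ISP's own outbound relays
EXEMPT_HOSTS = ("192.0.2.200",)                        # customers running a locked-down MTA


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    dst: Optional[ipaddress.IPv4Network]     # None means "any"
    proto: Optional[str]                     # None means "ip" (any protocol)
    dport: Optional[int]                     # None means any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def build_acl() -> list:
    """Ordered rules: relay permits, customer exemptions, the TCP/25 deny, then permit-all."""
    acl = [Rule("permit", CUSTOMER_POOL, ipaddress.ip_network(r), "tcp", 25)
           for r in ISP_RELAYS]
    acl += [Rule("permit", ipaddress.ip_network(h), None, "tcp", 25)
            for h in EXEMPT_HOSTS]
    acl.append(Rule("deny", CUSTOMER_POOL, None, "tcp", 25))   # the actual block
    acl.append(Rule("permit", None, None, None, None))          # everything else untouched
    return acl


def _addr(net: Optional[ipaddress.IPv4Network]) -> str:
    """IOS-style address clause: 'any', 'host A.B.C.D', or 'network wildcard-mask'."""
    if net is None:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_acl(acl: list) -> list:
    """Render the rule list as IOS-style extended ACL lines (illustrative syntax)."""
    lines = []
    for r in acl:
        line = f"{r.action} {r.proto or 'ip'} {_addr(r.src)} {_addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


def evaluate(acl: list, flow: Flow) -> str:
    """First-match evaluation; an ACL with no match ends in an implicit deny."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for r in acl:
        if r.src is not None and src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"


# Constructed flows: a bot spamming a remote MX, a normal customer using the
# relay, the same customer using submission (587), the exempted MTA, and web.
SAMPLE_FLOWS = [
    Flow("192.0.2.17", "203.0.113.10", "tcp", 25),     # compromised host -> remote MX
    Flow("192.0.2.17", "198.51.100.25", "tcp", 25),    # customer -> ISP relay
    Flow("192.0.2.17", "203.0.113.10", "tcp", 587),    # submission is not port 25
    Flow("192.0.2.200", "203.0.113.10", "tcp", 25),    # exempted customer MTA
    Flow("192.0.2.17", "203.0.113.10", "tcp", 443),    # unrelated traffic
]


def audit(flows=SAMPLE_FLOWS) -> list:
    """Return (flow, verdict) pairs so the policy's effect can be inspected."""
    acl = build_acl()
    return [(f, evaluate(acl, f)) for f in flows]


if __name__ == "__main__":
    for line in render_acl(build_acl()):
        print(line)
    for flow, verdict in audit():
        print(f"{verdict:6} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

The exemption rules sit above the deny, so adding a customer who has demonstrated a locked-down mail setup is a single permit line rather than a redesign; port 587 submission and everything that is not TCP/25 fall through to the final permit, which is why most customers would not notice the policy.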