
Re: [Asrg] 6. Proposals: MTA MARK vs port 25 filtering?



On Wed, Dec 10, 2003 at 05:17:12PM -0500, David Maxwell wrote:
> deny *
> permit MTA1
> permit MTA2
> 
> That isn't a very complicated ACL. I believe Cisco IOS will fastpath
> that in most cases (turning on some specific options will make it slow
> path, of course).

One of our blocks is a /16 populated mainly with commercial customers.
A lot of them are managing their own MTAs. I'd estimate about 600-700
(intended ;-) MTAs at least in that block.

> MTAs don't change very often. Adding MTA3 to the list above shouldn't be
> overly challenging (but I understand that you don't want a $5/h tech
> making that change).

With that number of MTAs you will have one or two every day. And you
have to update all your border routers and it should happen promptly.

> Compared to the cost of people time to handle spam complaints, it's
> probably easy to justify.

If I have to handle spam complaints for a customer because of a hacked
machine I can make the customer pay for it. We have about 2-3 complaints
a week, most of them about faked Received: lines; about 1 or 2 per month
are about a customer. Even charging them 150 USD per hour is much
cheaper for a single customer than the hassle of buying hardware,
setting it up, having it maintained. You know, it's like with fare
dodgers: they have to pay a penalty if they get caught. But it only
happens once in a while so it is cheaper not to buy a ticket.

> I was suggesting that the ISP be the org blocking 25. (I dislike network
> blocks in general, because they diminish the usefulness of the Internet,
> but spam does so even more.) Accessing the router at the ISP will not be
> as easy either.

As I wrote to Alan already, we can't do that without changing each and
every contract and I doubt many customers would sign the new one.

> > 5) With MTA MARK I as a receiver know what the intention of the
> >    maintainer of the IP space is. With a port 25 block not being there I
> >    don't know if it is on purpose or if it is a mistake.
> 
> Your comparison is not valid. You can't detect mistakes in the MTAMark
> database entries any more than you can detect errors in the ACL.

This sounds plausible ;-)
But with MTA MARK the sender could express a policy that I could query.
With an outgoing port 25 block in a firewall whose rules are not
publicly available he/I can't.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg