[Asrg] BCP suggestion: port-blocking by ISPs
Several major consumer-oriented ISPs block port-25 traffic (coming and
going) direct to external MTAs. This is a palliative measure dealing
with compromised machines. We can do better. We can implement
preventative measures reduce the incidence of compromised machines.
Having just gotten back on broadband, I set my modem-router's packet
filters to block and log all incoming packets to ports < 1024. Port 445
seems to be getting around 10 hits per minute, depending on time of day.
I've now turned off logging to keep my logfiles from expanding
ridiculously.
Inbound traffic
===============
Given that many retail ISPs explicitly forbid running externally
visible servers on residential accounts, I suggest that they block all
ports below 1024 inbound TCP and UDP. This will...
1) reduce "pop-up spam"
2) reduce exploits via unguarded open Windows shares (ports 137, 138,
139, and 445) and Windows rpc (port 135) plus whatever else Bill
has left the Gates open for. This will make it harder to cultivate
spam zombies.
3) block spammers' ability to use a modified TCP/IP stack to send out
heavy-duty spam traffic on a T1 or highspeed-residential account
with source IP address forged to that of a cheap dial-up account
that they have logged on to receive the SMTP return traffic on.
It should be promoted as a "partial firewall".
Outbound traffic
================
In addition to protecting their own customers, ISPs should take some
minimal measures to protect other ISPs' customers.
1) egress filtering of packets with forged source IP addresses
2) block outbound traffic to ports 135, 137, 138, 139, and 445. There
is no justification/reason/rationalization/lameass-excuse for a
residential account to be sending out traffic on these ports.
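As an added illustration (not part of the original post), the inbound and
outbound policy above expressed as a small packet-filter model: inbound
TCP/UDP to ports below 1024 is dropped and logged, outbound packets whose
source address lies outside the customer's assigned prefix are dropped
and logged as forged, and outbound traffic to the Windows RPC/NetBIOS/SMB
ports is dropped. The Packet type, the customer prefix and the sample
trace are all constructed for this example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports the post says a residential account has no reason to send to:
# Windows RPC endpoint mapper (135), NetBIOS (137-139) and SMB (445).
WINDOWS_SERVICE_PORTS = {135, 137, 138, 139, 445}

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (Internet -> customer) or "out" (customer -> Internet)
    proto: str       # "tcp", "udp" or anything else (e.g. "icmp")
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination port (ignored for non-TCP/UDP)

def decide(pkt: Packet, customer_prefix: str) -> str:
    """Return 'allow', 'drop' or 'drop+log' for a packet at the ISP edge.

    customer_prefix is the address range the ISP assigned to this account
    (a hypothetical value for the example); it is used for egress filtering.
    """
    if pkt.proto not in ("tcp", "udp"):
        return "allow"                       # the port rules only cover TCP/UDP
    if pkt.direction == "in":
        # No externally visible servers on residential accounts: block every
        # well-known port, logging hits as the author did on the modem-router.
        return "drop+log" if pkt.dport < 1024 else "allow"
    if pkt.direction == "out":
        # Egress filtering: a source address outside the assigned range is forged.
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(customer_prefix):
            return "drop+log"
        # Residential accounts have no business talking to these ports outbound.
        return "drop" if pkt.dport in WINDOWS_SERVICE_PORTS else "allow"
    raise ValueError(f"unknown direction {pkt.direction!r}")

def summarize(packets, customer_prefix: str) -> dict:
    """Count verdicts over a trace, e.g. to size the log volume before enabling it."""
    return dict(Counter(decide(p, customer_prefix) for p in packets))

# Constructed sample trace for a customer on the documentation range 198.51.100.0/24.
SAMPLE_TRACE = [
    Packet("in",  "tcp", "203.0.113.9",   "198.51.100.20", 445),   # SMB probe from outside
    Packet("in",  "udp", "203.0.113.9",   "198.51.100.20", 137),   # NetBIOS name probe
    Packet("in",  "tcp", "203.0.113.9",   "198.51.100.20", 8080),  # high port, allowed
    Packet("out", "tcp", "198.51.100.20", "203.0.113.9",   25),    # legitimate source, allowed
    Packet("out", "tcp", "198.51.100.20", "203.0.113.9",   445),   # SMB outbound, dropped
    Packet("out", "tcp", "192.0.2.5",     "203.0.113.9",   25),    # forged source, dropped+logged
]

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE, "198.51.100.0/24"))
```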
--
Walter Dnes <waltdnes at waltdnes.org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did