
Re: [Asrg] BCP suggestion: port-blocking by ISPs



At 5:57 PM +0100 8/3/04, Tim Bedding wrote:
> Walter
>
>  Several major consumer-oriented ISPs block port-25 traffic (coming and
>  going) direct to external MTAs.  This is a palliative measure dealing
>  with compromised machines.  We can do better.  We can implement
>  preventative measures to reduce the incidence of compromised machines.

> I am considering the idea of a regulatory body in the UK using fines to ensure compliance with certain rules to tackle spam.
>
> One rule would be that ISPs must ensure rapid isolation of zombie
> machines.

Immediate and permanent disconnection would be a better recommendation.

> Should I add port 25 blocking to the list of rules?

No. It's not a BCP, it's a crutch for lazy ISP's. Spam flow is the most obvious sign of compromise to the outside world, and blocking port 25 means that an ISP doesn't have to pay any attention to the fact that customer machines have been enlisted in a zombie army. That's a very bad thing.


However, it might be a good idea to recommend to ISP's that they differentiate their offerings more clearly and offer customers who want such access accounts that trade liberty for security. AOL has proven that there's a market for this and that they can describe such access more appealingly than I can.

> Can you think of other things that definitely should be required?

Practice must be consistent with published policy. If an ISP has an AUP that says "we disconnect abusive machines" or "we hold customers responsible for their security failings" they need to put real teeth behind them.


In an ideal world, ISP's would either stop acting like regulated utilities or submit to being truly regulated utilities. Customers with a history of breaking the rules (i.e. allowing their machines to be compromised) should not be scolded and let back in as customers, they should have to go looking for some other ISP.

I don't suppose it would not go over well to simply say that the ISP business needs desperately to develop some semblance of integrity after a decade of domination by companies that have all the legitimacy of an Albanian pyramid scheme.

On a practical level not related to spam directly, it is long past time for consumer-oriented ISP's in particular to implement basic ingress filtering from customer systems. There's no excuse for accepting packets claiming to be from foreign IP addresses from a single-homed customer other than laziness, ignorance, and cowardice.

> Also, the UK government should lean on the US government to
> follow suit (if possible).

Pointless. The US government, particularly the current one, does not respond well to 'leaning' by anyone, even people it claims to be allied with. The US government also does not have the capacity for action that exists in UK-style parliamentary systems, because of the strong separation of powers. The best demonstration of this is that George Bush's FCC has had its biggest regulatory change halted by Congress and the courts even though Bush's party theoretically controls Congress and has appointed the majority of the Federal bench including a majority of the Supreme Court. Beyond that, regulating ISP's would go against the political theory of the current regime and against their practical political interests. It might be less infeasible for a Democrat, but only marginally and I doubt that external pressure would be of much more use.


The pressure point in the US is the market. Back during the highest time of the bubble, a few ISP's including Teleglobe and AboveNet demonstrated a willingness to withhold cooperation on a network level with mismanaged networks specifically over spam issues. The will for such battles vanished with the unsupportable share prices, but maybe enough stability has returned for network operators to seriously police their own.

--
Bill Cole
bill at scconsult.com

