
BCP suggestion, port 25 control RE: [Asrg] BCP suggestion: port-blocking by ISPs



> From: asrg-bounces at ietf.org [mailto:asrg-bounces at ietf.org]On Behalf Of
> Bill Cole

> >Should I add port 25 blocking to the list of rules?
> 
> No. It's not a BCP, it's a crutch for lazy ISPs. Spam flow is the 
> most obvious sign of compromise to the outside world, and blocking 
> port 25 means that an ISP doesn't have to pay any attention to the 
> fact that customer machines have been enlisted in a zombie army. 
> That's a very bad thing.

The purpose of the great wall of China was not to stop the barbarians
getting in, the idea was to stop them getting out with their loot.

As I wrote in the C-Net article, I believe that there is much that can 
be done to render zombie machines much less useful to hackers by
using a reverse firewall. One of the motives behind this was to try
to provide an alternative to port 25 blocking.


I think that a BCP on ISP network management should make effective 
control of port 25 one recommendation. The ideal form of this control
would be some form of rate limiting scheme so that it was possible 
to send small volumes of mail, but not large. This could be implemented
at the cable/DSL modem end or in the ISP network by means of 
monitoring and shutdown of rogue ports.

Complete blocking of port 25 should be seen as a degenerate, 
sub-optimal form of control which would do nothing to prevent SYN
flooding, DNS flooding or spoofed source address IP packets. 
Blocking at the router does not allow effective control in these
areas. Egress filtering can provide some control but not as much 
as is desirable and cannot provide protection inside the network.



_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
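
The rate-limiting control described in the message above (small volumes of mail pass, large volumes do not, rogue ports get shut down), sketched as an added example that is not part of the original post. The class name, thresholds and flow-record format are assumptions chosen for illustration, and the sample traffic is constructed.

```python
from collections import defaultdict

# Assumed policy values (not from the post): each subscriber may burst up to
# BURST outbound SMTP connections and earns REFILL_PER_SEC tokens per second.
BURST = 10
REFILL_PER_SEC = 1 / 60    # sustained rate: one new connection per minute
STRIKES_TO_SHUTDOWN = 20   # denied attempts before the port is shut down

class Port25Limiter:
    """Per-subscriber token bucket for outbound TCP/25 connection attempts."""
    def __init__(self):
        self.tokens = defaultdict(lambda: float(BURST))
        self.last_seen = {}
        self.denied = defaultdict(int)
        self.shutdown = set()

    def observe(self, ts, subscriber, dst_port):
        """Return 'pass', 'drop' or 'shutdown' for one new outbound connection."""
        if dst_port != 25:
            return "pass"                  # only port 25 is controlled here
        if subscriber in self.shutdown:
            return "shutdown"
        # Refill for the time elapsed since this subscriber's last attempt.
        elapsed = ts - self.last_seen.get(subscriber, ts)
        self.last_seen[subscriber] = ts
        self.tokens[subscriber] = min(
            BURST, self.tokens[subscriber] + elapsed * REFILL_PER_SEC)
        if self.tokens[subscriber] >= 1:
            self.tokens[subscriber] -= 1
            return "pass"
        self.denied[subscriber] += 1
        if self.denied[subscriber] >= STRIKES_TO_SHUTDOWN:
            self.shutdown.add(subscriber)  # rogue port: hand off to the operator
            return "shutdown"
        return "drop"

def run(flows):
    """Replay (timestamp, subscriber, dst_port) records; count verdicts per subscriber."""
    limiter = Port25Limiter()
    counts = defaultdict(lambda: defaultdict(int))
    for ts, sub, port in flows:
        counts[sub][limiter.observe(ts, sub, port)] += 1
    return {s: dict(v) for s, v in counts.items()}, limiter.shutdown

# Constructed sample: cust-a sends 3 mails over several minutes,
# cust-b opens 5 SMTP connections per second for one minute.
SAMPLE = [(t * 200.0, "cust-a", 25) for t in range(3)]
SAMPLE += [(i * 0.2, "cust-b", 25) for i in range(300)]
SAMPLE.sort()
```

The shutdown set is what an operator would act on: it identifies the subscriber whose machine needs attention, which plain blocking of port 25 would hide.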