Re: [Asrg] BCP suggestion: port-blocking by ISPs
On Sat, Aug 07, 2004 at 12:11:20PM -0400, Bill Cole wrote
> Okay, again I think you are viewing the relation to the non-customer
> world at large. I think that's the wrong point of attack.
>
> > 1) egress filtering of forged source-IP address packets
>
> This should be ingress filtering on customer interfaces instead.
> Watch for RFC1918 traffic hitting your router from the outside and
> consider what it might be from.
Forged source addresses are not always going to be in the RFC1918
spectrum. And I do believe that ISPs have a duty to minimize/stop abuse
in general (not just spam) emanating from their systems.
> However, people DO run Exchange open to the net and ask users (i.e.
> employees) to connect to it from home using their personal commodity
> access and Outlook. Some smaller set of adventurous companies even
> leave file shares open to the net.
ARRRRGH!!! I can understand ssh-tunneling, ssl-tunneling, IPSEC, VPN,
etc. But wide-open shares is stupid. Ditto for direct-connect via
Outlook. Do you realize how many open ports Exchange uses?
> Asking ISPs to block ports is asking them to offend some set of
> customers and perhaps drive them away to ISPs that don't do such
> blocking. That is a hopeless expectation, as none of the larger
> commodity-access ISPs has shown a willingness to risk losing any
> customers for any reason.
Comcast has gotten their act together in the past couple of months...
after being blocked by a significant chunk of the planet. In June and
early July, 24.0.0.0/8 used to have more email delivery attempts blocked
by my rules than the next 5 most active /8's combined. For the first
week of August, it has been the 4th most active /8 in my block logs.
It's not all Comcast in there, but every reduction in spamflow helps.
I've turned off syslogging (from my ADSL modem/router to my Linux
machine) because it was accomplishing nothing except filling up my
logfile with a constant hammering on port 445. If "internet background
radiation" moves up to the level of a DOS, expect egregious sources to
be null-routed as a defensive measure. Then we might start seeing some
outbound blocking similar to port-25-blocking. It's sad that things
have to deteriorate that far before action gets taken.
--
Walter Dnes <waltdnes at waltdnes.org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
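The two checks discussed in this exchange, as an added example that is not part of the original post: flagging RFC1918 sources that arrive on the public interface (the ingress-filtering point) and ranking the /8s and ports behind the port-445 hammering in forwarded router logs. The log format, interface name "wan" and every address in the sample are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall syslog lines in a generic iptables-like layout
# (assumed format, not from any real router); IN=wan marks the public side.
SAMPLE_LOG = """\
Aug  7 12:00:01 router kernel: DROP IN=wan SRC=24.10.5.7 DST=203.0.113.9 PROTO=TCP DPT=445
Aug  7 12:00:02 router kernel: DROP IN=wan SRC=24.10.5.7 DST=203.0.113.9 PROTO=TCP DPT=445
Aug  7 12:00:03 router kernel: DROP IN=wan SRC=24.22.1.9 DST=203.0.113.9 PROTO=TCP DPT=445
Aug  7 12:00:04 router kernel: DROP IN=wan SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=25
Aug  7 12:00:05 router kernel: DROP IN=wan SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP DPT=445
Aug  7 12:00:06 router kernel: DROP IN=wan SRC=198.51.100.4 DST=203.0.113.9 PROTO=TCP DPT=25
Aug  7 12:00:07 router kernel: DROP IN=wan SRC=24.30.7.1 DST=203.0.113.9 PROTO=TCP DPT=139
"""

LINE_RE = re.compile(r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def analyse(log: str, wan_iface: str = "wan"):
    """Return (private sources seen on WAN, hits per /8, hits per destination port)."""
    spoofed, slash8, ports = [], Counter(), Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or m["iface"] != wan_iface:
            continue
        src = m["src"]
        if is_rfc1918(src):
            # A private source on the public interface is forged or misrouted;
            # an upstream ingress filter should have dropped it.
            spoofed.append(src)
            continue
        slash8[src.split(".")[0] + ".0.0.0/8"] += 1
        ports[int(m["dpt"])] += 1
    return spoofed, slash8, ports


def top_slash8(slash8: Counter, n: int = 5):
    """Rank /8s by blocked attempts, the way the post ranks 24.0.0.0/8."""
    return slash8.most_common(n)


if __name__ == "__main__":
    spoofed, slash8, ports = analyse(SAMPLE_LOG)
    print("RFC1918 sources on WAN:", spoofed)
    print("Most active /8s:", top_slash8(slash8))
    print("Most hammered ports:", ports.most_common(3))
```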
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg