nanog mailing list archives

Re: ISP port blocking practice


From: Jon Lewis <jlewis () lewis org>
Date: Sun, 5 Sep 2010 21:18:54 -0400 (EDT)

On Sun, 5 Sep 2010, Claudio Lapidus wrote:

If I block port 25 on my network, no spam will originate from it.
(probably) The spammers will move on to a network that doesn't block their
crap.  As long as there are such open networks, spam will be rampant.  If,
overnight, every network filtered port 25, spam would all but disappear.
 But spam would not completely disappear -- it would just be coming from
known mailservers :-)  thus enters outbound scanning and the frustrated user
complaints from poorly tuned systems...

That probably won't be the case. Here recently we conducted a rather
comprehensive analysis on DNS activity from subscribers, and we've
found that in IP ranges that already have outgoing 25 blocked we were
still getting complaints about originating spam. It turned out that
the bots also know how to send through webmail, so port 25 blocking
is rendered ineffective there.

Anti-spam is a never ending arms race. Originally, the default config for most SMTP servers was to relay for anyone. 10 years ago, sending spam through open SMTP relays was quite common. Eventually, the default changed, nearly all SMTP relays now restrict access by either client IP or password authentication, and the spammers adapted to open proxies. Today, nobody in their right mind sets up an open HTTP proxy, because if they do, it'll be found and abused by spammers in no time. These too have mostly been eliminated, so the spammers had to adapt again, this time to botted end user systems.

Getting rid of the vast majority of open relays and open proxies didn't solve the spam problem, but there'd be more ways to send spam if those methods were still generally available. The idea that doing away with open relays and proxies was ineffective, so we may as well not have done it and should go back to deploying open relays and open proxies, is silly.

With all the different webmail systems, it seems unlikely to me (though I definitely wouldn't say impossible) that bots are spamming through your webmail (unless you work for gmail, hotmail, etc. and are an attractive enough target that it made sense to code a bot to automate utilizing your webmail interface). Bots being used as proxies seems far more likely to me for the general case of "bots" spamming through an ISP's webmail.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
