[37802] in North American Network Operators' Group
Re: Stealth Blocking
daemon@ATHENA.MIT.EDU (Dave Rand)
Thu May 24 13:33:23 2001
Message-Id: <m152yj0-0000ZNC@daver.bungi.com>
From: dlr@bungi.com (Dave Rand)
Date: Thu, 24 May 2001 10:16:36 PDT
In-Reply-To: "Eric A. Hall"'s message on May 24, 9:46.
To: "Eric A. Hall" <ehall@ehsco.com>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
[In the message entitled "Re: Stealth Blocking" on May 24, 9:46, "Eric A. Hall" writes:]
>
> Returning to operational traffic:
>
> > One thing that I think *will* help, particularly in the short term, is
> > port 25 blocking of dialup ports. It's my personal opinion that this
> > will have the greatest impact on spammers who abuse open relays. I've
> > watched this happen over the last few months, as various large networks
> > have secured their dialup ports. It's impressive.
>
> TCP rate-limiting on outbound traffic to *:25 would also be extremely
> effective, particularly on unclassified customer traffic, and without the
> heavy-handed nature of denying all dial-up traffic. Rate-limiting doesn't
> interfere with low-volume legitimate mail, but it really cramps spam.
>
I'm not sure how effective rate limiting will be. Many spammers send one
copy of the spam to an open relay, but use many (2 to 50) recipients.
I'm unaware of a product that could limit (say) based on the number of
connections from a given dialup port. Also, based on several providers'
information, one dialup account is being used by several, or many,
spammers' machines at the same time, so even a per-IP port limit
wouldn't have as much effect as you might think.

One other way to do this might be to do port 25 blocking on new customers,
but allow customers to get unblocked on request after they have been around
a while... Isn't that the approach that AT&T used, to great success?

It's also interesting to note that at least one dialup reseller actively
markets to spammers, and attempts to negotiate unblocked dialups with the
various providers.
--