[51374] in North American Network Operators' Group
RE: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)
daemon@ATHENA.MIT.EDU (Jeroen Massar)
Mon Aug 26 15:43:53 2002
From: "Jeroen Massar" <jeroen@unfix.org>
To: <Valdis.Kletnieks@vt.edu>
Cc: <nanog@merit.edu>
Date: Mon, 26 Aug 2002 21:43:07 +0200
In-Reply-To: <200208261927.g7QJR57P007818@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu
Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] wrote:
> On Mon, 26 Aug 2002 21:12:40 +0200, Jeroen Massar <jeroen@unfix.org> said:
> > IMHO, Paul's idea is quite a good one, but all servers will need to be
> > upgraded, and all dns entries installed.
>
> Given the number of providers who seem to think ingress and/or rfc1918
> filtering shouldn't be done, what makes you think that "all servers"
> will be upgraded to support THIS proposal?
Read my sentence again, because I really won't see everybody install/use it.
One can also simply see this from the problems related to installing security updates.
Some 'companies' and individuals are simply too sleazy/lousy or whatever to do it.
And thus open spam relays will be kept alive, which is why there are RBLs.
This will only help a bit, and tools like SpamAssassin/Razor will keep a
load of stuff off your servers.
But unfortunately one will never be able to block it all.
> (If you don't want to re-start the RFC1918 war, feel free to
> substitute ANY OTHER thing that most people think is a Good Thing, but we've
> seen some sizable minority not deploy for reasons they consider
> perfectly valid).
8<-----------
# RULE (the iptables wrapper), IF (the filtered interface) and the LDROP
# chain (presumably log-then-drop) are defined elsewhere in the script.
RESERVED="0.0.0.0/7 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 23.0.0.0/8 27.0.0.0/8 \
          31.0.0.0/8 72.0.0.0/5 96.0.0.0/3 \
          128.66.0.0/16 191.255.0.0/16 \
          197.0.0.0/8 201.0.0.0/8 224.0.0.0/3 240.0.0.0/8"
MISC="127.0.0.0/8 128.0.0.0/16 169.254.0.0/16"
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Setup block against reserved, rfc1918 and other nets
for i in ${RESERVED} ${MISC} ${RFC1918}; do
    RULE -A INPUT  -i ${IF} -s ${i} -j LDROP   # inbound packets claiming such a source
    RULE -A OUTPUT -o ${IF} -d ${i} -j LDROP   # outbound packets to such a destination
done
---------->8
In the filtering language you want, and yes, one sees a load of crap in
your logs...
There is a way of making people apply rules though: depeer/disconnect/...
Unfortunately one can't easily do that to a party far far away, thus one
blocks at their end (SpamAssassin/Razor and IP based rules)..
Making it harder to get into your house is better than putting the doors
wide open...
Every bit helps...
Greets,
Jeroen
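The filter loop posted above, reimplemented as an added Python example (this is not code from the post or from its author). It applies the three posted address lists the way the iptables loop does, INPUT matched on the source address and OUTPUT on the destination, to constructed sample packets, and adds a staleness check: the RESERVED list reflects IANA allocations as of 2002, and several of those /8s (1/8, 5/8, 23/8, 27/8, 31/8, 72-79/8, 96-127/8, 197/8, 201/8) have since been handed to RIRs, so applying that list unchanged today drops legitimate traffic. The ALLOCATED_SINCE_2002 list is a deliberately incomplete constructed sample; a real audit would pull the current IANA IPv4 address space registry. The names verdict, match and stale_entries are this example's own.

```python
"""Re-implementation of the posted bogon/RFC1918 filter loop in Python.

Added example, not code from the post: mirrors the posted iptables loop
(INPUT checks -s, OUTPUT checks -d) over constructed sample packets, and
flags prefixes in the 2002 RESERVED list that overlap space allocated since.
"""
import ipaddress

# The three address lists exactly as posted in August 2002.
RESERVED = ("0.0.0.0/7 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 23.0.0.0/8 27.0.0.0/8 "
            "31.0.0.0/8 72.0.0.0/5 96.0.0.0/3 128.66.0.0/16 191.255.0.0/16 "
            "197.0.0.0/8 201.0.0.0/8 224.0.0.0/3 240.0.0.0/8")
MISC = "127.0.0.0/8 128.0.0.0/16 169.254.0.0/16"
RFC1918 = "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Constructed, deliberately incomplete sample of /8s that IANA allocated to
# RIRs after this post was written (72/8 in 2004, 96/8 in 2006, 1/8 and
# 23/8 in 2010). A real audit pulls the current IANA registry instead.
ALLOCATED_SINCE_2002 = "1.0.0.0/8 23.0.0.0/8 72.0.0.0/8 96.0.0.0/8"


def parse_prefixes(*lists):
    """Split whitespace-separated prefix lists into IPv4Network objects."""
    return [ipaddress.ip_network(tok) for lst in lists for tok in lst.split()]


BLOCKED = parse_prefixes(RESERVED, MISC, RFC1918)


def match(addr, nets=BLOCKED):
    """Return the first blocked prefix containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip in net:
            return net
    return None


def verdict(chain, src, dst, nets=BLOCKED):
    """Apply the posted rules: INPUT matches on source, OUTPUT on destination."""
    if chain == "INPUT":
        hit = match(src, nets)
    elif chain == "OUTPUT":
        hit = match(dst, nets)
    else:
        raise ValueError("chain must be INPUT or OUTPUT")
    return "LDROP" if hit is not None else "ACCEPT"


def stale_entries(blocked, allocated):
    """Blocked prefixes that overlap now-allocated space; left in place,
    they drop legitimate traffic. Note the posted 0.0.0.0/7 also sweeps
    in all of 1.0.0.0/8, so it shows up here as well."""
    alloc = parse_prefixes(allocated)
    return [str(b) for b in blocked if any(b.overlaps(a) for a in alloc)]


if __name__ == "__main__":
    # Constructed sample packets: (chain, src, dst)
    packets = [
        ("INPUT", "10.1.2.3", "203.0.113.5"),      # spoofed RFC1918 source
        ("INPUT", "203.0.113.5", "10.1.2.3"),      # only src is checked on INPUT
        ("OUTPUT", "203.0.113.5", "192.168.0.9"),  # leaking to private space
        ("INPUT", "72.14.0.1", "203.0.113.5"),     # bogon in 2002, allocated today
    ]
    for chain, src, dst in packets:
        print(f"{chain:6} {src:>15} -> {dst:<15} {verdict(chain, src, dst)}")
    print("stale RESERVED entries:", stale_entries(BLOCKED, ALLOCATED_SINCE_2002))
```

The fourth sample packet is the practical point: a static bogon list is only as good as its last refresh, so a list copied from a 2002 script needs to be regenerated from the current registry (or replaced by a maintained bogon feed) before it goes into a live ruleset.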