Ian Mitchell wrote:

> Personally, I'm highly opposed to blocking outbound port 25. There are
> some of us who don't have the resources to run a domain on a business
> class line. Second off, there are those of us who take security very
> seriously and work hard to ensure our micro domains don't become zombies.
> And third, one could use the argument that we should use hosting services.
> But I did use a hosting service when I first got started. And when I
> attempted to use Frontpage to modify my website one day, I realized that
> none of the 14,000 websites hosted by the provider were password
> protected. I can do better than that on my home PC.

I am opposed to blocking ANYTHING as well - but what can be done? The problem is MS at this point. The FTC really needs to start making them accountable for the crap they are putting out in the public domain. I'm not sure quite how to make a legal standing out of this...but I'm definitely not one for going after gun-makers when bad people use 'em to shoot good people.

On another note, I cancelled SBC because they started blocking protocol 50 packets for my VPN. And I was on a static IP package which isn't supposed to have ANY filtering. We finally determined they changed something on their PPPoE servers that fudged my configuration that had been working perfectly for 13 months. Their answer? Buy a new modem. (like it was now my problem when they figured out the problem was at their end)

My point being: I'm seeing this disturbing trend that can best be described as:

We (the ISPs) can't manage/run/maintain our networks for our everyday customers. So let's stick it to the folks who need more by offering "business class" service which will help pay for the people who are smarter than monkeys we have running the system now.

What "resources" do you need to run a domain on a business class line other than maybe one "slow" (by today's standards) linux box? Or are you talking about the screw'em factor the ISPs are engaging in now for "business class" service?


> So by cutting our port 25, we are now forced to limit which domains we can
> send email to. I have to add special rules to those specific domains that
> choose to deny my emails to forward through my ISP's MTA. The point of
> running an MTA is so you don't have to do that.

I'm one of those domains. I get hammered by Comcast, Verizon, SBC and others. I hate the concept of blocking port 25 too! (I was recently in St. Louis using the hotel's free wireless only that they block p:25 too. So I switched to 587 since I'm using an MSA anyway... but still, what's the point of advertising "internet access" when it really only means selected ports.)

I know one person who not only MTA's from behind an ISP with known spam problems, but he's tried to use a DynDNS provider who can't keep their secondaries in sync... what am I supposed to do with that??


> Only if the email presents itself as being from that domain, if someone's
> running a domain on an IP of that ISP, then that domain should have an SPF
> record that SHOULD allow the emails to go through. I advertise a hard SPF
> record for my domain, I allow email to only come from my IP. Unfortunately
> due to the rules that I have to set up for certain ISPs that limit port
> 25, I have to allow my ISP to act as a relay in the SPF record as well.
> Not my most ideal solution. But it's that kind of backwardness you get
> when people start breaking things ;)

Ok - again. We're talking about monkeys working for companies that want to charge an extra fee per month just to have a "custom" PTR record in DNS! Set once, charge many.

As long as the current model for SMTP exists, spam will exist.

> I visited a security seminar just a few weeks ago and they demo'd a
> product that would probably be pretty decent to look at for any ISP that's
> looking to set up an automatic quarantine mechanism. It's called ForeScout
> and the way it works is it monitors for very specific attack signatures
> (NMAP scan) and once it detects it, it launches its own man in the middle
> attack. For the asset being protected, it sends RST packets to all
> outbound connections associated with the attack. For assets doing the
> attacking, it creates a honeynet and records all the traffic for forensic
> analysis later on. Definitely a pretty decent tool, and it can definitely
> assist in shutting down zombies.

And just think - all thanks to MS (well, mostly anyway).




 -Ben
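The SPF trade-off quoted in this message (a hard record that allows only the poster's own IP, versus one that also has to admit the ISP's relay because port 25 is blocked) can be seen by evaluating both records against candidate sender addresses. The following is an added example, not code from the thread or from MIMEDefang; it is a deliberately reduced SPF evaluator (only `ip4`, `include` and `all`, no DNS), and the domain names, addresses and TXT records are constructed stand-ins.

```python
import ipaddress

# Constructed TXT data standing in for DNS lookups (assumption: no network access).
# home-only.example.net: the "hard" record, only the poster's own IP may send.
# with-isp.example.net: the same record with the ISP's relay range included,
# the compromise the poster has to make when outbound port 25 is blocked.
SPF_RECORDS = {
    "home-only.example.net": "v=spf1 ip4:203.0.113.10 -all",
    "with-isp.example.net": "v=spf1 ip4:203.0.113.10 include:isp.example -all",
    "isp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate a reduced SPF record (ip4, include, all) for sender_ip.

    Returns one of pass, fail, softfail, neutral, none or permerror,
    following the RFC 7208 result names; unknown mechanisms are skipped.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                   # no SPF record published for the domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # mechanisms default to "+" (pass)
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == 4 and ip in net:
                return RESULT[qualifier]
        elif name == "include":
            # include only matches when the referenced record itself passes
            if check_spf(arg, sender_ip, records, depth + 1) == "pass":
                return RESULT[qualifier]
        elif name == "all":
            return RESULT[qualifier]
    return "neutral"                    # fell off the end without a match
```

With the hard record, mail relayed through the ISP's 198.51.100.0/24 range fails; with the widened record it passes, which is exactly the loss of precision the poster is complaining about.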


_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang