Philipp Morger wrote:
> On Thu, Dec 02, 2004 at 19:31:08 +0100, Andre Oppermann wrote:
> > Have a look at what I wrote on NANOG. It applies perfectly well to
> > Switzerland too.
> >
> > If all ISPs in Switzerland (or at least the large ones) would put MTAMARK
> > (default) records into their reverse zones we would have solved the entire
> > SMTP zombie problem.
> >
> > What do you think?
> >
> > You would put in a global wildcard that says no SMTP sender here. Only
> > for those boxes being legitimate SMTP to outside senders you'd put in a
> > more specific record as shown above. You probably have to enter some dozen
> > to one hundred servers this way. Sure your reverse zone scripts need some
> > changes but it's only two or three lines.
>
> Well, the only difference between this solution and a port-filter is
> that the remote site can decide if it wants to accept the client - which
> is a good thing!

Yes, and it allows people to send mail through other mailservers with
SMTP-AUTH etc. SMTP doesn't have to be blocked by the ISP nor transparently
redirected through their own SMTP servers.

> I'm about to list all the types of IPs I would mark as valid senders
> - static IP customers (leased lines and ADSL with static IPs)
> - Our mailservers (primary and backup)

I would mark static IP customers only if they are running their own SMTP
servers. Also for them the default policy is no SMTP. Updating that if a
customer indeed wants SMTP is a matter of seconds.

> That eliminates all the printers, routers, and other gadgets with an IP
> stack that don't send mail - it boils our /19 down to say 100 hosts. So
> far so good!

This is an 80:1 ratio, or 1.2% instead of 100%.

> But I don't see how this will stop SMTP zombies, those thousands of
> other IPs in our network never had and never will send you any mail and
> IP spoofing is rather out of the question in this case.

It doesn't stop the zombies as such. You can do that only by cleaning the
PCs. But it makes them highly ineffective for spamming the world. When you
look at how spammers cooperate with backdoor and virus makers you come to
realize that this is the only way of getting the SPAM out. The RBLs have
been pretty effective for static IPs and once you have spammed for a couple
of hours through one host it's burned and you can't use it again for a long
time. Thus spammers have realized that the cost and effort are too high and
have moved to less costly and easier things, malware.

> If one of our leased line customers gets the newest worm he'll still
> bang your MTA with it, if you are lucky he uses our primary MX where the
> messages get silently discarded.... but most of our customers don't use
> our MTA if they have a static IP.

You should only mark one or two of the customer's static IPs for SMTP. That
way all their other static IPs can only send through their SMTP server.

Sure the SMTP TCP connections make it to my mailserver but that is OK with
me. I can reject them with very little effort. Certainly less effort than it
takes me today for the random stuff that is coming in all the time.

There is another positive side-effect of MTAMARK. If a legitimate MTA is
hijacked or relaying high amounts of junk (malware, spam, etc.) it can easily
and effectively be blacklisted by the RBLs.

> IMHO MTAMARK hasn't helped you a bit in this scenario - IIRC Spamhaus
> has an RBL for worm/virii senders, which seems to me a rather better
> solution.

As I said this goes hand in hand. You'll never be able to stop virii from
being sent through email. MTAMARK helps you cut down the number of possible
sources and makes blocking them easy through other means, like RBLs.

> The real problem I see in the long run is that you can't decide what to
> do based on the IP. Assume a "big" ISP is forcing their users to use
> his MTA - this MTA conforms to any RFC you can think of, it would even
> have an MTAMARK. Maybe even SPF, but lousily implemented. What do you do
> if you receive massive junk from there, blocking a major ISP of
> Switzerland? You end up finding some nice filtering technique (so you
> read all the crap mails, try to find some pattern, hoping it would not
> filter any legitimate mails) OR sending abuse@ a nice complaint and hope
> something changes. Well, then nothing has changed vs. today.

No, something has changed, you don't get spammed directly through zombies on
his huge network. But chances are pretty high that this is not happening.
For example other ISPs outside of Switzerland don't care and blacklist him
anyway and that way he is eventually forced to clean up his thing.

> My experience is that people start running when they get listed in
> SpamCop - AFAIK some "big" ISPs use this list, so you notice rather
> quickly when you got listed - but I'm not sure if SpamCop also
> whitelists the "big" ones which would be rather sad.

It's a matter of ratios.

> IMHO the best thing would be if you would know that the sender is not
> faked, that he/she was verified by the sending host - so you could block
> the offending sender. SPF does exactly that, the only thing left is
> "local forgery" - but that is rather a problem that has to be solved by
> the remote ISP that did no or weak ASMTP.

MTAMARK and SPF solve two entirely different problems as I said in my
original post. SPF doesn't solve the SPAM problem at all. It only prevents
the forging of sender domains at the expense of some other complications for
pure hosting ISPs, roaming users and hacking to make forwarding work again.

MTAMARK solves the zombie army problem without any special side-effects plus
it makes the SPAM problem much more manageable with RBLs. In addition it has
to mark only valid SMTP servers, of which we have way less than hosts in
Switzerland. And maintaining the SMTP status of a host is in the hands of
the ISP, not the domain owner.

It's a simple numbers game, one million vs. a couple of thousand. In October
2002 there were 310k active domains in the .CH zone but only 31k unique
MTAs. That's 10%. If you put this number into perspective with the number of
allocated IPs in Switzerland at that time (hard to tell but I guess) 900k
you get IP/MTA of 3.4%. This way we would have prevented 96.6% of all IPs in
Switzerland from spewing out junk with a workload of 31k entries for
MTAMARK. For SPF you would have invested 310k entries plus the hassles of
dealing with customers on the road and doing forwarding.

MTAMARK is a good thing and solves a large problem set without any side
effects.

-- 
Andre

_______________________________________________
swinog mailing list
[EMAIL PROTECTED]
http://lists.init7.net/cgi-bin/mailman/listinfo/swinog
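To make the reverse-zone scheme discussed in this thread concrete, here is an added example (my own illustration, not code from the thread or from any MTAMARK implementation): a constructed reverse zone for 192.0.2.0/24 with the wildcard "no SMTP sender here" default and a few specific records for real MTAs, plus the decision a receiving mailserver takes per connecting IP. It assumes the `_send._smtp._srv` record label as I recall it from the MTAMARK draft and uses a simplified in-memory wildcard lookup rather than a real resolver.

```python
import ipaddress

# Per-IP record label from the MTAMARK draft (assumption: from memory of
# the draft, not from the thread). TXT "1" = may send SMTP, "0" = may not.
TAG = "_send._smtp._srv"

# Constructed reverse zone for 192.0.2.0/24, laid out as Andre describes:
# a wildcard default of "0" plus a few specific "1" records for real MTAs.
ZONE = {
    "*.2.0.192.in-addr.arpa": "0",           # ISP-wide default: not an MTA
    TAG + ".25.2.0.192.in-addr.arpa": "1",   # primary MX
    TAG + ".26.2.0.192.in-addr.arpa": "1",   # backup MX
    TAG + ".130.2.0.192.in-addr.arpa": "1",  # a static-IP customer's own MTA
}

def mtamark_name(ip: str) -> str:
    """Reverse the octets of an IPv4 address into the MTAMARK query name."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return TAG + "." + ".".join(reversed(octets)) + ".in-addr.arpa"

def lookup_txt(zone: dict, name: str):
    """In-memory stand-in for a TXT query: exact name, then wider '*'
    wildcards. Simplified: ignores the RFC 4592 rule that a wildcard does
    not cover names below an existing node (e.g. an IP that has a PTR)."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None

def mtamark_policy(zone: dict, ip: str) -> str:
    """Decision the receiving MTA takes when `ip` connects on port 25."""
    value = lookup_txt(zone, mtamark_name(ip))
    if value == "1":
        return "accept"   # marked as a legitimate outbound MTA
    if value == "0":
        return "reject"   # ISP says this address never sends mail directly
    return "unknown"      # no record: fall back to RBLs and other checks

def count_policies(zone: dict, cidr: str) -> dict:
    """How much of a prefix the default covers (Andre's 'numbers game')."""
    counts = {"accept": 0, "reject": 0, "unknown": 0}
    for host in ipaddress.ip_network(cidr).hosts():
        counts[mtamark_policy(zone, str(host))] += 1
    return counts
```

Three specific records cover the whole /24; every other address in it is rejected by the wildcard, while an address outside the zone gets no answer and falls through to the receiver's other checks.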
