Interesting People mailing list archives

Re: a proposal --the idiots at comcast suddenly started


From: David Farber <dave () farber net>
Date: Fri, 18 Jan 2008 00:31:16 -0800


________________________________________
From: Andrew Burnette [acb () acb net]
Sent: Friday, January 18, 2008 2:28 AM
To: David Farber
Subject: Re: [IP] a proposal --the idiots at comcast suddenly started

Dave,

Of course, all more expensive than a port block.  Even Comcast's own
mail servers fall under the "mail.domainname.com" attack of numerous
bots. (many simply attempt to connect to mail.xyz.com, where xyz.com is
the local domain name in DNS. Remove that name from your DNS records and
you'll cut problems a lot).

Or should they simply lock down all bots on their network? No, as that
would make them the responsible customer care to lead the unwashed
masses of infected windows users through a series of disinfection
programs and sequences. No fun, not to mention, expensive. Customer care
is more expensive than delivering the bandwidth in many networks,
particularly in bulk consumer products.

Comcast's address space belongs in black hole lists. Sorry, but the
noise to signal ratio is far greater than 100:1 coming from those
blocks, along with many other consumer providers.

To wit: my own mail server, no RBL's, 6000-8000 connections and email
delivery attempts each day. 95% of those are 'unwanted garbage' and pin
both memory and cpu at 100% trying to filter out spam for a dozen
domains, on a decent server.

Add the RBL's in, and the number cuts to under 1000 per day. Only 1/2
need significant processing (which in practice is < 10% of the non RBL
solution).

SMTP over SSL/TLS (port 465) and message submission protocol (port 587)
both get past the blocks, and most mail servers support such
configurations, not to mention protect the privacy of the content from
casual intercept. If yours doesn't, pester your aya admin for minimally
better services, as it is often simply a checkbox on a config page.

The math and economics simply don't favor content based filtering, nor
do they mitigate the need to block consumer connections from directly
sending email.

Sorry, but that's the reality.  Due to spam and spam alone, I now run a
dual processor machine, u320 scsi hard drives, and a couple gigs of ram.
Before the onslaught, a single athlon 550 and 256megs of ram handled the
same volume of email.  Cost me a couple grand $$ in hardware to deal
with others' problems. "not fair" as life isn't or so they say.

Good supplemental ways to slow the flow:
1- delay helo of your inbound mailserver to 40 seconds. Most bots give
up at 30 seconds
2- of course, require authentication
3- carefully select your RBL's
4- enable SSL and MSP on your mail server. nearly all MTA's include it,
or can easily integrate the function
5- employ reverse dns lookups. Annoying yes, but it cuts a fair number
of connections
6- block bogons/rfc1918 space and the like from sending email.

Cheers
andy burnette

David Farber wrote:
________________________________________
From: Gordon Peterson [gep2 () terabites com]
Sent: Thursday, January 17, 2008 9:48 PM
To: David Farber
Subject: Re: [IP] the idiots at comcast suddenly started

Of course, their INTENTION is to try to force everybody sending mail to
go through THEIR mail servers, in an attempt to throttle/control spam
transmission (especially the zombie spambot problem).

I agree with you that this kind of garbage is exceedingly annoying.

It would be FAR better to make a better and more effective arrangement
for spam blocking, such that unsolicited/deceptive/unwanted/malicious
E-mail would have a vanishingly small likelihood of ever being read...
to the point where spamming would not be economically attractive to the
perpetrators.

I believe that a fairly simple policy would achieve that... based on a
fine-grained whitelist and default ruleset:

   BY DEFAULT, incoming E-mails would be accepted for further processing
if they:

     1.  Do not use HTML.
     2.  Do not contain attachments.
     3.  Are less than some specified size (25K, 50K, maybe 100K).

   Mail messages passing those criteria would be filtered through a good
antispam content filter (Spam Assassin or similar).  Once HTML and
attachments are removed from the mix, antispam filters can do a very
effective job....!

   Mail recipients could agree to accept more fully-featured E-mail on a
sender-by-sender basis, perhaps including additional sender-based tests
(newsletters that always have a predictable masthead at the top or sig
file at the bottom, for example).

   Eliminating HTML would eliminate active content (ActiveX, scripting),
misrepresented "phishing" links, and other ruses used to evade antispam
content filters.

   Eliminating attachments would eliminate executable attachments,
viruses/worms, text-as-image, and other mail content that is either
dangerous or (also) used to evade antispam content filtering.

   Limiting E-mail size just basically helps prevent having a
recipient's inbox perhaps filled up by someone they don't know.

   ONCE INITIAL E-MAIL CONTACT WITH A GIVEN SENDER HAS BEEN ESTABLISHED,
there would be a fine-grained whitelist at the RECIPIENT end allowing
that sender to send that recipient any kind of mail the recipient agrees
to accept from that sender... presuming that it "looks like" mail from
that sender is expected to look.

   The fact that most recipients would not authorize ANYBODY to send
them executables would virtually eliminate E-mail as a (direct, at
least) propagation vector for viruses, worms, and other malicious
content that typically results in zombie spambot recruitment.
Eliminating clickable links in E-mail from unknown parties would help
prevent "blind" links which look deceptively like a link from their
bank, www.paypal.com or whatever but which actually goes invisibly to
some rogue server in Romania, China, or elsewhere.

Putting a crimp in spambot zombie recruitment, of course, would be a
major step towards making it not look like such a good idea for ISPs to
try things like port 25 blocking.

But I think we need to put a MAJOR crimp in the inherently unwise
(though widespread) perception that anybody can send just anybody e-mail
messages containing (possibly misrepresented) links, active content,
arbitrary attachments, and so forth and expect it to be delivered and
opened.  We will NEVER solve the spam problem until we overcome that
root problem.

David Farber wrote:
to block port 25 in Pittsburgh, No notice and  no reason

Of course I worked around it but DAMN idiots NO NOTICE


-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
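
Added example (not part of the original messages or written by their authors): a sketch of the default ruleset with a per-sender whitelist proposed in Gordon Peterson's message, plus the bogon/RFC 1918 check from item 6 of Andrew Burnette's list. The function names, the 50K limit chosen from the suggested range, the feature labels and the sample messages are assumptions made for illustration.

```python
import ipaddress
from email import message_from_bytes, policy
from email.utils import parseaddr

MAX_DEFAULT_SIZE = 50 * 1024  # assumed; the post suggests 25K, 50K or maybe 100K

def is_bogon(client_ip):
    """Connection-time check: RFC 1918, loopback, link-local, reserved space."""
    return not ipaddress.ip_address(client_ip).is_global

def classify(raw, whitelist):
    """Apply the default ruleset to one raw message.

    whitelist maps a sender address to the features the recipient agreed to
    accept from it: 'html', 'attachments', 'large'. The From header is not
    authenticated, so a real deployment would key this on a verified identity.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    found = set()
    if len(raw) > MAX_DEFAULT_SIZE:
        found.add("large")
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment() or part.get_filename():
            found.add("attachments")
        elif part.get_content_type() == "text/html":
            found.add("html")
        elif part.get_content_maintype() != "text":
            found.add("attachments")  # inline images and other non-text parts
    denied = sorted(found - whitelist.get(sender, set()))
    # Anything left goes on to the content filter (SpamAssassin or similar).
    return ("reject", denied) if denied else ("content-filter", [])

# Constructed sample messages, not real mail.
PLAIN = b"From: alice@example.org\r\nSubject: hi\r\n\r\nLunch on Friday?\r\n"
HTML = (b"From: news@example.net\r\nMIME-Version: 1.0\r\n"
        b"Content-Type: text/html\r\n\r\n<a href='http://x.invalid/'>bank</a>\r\n")
ATTACH = (b"From: bob@example.com\r\nMIME-Version: 1.0\r\n"
          b"Content-Type: multipart/mixed; boundary=B\r\n\r\n"
          b"--B\r\nContent-Type: text/plain\r\n\r\nsee file\r\n"
          b"--B\r\nContent-Type: application/octet-stream\r\n"
          b"Content-Disposition: attachment; filename=a.exe\r\n\r\nMZ\r\n--B--\r\n")

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("html", HTML), ("attach", ATTACH)):
        print(name, classify(raw, {"news@example.net": {"html"}}))
```
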
