Interesting People mailing list archives
Re: My [Phil Karn] position on Comcastidiocy
From: David Farber <dave () farber net>
Date: Mon, 21 Jan 2008 17:00:37 -0800
________________________________________
From: Phil Pennock [pdp () spodhuis org]
Sent: Monday, January 21, 2008 6:02 PM
To: Suresh Ramasubramanian
Cc: Phil Karn; David Farber
Subject: Re: FW: [IP] My [Phil Karn] position on Comcastidiocy

[ Other original recipient moved to Bcc in reply ]

On 2008-01-21 at 16:56 +0530, Suresh Ramasubramanian wrote:
> Either of you want to pound a bit of sense into Phil Karn be my guest
Sorry Suresh, but my views on this topic are far closer to Phil Karn's than they are to yours.

I worked for an ISP that sold static-IP Internet service, which meant that we provided TCP/IP and would only block that for abuse; many of our customers were small businesses who explicitly wanted to run their own email. I wanted some port filtering _options_, so that we could have a filtered/unfiltered status for accounts, start all accounts off in "filtered" and let customers freely set their account to "unfiltered" because that's what they were paying for. "Filtered" would block ports 25, 135, etc. The network engineer didn't like it, despite the fact that the ingress kit was designed to do this at line rate.

At Demon NL a couple of years ago (before being sold and shut down), we were successfully using http://www.quarantainenet.nl/ (Dutch language), which uses the traffic sniffing kit we were already legally obliged to have to be permitted to run an ISP (the Dutch are into lawful intercepts in a big way). This let us detect various forms of abuse on the wire and autoblock. If memory serves, it fed addresses back into the ingress routers or routers adjacent to those, so that the customer is contained at an IP routing level to where they can only reach pre-approved sites such as OS patch sites, anti-malware sites, etc., and other customers near them. The user has access to a web-page button saying "I've cleaned up" and they have a low finite number of times that they can use that to get themselves out of quarantine before having to talk to Abuse.

It's not quite what I'd been asking for a couple of years before we bought it; I tend to be a perfectionist and had been wanting to be able to get the "quarantined" state fed back into the ATM side of things to change where the customer's PVC linked in, so that they would truly be on a different network, but nobody seemed to support doing that. The quarantainenet solution is not perfect but it's easily good enough. And besides, the DSL partners have moved away from ATM before offering ADSL2+ anyway, so my perfectionist approach would have been a dead end. :^/

Before that, we were manually blocking customers on abuse reports or our ad-hoc detection. We always took the approach with customers that if your machine wasn't under your control and was sending out malware or spam, then your machine did not belong on the network until it was back under your control. The Dutch cultural attitude places more emphasis on social responsibility than is found in some other English-speaking nations, so there was never any serious outcry about this. We possibly lost a few customers, but since they were the ones who got upset at being cut off for sending out garbage, those would be the customers who cost us more in support and abuse staffing than they paid us, so not really a loss.

I like the PBL run by spamhaus.org, which lets an ISP list its customer netblocks and lets those customers punch holes in the listing for their own netblocks. I hope that the number of such clued xBLs doesn't grow to the point where it's unreasonable to ask technical customers to just register their systems. A good way to tell clueful ISPs could be to look to see if they auto-update the PBL for their customers when the customer says "yes, I am knowingly using this pipe for email, please give me the pipe I am paying for, I accept the responsibility".

I don't like just blocking port 25, since that will just move the spammers to using the MAPI interfaces (so authenticated, etc.) and just shift the problem around. Once the few biggest US ISPs block port 25 outbound, it will be easily less than a month before the spam volume is back up, worse than ever as per-IP reputation scoring takes a nose-dive. However, there are enough people demanding port 25 blocking that an ISP's reputation begins to suffer without it, and I would, reluctantly, include it in the list of ports filtered by default.

The worst problems for us were never the spammers who pumped large amounts of traffic through as fast as possible. It was the spammers who maintained farms of machines and trickled less than 30 mails a day through any given compromised machine, going out via the ISP smarthosts; if I swept through the mail queues looking for accumulated undelivered mail per originating IP and detected compromised machines that way, then we would get severely joe-jobbed for a couple of weeks afterwards in retaliation. And this was back, oh, 2004, 2005 timeframe?

Port 25 blocking inbound as default was a nice idea back before malware evolved to the point where finding/enabling an open relay was the spammer's goal. Port 25 blocking outbound is a crude hack which is a poor tactic and abysmal strategy. It only works today because it's not widely used and so many spammers haven't bothered to work around it. Sorry Suresh, but given the network connectivity between India and spammers' main markets, writing around your state-of-the-art filters just isn't going to be high on the priority list for people whose business model is based on low-hanging fruit.

Frankly, whilst port filtering _by_default_ of SMTP, NetBIOS, etc. was a decent idea for clueful ISPs, looking at the world today I think that it's only appropriate where there is real market competition. Where there's an effective monopoly/duopoly, I'm more scared by the precedent it sets for arbitrarily redefining Internet access and allowing the monopolies to extort money out of people to get back Internet access, instead of "enough of the 'net that most people won't notice the difference and won't realise what they're missing out on".

EOBRAINDUMP
-Phil
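Two mechanisms in the message above lend themselves to a small worked model: the smarthost mail-queue sweep that flags a customer IP by the undelivered mail accumulating behind it (the detection method Phil describes using against trickle-spamming compromised hosts), and the quarantine state with a finite number of "I've cleaned up" self-releases and a pre-approved destination list. The code below is an added illustration, not Phil's or quarantainenet's software. The queue snapshot, the thresholds (an absolute undelivered count plus an undelivered ratio, the ratio being my own addition so that a busy legitimate sender with one dead remote is not flagged), the destination allowlist and the release limit are all constructed assumptions.

```python
"""Added example (not from the original message): per-originating-IP
undelivered-mail sweep plus a quarantine record with a finite number of
customer self-releases. All sample data and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# A queue entry is (queue_id, originating_ip, status). "bounced" and
# "deferred" are the undelivered states a sweep looks for; "delivered"
# entries model the accepted mail that a legitimate sender also produces.
UNDELIVERED = {"bounced", "deferred"}


def _make_entries(ip, n, status):
    """Helper to build n constructed queue entries for one originating IP."""
    return [(f"{ip}-{status}-{i}", ip, status) for i in range(n)]


# Constructed smarthost queue snapshot (assumption, TEST-NET-1 addresses):
#   192.0.2.10  trickle pattern: mostly bounces, few deliveries
#   192.0.2.20  normal customer: a couple of deferrals behind a dead remote
#   192.0.2.30  all bounces, but too few to act on yet
QUEUE_SNAPSHOT = (
    _make_entries("192.0.2.10", 24, "bounced")
    + _make_entries("192.0.2.10", 3, "delivered")
    + _make_entries("192.0.2.20", 2, "deferred")
    + _make_entries("192.0.2.20", 40, "delivered")
    + _make_entries("192.0.2.30", 6, "bounced")
)


def sweep_queue(entries, min_undelivered=20, min_ratio=0.5):
    """Return originating IPs whose accumulated undelivered mail exceeds both
    an absolute count and a fraction of everything they sent (thresholds are
    constructed; the ratio guard is an assumption, not the original method)."""
    totals = defaultdict(int)
    undelivered = defaultdict(int)
    for _qid, ip, status in entries:
        totals[ip] += 1
        if status in UNDELIVERED:
            undelivered[ip] += 1
    flagged = [
        ip for ip in totals
        if undelivered[ip] >= min_undelivered
        and undelivered[ip] / totals[ip] >= min_ratio
    ]
    return sorted(flagged)


# Destinations a quarantined customer may still reach (constructed names
# standing in for the OS patch and anti-malware sites mentioned above).
ALLOWED_WHILE_QUARANTINED = {"patches.example.com", "antimalware.example.com"}


@dataclass
class Quarantine:
    """Quarantine record for one customer IP. The customer may release
    themselves a small, finite number of times; after that only Abuse can."""
    ip: str
    max_self_releases: int = 3
    self_releases_used: int = 0
    active: bool = True

    def self_release(self) -> str:
        """Model the 'I've cleaned up' web button."""
        if not self.active:
            return "not-quarantined"
        if self.self_releases_used >= self.max_self_releases:
            return "contact-abuse"      # budget exhausted: human in the loop
        self.self_releases_used += 1
        self.active = False
        return "released"

    def requarantine(self) -> None:
        """Re-apply containment when the host is detected abusing again;
        the self-release counter deliberately does not reset."""
        self.active = True


def permitted(q: Quarantine, dest_host: str) -> bool:
    """Routing-level containment: a quarantined IP reaches only the allowlist."""
    return (not q.active) or dest_host in ALLOWED_WHILE_QUARANTINED


if __name__ == "__main__":
    for ip in sweep_queue(QUEUE_SNAPSHOT):
        q = Quarantine(ip, max_self_releases=2)
        print(ip, "quarantined; patch site reachable:",
              permitted(q, "patches.example.com"))
```

Running the module flags only 192.0.2.10: 192.0.2.20 has two deferrals against forty deliveries, and 192.0.2.30 is all bounces but below the absolute threshold, so it would only surface on a later sweep if the pattern continued. Because the self-release counter survives re-quarantine, the second relapse of a customer given two self-releases ends in "contact-abuse", which is the point at which the message says the customer has to talk to Abuse.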