nanog mailing list archives
Re: botted hosts
From: Dean Anderson <dean () av8 com>
Date: Mon, 4 Apr 2005 16:12:51 -0400 (EDT)
On Sun, 3 Apr 2005, Dave Rand wrote:
> [In the message entitled "botted hosts" on Apr 3, 19:13, Petri Helenius writes:]
> > I run some summaries about spam-sources by country, AS and containing BGP route. These are from a smallish set of servers whole March aggregated. Percentage indicates incidents out of total. Conclusion is that blocking 25 inbound from a handful of prefixes would stop >10% of spam.
>
> This would be correct. In the bigger perspective, blocking port 25 on all ISP's consumer circuits would currently stop over 99% of the spam. Yes, spammers would adjust to this over time. It is still a great idea to block port 25 by default, and unblock it on customer request.
It would probably stop 99% of ALL email, too. What, your customers don't have email servers? But __you__ have an email server. Unblocking on customer request is an expensive operation, for both the ISP and the customer.
> That means that if just the ISPs that we have identified as having "dynamically assigned" addresses were to install port 25 blocking, more than 1/3 of the spam would vanish.
Err, not likely. SPF came out, and now bots can find the ISPs' "closed relays" with very little trouble at all. (Funny coincidence that SPF should come out just as the open relay blacklists are mostly closing down.) But even without SPF, if it was really made necessary, without doubt abusers would include code to figure out the config files for the roughly 1000+ email clients out there. Or perhaps, bots would start to sniff packets looking for an outgoing SMTP connection by an authorized user. For many years I've told people (but they never seem to listen): __Everyone__ is authorized to send email, and to have relay services, right up until their access is terminated. Bots can use that. Schemes for blocking port 25 assume that bots aren't upgradeable. And they frequently assume that network operations changes are free---Comcast reported that it would cost $58 million to implement port 25 blocking and notify customers, just for Comcast.

On a deeper level, I discovered (it's not at proof level, but probably at 'strong conjecture' level) that results from information theory show that spam cannot be stopped technically. I'll write it up a bit more formally, and post a link. (And I'll see if I can carry it out to a proof.) To summarize, I show that spam is equivalent to a covert/sneaky channel [or rather, "sneaky channel" in the network literature and other names in other areas of literature--e.g. "covert channel" is usually specific to multi-user OS analysis, but the concepts are the same]. Then I show that since one can't prove an information system is free of covert/sneaky channels, it can't be proven free of spam either. And the conclusion is that a technical solution to spam doesn't exist. Yes, there are things that can still be done---one can continue to play whack-a-mole, but it never gets better than whack-a-mole.
There are still technical methods that aren't fully exploited (text analysis for intent, bayesian, etc) but for each of these things, there are countermeasures that the abuser can do to fool them. If you want to talk information theory and spam, contact me off-list.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000
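The per-prefix spam summaries Petri describes at the top of the thread (incidents counted against the containing BGP route, and the share a "handful of prefixes" would cover) can be reproduced with a small longest-prefix-match aggregator. The following is an added example, not code from anyone in the thread; the routing table, ASNs and source addresses are constructed sample values.

```python
# Added example: aggregate spam-source incidents by containing BGP prefix
# (longest-prefix match) and estimate what share of incidents a block on
# inbound port 25 from the top-k prefixes would cover. All data constructed.
import ipaddress
from collections import Counter

# Constructed routing table: prefix -> origin AS (hypothetical values).
ROUTES = {
    "203.0.113.0/24": 64496,
    "198.51.100.0/25": 64497,
    "198.51.100.128/25": 64498,
    "192.0.2.0/24": 64499,
}

# Constructed incident log: source IP of each spam delivery attempt seen.
INCIDENTS = [
    "203.0.113.7", "203.0.113.9", "203.0.113.200", "203.0.113.7",
    "198.51.100.3", "198.51.100.130", "198.51.100.131", "198.51.100.140",
    "192.0.2.10", "10.0.0.5",
]

def containing_route(ip, routes=ROUTES):
    """Longest-prefix match: return (prefix, asn), or None if no route covers ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return (str(best[0]), best[1]) if best else None

def summarize(incidents=INCIDENTS, routes=ROUTES):
    """Rows of (prefix, count, percent of all incidents), most incidents first."""
    counts = Counter()
    for ip in incidents:
        route = containing_route(ip, routes)
        counts[route[0] if route else "unrouted"] += 1
    total = len(incidents)
    return sorted(((p, n, 100.0 * n / total) for p, n in counts.items()),
                  key=lambda row: row[1], reverse=True)

def coverage_of_top(k, incidents=INCIDENTS, routes=ROUTES):
    """Percent of incidents that blocking inbound 25 from the top-k prefixes would stop."""
    rows = summarize(incidents, routes)
    return sum(pct for prefix, _, pct in rows[:k] if prefix != "unrouted")
```

On the constructed data the two busiest prefixes account for 70% of incidents; on a real feed the "unrouted" bucket flags sources your routing table does not explain and deserves a look before any block is applied.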
Current thread:
- Re: The power of default configurations, (continued)
- Re: The power of default configurations Eric A. Hall (Apr 07)
- Re: The power of default configurations Jon Lewis (Apr 07)
- Re: The power of default configurations Eric A. Hall (Apr 07)
- Re: The power of default configurations Jon Lewis (Apr 07)
- Re: The power of default configurations Eric A. Hall (Apr 07)
- Re: The power of default configurations just me (Apr 08)
- Re: The power of default configurations Eric A. Hall (Apr 08)
- Re: The power of default configurations Mark Andrews (Apr 06)
- Message not available
- Re: botted hosts John Dupuy (Apr 04)
- Message not available
- Re: botted hosts John Dupuy (Apr 04)
- Re: botted hosts Valdis . Kletnieks (Apr 04)
- Re: botted hosts Christopher L. Morrow (Apr 04)
- Re: botted hosts Dean Anderson (Apr 05)
- Re: botted hosts Simon Waters (Apr 05)
- Re: botted hosts Dean Anderson (Apr 05)