Interesting People mailing list archives

- Verizon blocks European email by default.


From: David Farber <dave () farber net>
Date: Thu, 20 Jan 2005 13:25:19 -0500


------ Forwarded Message
From: Rich Kulawiec <rsk () gsp org>
Date: Thu, 20 Jan 2005 10:46:31 -0500
To: "David E. Young" <david.e.young () verizon com>
Cc: Richard Forno <rforno () infowarrior org>, "Trei, Peter"
<ptrei () rsasecurity com>, Dave Farber <dave () farber net>, "Jonathan S.
Shapiro" <shap () eros-os org>, Gunnar Helliesen <gunnar () bitcon no>
Subject: Re: [infowarrior] - Verizon blocks European email by default.


[ David @ Verizon -- you're the lucky ;-) recipient of this (a) because
I noted your message on the IP list and (b) your title gives me some hope
that you might be in a position to do something about this. ]

US ISP Verizon is persisting with a controversial policy of
blocking email sent from Europe. Since 22 December, mail
servers at verizon.net have been configured not to accept
connections from Europe by default.

First off, blocking mail from large chunks of European IP space is silly.
If you're going to block entire countries -- and lots of people,
including me, do that to varying degrees on some of our servers --
then it makes sense to start with those countries from which the ratio
of spam:non-spam as seen on that server is highest -- and no European
country is likely to be on that list.  (Which are?  Korea, China, US.
I block the first two on some servers, but I can't block the latter
because those servers are *in* the US.  But I sure would if I could.)

Second, it's especially silly considering that Verizon itself is a much
larger source of spam than many of the ISPs it's blocked.  I'll point
to xs4all (Netherlands) and spin.it (Italy) as two examples of ISPs
which have good track records when it comes to dealing with outbound
spam -- far better than Verizon's.  (It's probably not an accident
that personnel involved with both are regular participants on Spam-L
and have worked very hard to keep their own networks clean.)

And third, this isn't Verizon's only controversial, and -- in my
opinion -- silly -- "anti-spam" practice.  Verizon is also doing
something else which is:

 (a) ineffective
 (b) readily gamed
 (c) lends itself to DoS and DDoS attacks
 (d) provides a free, anonymizing spam support service

And it really should stop, especially because of (c) and (d).

What Verizon is doing is known as a "callback".  This technique comes
from people who have confused "spam" and "forgery" and are operating
under the mistaken notion that doing something about the latter will
have any substantial impact on the former.

It works like this:

When an incoming SMTP connection is made to one of Verizon's MX's,
they allow it to proceed until the putative sender is specified,
i.e., they wait for this part of the SMTP transaction:

 MAIL From:<blah () example com>

Then they pause the incoming connection.  And then they start up an
*outbound* SMTP connection from somewhere else on Verizon's network,
back to one of the MX's for example.com.  They then attempt to verify
that "blah" is a valid, deliverable address there.  But since most
people have long since (sensibly) disabled SMTP VRFY, they actually
construct a message and attempt delivery with RCPT.  If delivery looks
like it's going to succeed, they hang up this connection (which is rude),
and un-pause the incoming one, and allow it to proceed.  If delivery
looks like it's going to fail, then they also hang up the connection
(still rude), un-pause the incoming one, and reject the traffic.

In other words, Verizon is faking mail -- thus generating yet more junk SMTP
traffic at a time when we're drowning in junk SMTP traffic -- to do this.

This also means that if the MX they try to connect to is (a) busy
(b) down (c) unaware of all the deliverable addresses (d) something
else, that they'll refuse the incoming message.

Whoops.

Real-world example: "support () thuleracks com" is where mail from the support
staff at Thule Racks comes from.   However, it doesn't accept mail -- which
is arguably a bad practice on Thule's part, but is not a good reason for
Verizon to aggravate the problem by rejecting it.

This technique (callbacks) is bad for a whole bunch of reasons: two of the
more obvious ones are (1) it's a pathetic "anti-spam" measure because ANY
forged address ANYWHERE will do, and (2) it doesn't scale -- it fails the
"what if everyone did this?" test miserably.  (Not clear?  Consider what
happens when site A, doing callbacks, sends mail to site B, doing callbacks.
Now multiply by 1,000,000.  Now toss in a few billion spam messages.)

Add to that (3) it abuses RCPT because apparently Verizon is unwilling to
use VRFY and to accept the decision of many/most mail server operators to
disable it.  Oh, and (4) the behavior of their probe systems is nearly
indistinguishable from that of spam-spewing zombies, which don't obey the
SMTP protocol either, and also rudely hang up connections in mid-transaction.

But there's a not-so-obvious reason that this goes beyond merely a bad
idea and into the realm of active support for spammers.

A lot of people, including me, are blocking particularly problematic
spammer-controlled networks at (a) our border routers (b) our firewalls
or (c) our mail servers.  In other words, we not only won't accept mail
from them, we won't even allow them to connect: we're blocking *all* IP
traffic from them.  This prevents them from spamming; it also prevents
them from building lists of deliverable addresses to sell to other spammers
by poking at our mail servers.  (See http://www.spamhaus.org/DROP/ for
a list of network blocks that everyone should strongly consider blocking.)

Now go back and look at what Verizon's doing.  Since Verizon is doing
this probing *from their network*, spammers can easily get around
our blocking by getting Verizon to do the probing for them.  For free.
Anonymously.  They can thus use Verizon to build/check their lists...and
there's no way for us to find out who's on the other side of these probes.

Which means that Verizon is running a free, anonymizing, spam support
service.

(And there are additional problems involving rate-limiting (or not),
caching (or not), use of the callback mechanism to delay non-spam
traffic, and callback-related exploits that can be used to game the
mail servers of those running them -- again, see the Spam-L archives
for full analysis.)

Oh, Verizon's been told: one of their people was on the Spam-L list where
this was discussed in considerable depth. But AFAIK, he doesn't work
there any more; nobody else from Verizon has shown up; and attempts to
contact a real live clueful human there via the designated RFC 2142
contacts ("postmaster", "abuse") have run into a brick wall.

Hence this message, which I hope will get the attention of someone at
Verizon in a position to put a stop to this nonsense and do something
substantive -- not only about stopping spam inbound to Verizon, but
far more importantly to the rest of the Internet, stopping spam/abuse
*outbound* from Verizon -- including callbacks.

---Rsk

------ End of Forwarded Message
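
Added example, not part of the forwarded message: one way a receiving mail server's operator could spot the callback probes described above, by flagging SMTP sessions that issue RCPT and then hang up without DATA or QUIT, and listing which local addresses each peer tested. The log format, session ids, addresses and the function name are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical "<session> <peer-ip> <event>" format;
# real MTAs log differently, so adapt LINE to your server.
SAMPLE_LOG = """\
s1 192.0.2.10 cmd HELO probe.example.net
s1 192.0.2.10 cmd MAIL FROM:<postmaster@probe.example.net>
s1 192.0.2.10 cmd RCPT TO:<alice@example.org>
s1 192.0.2.10 disconnect
s2 198.51.100.7 cmd EHLO mail.example.com
s2 198.51.100.7 cmd MAIL FROM:<bob@example.com>
s2 198.51.100.7 cmd RCPT TO:<alice@example.org>
s2 198.51.100.7 cmd DATA
s2 198.51.100.7 cmd QUIT
s2 198.51.100.7 disconnect
s3 192.0.2.10 cmd HELO probe.example.net
s3 192.0.2.10 cmd MAIL FROM:<postmaster@probe.example.net>
s3 192.0.2.10 cmd RCPT TO:<carol@example.org>
s3 192.0.2.10 disconnect
"""

LINE = re.compile(r"^(\S+) (\S+) (?:disconnect|cmd (\w+)(?: (.*))?)$")
RCPT = re.compile(r"TO:<([^>]*)>", re.I)

def find_callback_probes(log_text):
    """Map peer IP -> recipients tested by sessions that sent RCPT and then
    hung up without DATA or QUIT (the probe pattern the message describes)."""
    sessions = defaultdict(lambda: {"ip": None, "verbs": [], "rcpts": []})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        sid, ip, verb, arg = m.groups()
        s = sessions[sid]
        s["ip"] = ip
        if verb:
            s["verbs"].append(verb.upper())
            hit = RCPT.search(arg or "")
            if verb.upper() == "RCPT" and hit:
                s["rcpts"].append(hit.group(1).lower())
    probes = defaultdict(set)
    for s in sessions.values():
        if "RCPT" in s["verbs"] and not {"DATA", "QUIT"} & set(s["verbs"]):
            probes[s["ip"]].update(s["rcpts"])
    return {ip: sorted(r) for ip, r in probes.items()}
```

The per-peer recipient list is what makes the address-verification side effect visible: a peer that accumulates many distinct recipients without ever delivering a message is testing addresses, whoever is behind it.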

