Interesting People mailing list archives

Re: My [Phil Karn] position on Comcastidiocy


From: David Farber <dave () farber net>
Date: Mon, 21 Jan 2008 17:00:37 -0800


________________________________________
From: Phil Pennock [pdp () spodhuis org]
Sent: Monday, January 21, 2008 6:02 PM
To: Suresh Ramasubramanian
Cc: Phil Karn; David Farber
Subject: Re: FW: [IP] My [Phil Karn] position on Comcastidiocy

[ Other original recipient moved to Bcc in reply ]

On 2008-01-21 at 16:56 +0530, Suresh Ramasubramanian wrote:
> Either of you want to pound a bit of sense into Phil Karn be my guest

Sorry Suresh, but my views on this topic are far closer to Phil Karn's
than they are to yours.

I worked for an ISP that sold static-IP Internet service, which meant
that we provided TCP/IP and would only block that for abuse; many of our
customers were small businesses who explicitly wanted to run their own
email.  I wanted some port filtering _options_, so that we could have a
filtered/unfiltered status for accounts, start all accounts off in
"filtered" and let customers freely set their account to "unfiltered"
because that's what they were paying for.  "Filtered" would block ports
25, 135, etc.  Network engineer didn't like it, despite the fact that the
ingress kit was designed to do this at line rate.

At Demon NL a couple of years ago (before being sold and shut down), we
were successfully using http://www.quarantainenet.nl/ (Dutch language)
which is using the traffic sniffing kit we already were legally obliged
to have to be permitted to run an ISP (the Dutch are into lawful
intercepts in a big way).  This let us detect various forms of abuse on
the wire and autoblock.  If memory serves, it fed addresses back into the
ingress routers or routers adjacent to those, so that the customer is
contained at an IP routing level to where they can only reach
pre-approved sites such as OS patch sites, anti-malware sites, etc; and
to other customers near them.  The user has access to a web-page button
saying "I've cleaned up" and they have a low finite number of times that
they can use that to get themselves out of quarantine before having to
talk to Abuse.

It's not quite what I'd been asking for a couple of years before we
bought it; I tend to be a perfectionist and had been wanting to be able
to get the "quarantined" state fed back into the ATM side of things to
change where the customer's PVC linked in, so that they would truly be
on a different network, but nobody seemed to support doing that.  The
quarantainenet solution is not perfect but it's easily good enough.  And
besides, the DSL partners have moved away from ATM before offering
ADSL2+ anyway, so my perfectionist approach would have been a dead end.
:^/

Before that, we were manually blocking customers on abuse reports or our
ad-hoc detection.  We always took the approach with customers that if
your machine wasn't under your control and was sending out malware or
spam, then your machine did not belong on the network until it was back
under your control.  The Dutch cultural attitude places more emphasis on
social responsibility than found in some other English-speaking nations,
so there was never any serious outcry about this.  We possibly lost a
few customers, but since they were the ones who got upset at being cut
off for sending out garbage, those would be the customers who cost us
more in support and abuse staffing than they paid us, so not really a
loss.

I like the PBL run by spamhaus.org, which lets an ISP list its customer
netblocks and lets those customers punch holes in the listing for their
own netblocks.  I hope that the number of such clued xBLs doesn't grow
to the point where it's unreasonable to ask technical customers to just
register their systems.  A good way to tell clueful ISPs could be to
look to see if they auto-update the PBL for their customers when the
customer says "yes, I am knowingly using this pipe for email, please
give me the pipe I am paying for, I accept the responsibility".

I don't like just blocking port 25, since that will just move the
spammers to using the MAPI interfaces (so authenticated, etc) and
just shift the problem around.  Once the few biggest US ISPs block port
25 outbound, it will be easily less than a month before the spam volume
is back up, worse than ever as per-IP reputation scoring takes a
nose-dive.  However, there are enough people demanding port 25 blocking
that an ISP's reputation begins to suffer without it and I would,
reluctantly, include it in the list of ports filtered by default.

The worst problems for us were never the spammers who pumped large
amounts of traffic through as fast as possible.  It was the spammers who
maintained farms of machines and trickled less than 30 mails a day
through any given compromised machine, going out via the ISP smarthosts;
if I swept through the mail-queues looking for accumulated undelivered
mail per-originating-IP and detected compromised machines that way then
we would get severely joe-jobbed for a couple of weeks afterwards in
retaliation.  And this was back, oh, 2004, 2005 timeframe?

Port 25 blocking inbound as default was a nice idea back before malware
evolved to the point where finding/enabling an open relay was the
spammer's goal.

Port 25 blocking outbound is a crude hack which is a poor tactic and
abysmal strategy.  It only works today because it's not widely used and
so many spammers haven't bothered to work around it.  Sorry Suresh, but
given the network connectivity between India and spammers' main markets,
writing around your state-of-the-art filters just isn't going to be high
on the priority list for people whose business model is based on
low-hanging fruit.

Frankly, whilst port filtering _by_default_ of SMTP, NetBIOS, etc was a
decent idea for clueful ISPs, looking at the world today I think that
it's only appropriate for where there is real market competition.  Where
there's an effective monopoly/duopoly, I'm more scared by the precedent
it sets for arbitrarily redefining Internet access and allowing the
monopolies to extort money out of people to get back Internet access,
instead of "enough of the 'net that most people won't notice the
difference and won't realise what they're missing out on".

EOBRAINDUMP
-Phil
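The mail-queue sweep described in the message (looking for accumulated undelivered mail per originating IP on the ISP smarthosts, to catch low-rate senders that a volume threshold would miss) can be illustrated with a small script. This is an added example, not code from the original post or from Demon NL; it assumes a simplified, constructed queue-listing format (one line per queued message with queue id, status, client IP, recipient count and age) rather than any real MTA's output, and the sample entries and IPs are constructed.

```python
"""Sweep a smarthost queue listing for accumulated undelivered mail per originating IP.

Added example, not from the original post. The input format below is a
constructed simplification; a real MTA (Postfix's `postqueue -p`, Exim's
`exim -bp`, etc.) would need its own parser.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed sample queue listing (not real data). One record per line:
#   <queue_id> <status> client=<originating ip> rcpts=<n> age=<seconds>
SAMPLE_QUEUE = """\
QA001 deferred client=192.0.2.17 rcpts=1 age=4200
QA002 deferred client=192.0.2.17 rcpts=1 age=3900
QA003 deferred client=192.0.2.17 rcpts=1 age=3600
QA004 deferred client=192.0.2.17 rcpts=1 age=2700
QA005 deferred client=192.0.2.17 rcpts=1 age=1800
QA006 deferred client=192.0.2.17 rcpts=1 age=900
QA007 active   client=192.0.2.17 rcpts=1 age=30
QB001 deferred client=198.51.100.8 rcpts=1 age=600
QB002 active   client=198.51.100.8 rcpts=3 age=20
QB003 active   client=198.51.100.8 rcpts=1 age=15
QB004 active   client=198.51.100.8 rcpts=2 age=12
QB005 active   client=198.51.100.8 rcpts=1 age=8
QB006 active   client=198.51.100.8 rcpts=1 age=5
QC001 deferred client=203.0.113.5 rcpts=1 age=7200
QC002 deferred client=203.0.113.5 rcpts=1 age=6600
QC003 deferred client=203.0.113.5 rcpts=1 age=6000
QC004 deferred client=203.0.113.5 rcpts=1 age=5400
QC005 deferred client=203.0.113.5 rcpts=1 age=4800
QD001 deferred client=192.0.2.99 rcpts=1 age=300
QD002 deferred client=192.0.2.99 rcpts=1 age=240
QX999 bounced client=192.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<qid>[0-9A-Z]+)\s+(?P<status>deferred|active)\s+"
    r"client=(?P<ip>[0-9a-fA-F.:]+)\s+rcpts=(?P<rcpts>\d+)\s+age=(?P<age>\d+)$"
)


def parse_queue(text):
    """Parse the constructed listing into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown status or truncated entry: skip, don't abort the sweep
        try:
            ip = str(ipaddress.ip_address(m["ip"]))  # normalise, reject garbage
        except ValueError:
            continue
        records.append({"qid": m["qid"], "status": m["status"], "ip": ip,
                        "rcpts": int(m["rcpts"]), "age": int(m["age"])})
    return records


def tally_per_ip(records):
    """Return {ip: {"deferred": n, "active": n}} for every originating IP seen."""
    tally = defaultdict(lambda: {"deferred": 0, "active": 0})
    for r in records:
        tally[r["ip"]][r["status"]] += 1
    return dict(tally)


def find_suspects(records, min_deferred=5, min_ratio=0.5):
    """IPs whose accumulated undelivered mail suggests a compromised host.

    The signal is accumulation of deferred (undeliverable) mail, not raw
    volume, so a host trickling a few dozen messages a day still shows up.
    min_ratio keeps a busy legitimate sender with a handful of queued
    bounces from being flagged.  Thresholds are illustrative assumptions.
    """
    suspects = {}
    for ip, counts in tally_per_ip(records).items():
        total = counts["deferred"] + counts["active"]
        ratio = counts["deferred"] / total if total else 0.0
        if counts["deferred"] >= min_deferred and ratio >= min_ratio:
            suspects[ip] = counts
    return suspects


if __name__ == "__main__":
    for ip, c in sorted(find_suspects(parse_queue(SAMPLE_QUEUE)).items()):
        print(f"{ip}: {c['deferred']} deferred / {c['active']} active "
              f"-> review for quarantine")
```

The output of such a sweep is a list of candidate addresses for the abuse desk or for feeding into a quarantine mechanism like the one described earlier in the message; it is deliberately a review queue rather than an automatic block, since a legitimate customer mailing a domain that is temporarily down will also accumulate deferred mail.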
