nanog mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

From: "Jeroen Massar" <jeroen () unfix org>
Date: Mon, 26 Aug 2002 21:43:07 +0200

Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] wrote:


On Mon, 26 Aug 2002 21:12:40 +0200, Jeroen Massar 
<jeroen () unfix org>  said:

IMHO, Paul's idea is quite a good one, but all servers will need to

be

upgraded, and all dns entries installed.


Given the number of providers who seem to think ingress and/or rfc1918
filtering shouldn't be done, what makes you think that "all servers"
will be upgraded to support THIS proposal?


Read my sentence again, because I really won't see everybody install/use
it.
One can also simply see so by the problems related to the fact of
installing security updates.
Some 'companies' and individuals are simply too sleezy/lousy or whatever
to do it.
And thus open spam relays will be kept alive which is why there are
RBL's.

This will only help a bit, and tools like SpamAssasin/Razor will keep a
load of stuff of your servers.
But unfortunatly one will never be able to block it all.


(If you don't want to re-start the RFC1918 war, feel free to 
substitute ANY OTHER thing that most people think is a Good Thing, but

we've 

seen some sizable minority not deploy for reasons they consider 
perfectly valid).


8<-----------
RESERVED="0.0.0.0/7 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 23.0.0.0/8 27.0.0.0/8
\
        31.0.0.0/8 72.0.0.0/5 96.0.0.0/3 \
        128.66.0.0/16 191.255.0.0/16 \
        197.0.0.0/8 201.0.0.0/8 224.0.0.0/3 240.0.0.0/8"
MISC="127.0.0.0/8 128.0.0.0/16 169.254.0.0/16"
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Setup block against reserved, rfc1918 and other nets
for i in ${RESERVED} ${MISC} ${RFC1918}; do
        RULE -A INPUT -i ${IF} -s ${i} -j LDROP
        RULE -A OUTPUT -o ${IF} -d ${i} -j LDROP
done

---------->8
In the filtering language you want, and yes one sees a load of crap in
your logs...
There is a way of making people apply rules though:
depeer/disconnect/...
Unfortunatly one can't easily do that to a party far far away, thus one
blocks at their end (spamassasin/razor and IP based rules)..

Making it harder to get into your house is better than putting the doors
wide open...
Every bit helps...

Greets,
 Jeroen
Previous By Date Next
Previous By Thread Next

Current thread: