nanog mailing list archives

Re: Stealth Blocking
From: dlr () bungi com (Dave Rand)
Date: Thu, 24 May 2001 10:16:36 PDT

[In the message entitled "Re: Stealth Blocking" on May 24,  9:46, "Eric A. Hall" writes:]

Returning to operational traffic:

One thing that I think *will* help, particularly in the short term, is
port 25 blocking of dialup ports.  It's my personal opinion that this
will have the greatest impact on spammers who abuse open relays.  I've
watched this happen over the last few months, as various large networks
have secured their dialup ports.  It's impressive.

TCP rate-limiting on outbound traffic to *:25 would also be extremely
effective, particularly on unclassified customer traffic, and without the
heavy-handed nature of denying all dial-up traffic. Rate-limiting doesn't
interfere with low-volume legitimate mail, but it really cramps spam.

I'm not sure how effective rate limiting will be.  Many spammers send one
copy of the spam to an open relay, but use many (2 to 50) recipients.
I'm unaware of a product that could limit (say) based on the number of
connections from a given dialup port.  Also, based on several providers'
information, one dialup account is being used by several, or many,
spammers' machines at the same time, so even a per-IP port limit
wouldn't have as much effect as you might think.

One other way to do this might be to do port 25 blocking on new customers,
but allow customers to get unblocked on request after they have been around
a while...  Isn't that the approach that AT&T used, to great success?

It's also interesting to note that at least one dialup reseller actively
markets to spammers, and attempts to negotiate unblocked dialups with the
various providers.  
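
The per-IP versus per-account point above, as an added example that is not part of the original message: a sliding-window check over outbound port 25 connection records, keyed first by source IP and then by dialup account. It assumes the operator can map each connection to the authenticated account (for instance from RADIUS accounting); the account names, addresses, limit and window are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample: (seconds, dialup account, source IP) for each outbound
# TCP connection to port 25. Names and addresses are made up (RFC 5737 range).
EVENTS = sorted(
    # One login in use from four machines at once, three connections each.
    [(t, "dial-0042", f"192.0.2.{host}")
     for host in (10, 11, 12, 13)
     for t in (host, host + 15, host + 30)]
    # An ordinary customer sending two messages.
    + [(5, "dial-0007", "192.0.2.50"), (40, "dial-0007", "192.0.2.50")]
)

LIMIT, WINDOW = 5, 60  # assumed policy: at most 5 connections per 60 seconds


def per_ip(account, src_ip):
    return src_ip


def per_account(account, src_ip):
    return account


def over_limit(events, key, limit=LIMIT, window=WINDOW):
    """Return the keys that opened more than `limit` connections within any
    `window`-second span. `key` selects what the limit is applied to."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    flagged = set()
    for ts, account, src_ip in events:
        q = recent[key(account, src_ip)]
        q.append(ts)
        while q[0] <= ts - window:   # drop connections older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(key(account, src_ip))
    return flagged


if __name__ == "__main__":
    print("flagged per IP:     ", over_limit(EVENTS, per_ip))
    print("flagged per account:", over_limit(EVENTS, per_account))
```

Neither key sees how many recipients ride on each connection, which is the other limitation raised in the message.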

