[Dshield] Need some help testing

Tony Earnshaw tonni at hetnet.nl
Wed Jul 11 04:25:30 GMT 2007


Tomas L. Byrnes wrote, on 10-07-2007 17:03:

> If I am to sum up the attitudes of those who like blocking static
> "dynamic" addresses it is:
> 
> Only businesses (or people willing to pay for business service) should
> have their own mail relays.

Actually, as mailadmin for a domain with 1500+ users my own need is to 
block as much of the rubbish being offered to many of said users as 
possible.

I started with a lax policy and tightened the garrote gradually, turn by 
turn, until the point that we are refusing almost as much 
rubbish/malware before smtp conversation as we are receiving genuine mail.

I don't just block net ranges that ISPs have given to the DNSBLs that I 
use, I use a range of other anti-rubbish blocks that Postfix allows me, 
finished up by the finest anti-spam/AV software I could find. Balancing 
rejection of rubbish/malware with rejection of the genuine stuff is a 
fine art.

I'm not blocking dynamic addresses as a draconian measure (i.e. "no 
dynamic addresses should be allowed to send Internet mail"), but because 
experience (over the years) has shown that most bots are on these 
addresses and it's from these addresses we get most rubbish.

That notwithstanding, I block a lot of static addresses too; Spamhaus 
and my own blacklist sort most of that out.

The real problem with the denigration of the services offered by the 
original DARPA concept is the misuse of them by baddies. I'm afraid that 
everyone has to suffer for this. My own home ISP, Het Net (Planet 
Internet, KPN in Holland) has blocked all port 25 traffic at its border 
routers except to and from its own MTAs. I run my own (home) MTA and 
have to suffer because of others' misdemeanors and was highly piqued 
when said ISP began with this policy. But then again, I get piqued 
whenever I get a speeding ticket. Both limits have been adopted because 
of people's irresponsibility.

Best,

--Tonni

> I don't even know where to start with that one. It is a symptom of
> exactly what has gone wrong with the Internet since the telcos became a
> major force in it: a return to the hierarchical idea of the PSTN that
> the Internet beat hands down, precisely because of its decentralized,
> fundamentally peer to peer, anyone can experiment, nature.
> 
> It fundamentally breaks the architecture of the Internet as a peer to
> peer system, forces people to use entities they may not trust, in many
> cases validly (given the warrantless wiretapping that has been going on,
> to say nothing of the common practice in parts of the world with little
> respect for human rights), for mail relay services, and drastically
> reduces anyone's ability to test and prototype anything using filtered
> protocols. 
> 
> It's also pretty high-handed on anyone's part to call an IP address that
> they know may well actually be static, "dynamic".
> 
> Sure this approach reduces SPAM, so would only white listing MTAs you
> actually trusted. Both do it for the same reason: they deny connections
> from the vast majority of the IPV4 space.
> 
> You may consider that a valid approach, and if you have a small number
> of users, who either don't know what they are not getting, or don't
> particularly care, then the denial of service you are instituting may
> not matter. Effectively, what you are doing is denying all except a
> pretty well-defined set of addresses that should be "good", and then
> filtering that for the addresses that may have had a bad actor on them
> at some time in the past, and then white listing when someone complains.
> Effectively, you're building a small subset of the Internet as a SMTP
> closed user group.
> 
> For larger networks, especially ones with lots of entropy in their
> legitimate peers, this approach is suspect, IMO.


-- 
Tony Earnshaw
Email: tonni at hetnet dot nl

