[Dshield] Users don't pay attention

Craig Webster craig at xeriom.net
Sat Aug 20 12:56:14 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Forgive me if I'm not too coherent in this reply... I've read it over  
a few times but I have a cold and can't even make a cup of tea very  
effectively just now.

On 20 Aug 2005, at 03:49, Abuse wrote:
> You can still use another email server. You just need to send your
> email out from your ISP's email server. I do this all the time; the
> FROM: and REPLY-TO: show my email address of the other email system,
> but if you look at the headers you can see it did not originate there.
> I have been doing this for years even though I have not been blocked,
> it was just convenient.

You don't have a problem with spam filters that go "wait a minute,  
the claimed from and mail origin don't match up... in fact, the from  
domain isn't mentioned at all in the received from chain... that  
looks faked?"

If I receive an email like this I'm unlikely to trust it no matter  
who the claimed sender is; it looks like it's been forged.

>> These ISPs will block the useful ports and lock you into their
>> services no problem under the guise of being the superhero of the
>> story but as you say, it's unlikely that they'll ever monitor or
>> block the vast majority of their traffic. It's simply easier to say
>> "It's the bad guys' fault. Now buy our services."
> I DISAGREE loudly.
>
> I think blocking port 25 is a very good strategy as this blocks most of
> the compromised computers (which is the main source of spam). If you
> want to run your own email server then set it up to relay all of your
> outbound email through your ISP's email server. You can still receive
> email directly into your email server without any problems.
>
> Please explain to me why this does not work?

You're talking about using a personal local mail server within the  
ISP's network; I'm talking about using a mail server that is outside  
your ISP's network (as is common with a lot of hosting packages and  
commercial email packages). Your traffic is blocked before it gets to  
the desired server so there's no chance of relaying it back to the  
funnel server. You're stuck setting the From: and Reply-To: headers  
and as I pointed out above, some spam filters don't like that.

Blocking the port except for a filter server is a reasonable idea -  
as you say, it'll reduce exposure to the compromised nodes - but the  
end user[1] doesn't care about that. They just want to send email  
through the external email account that they've paid for. They want  
to stop spam coming into their inbox and are unconcerned about the  
garbage that flows out. They're looking for an ISP that allows them  
to use the external mail server and suddenly blocking outgoing port  
25 isn't profitable for the ISP.

As the number of ISPs that do block this port gets larger it's just a  
matter of time before some list is drawn up of "ISP X uses mail funnel  
aa.bb.cc.dd, so send all mail through there"[2]. Sure, the victim will  
get their line shut down, but only after a day or so of sending spam  
and by that time the worm has already infected several other  
computers. You could say that this is what the end user deserves for  
not keeping their computer clean but they'll just stare at you  
blankly and get an account at another ISP; one which doesn't  
block/funnel the port.

[1] In this case I'm considering an end user to be Joe Sixpack, not a  
member of this list.

[2] There's a list of md5 collisions being compiled - why not this?  
It's a little more dynamic and a lot more profitable.

Yours,
Craig
- --
Craig Webster | e:craig at xeriom.net      | if($monkey && $beer)
Xeriom.NET    | web: http://xeriom.net/ |         $monkey->dance();


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDByhuu5vuVozw5tYRAiQMAKCA/Sk2ghcJL3Jl2vfx0RZDw9lVZgCg4dMg
dLZPv3gANzLlNeGEftiGcEo=
=y5ul
-----END PGP SIGNATURE-----

