Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]
joelja at bogus.com
Mon Jun 23 22:47:17 CDT 2008
Frank Bulk - iNAME wrote:
> Right, port 587 would require SMTP authentication.
> I'm no routing expert, but can tens of thousands of /32s be excluded using
> BGP communities?
The sort of depends on how many fib entries you want to burn on not
the argument in this thread however (which I more or less subcribe to)
is that in the future an ip address is insufficient granularity for mail
/badness filtering. Frankly it's not just computer clouds but also
address pressure, a million hosts behind a /24 are going to be rather
hard to pick out one at a time. ultimately the ability blackhole based
on something as gross as the source ip address is going to be
insufficiently fine grained for devices that must accept connections
from the internet at large.
> I don't know if spammers are going to be using TLS in a big way soon, though
> I'll admit I've not measured.
A couple years ago, when my former employer turned on tls support on the
outwardly facing mta's about 10% of our incoming smtp connections
immediately started using it after ehlo. That's not something I've kept
track of but I imagine it's an issue.
> As long TLS usage is low, examining TCP port
> 25 traffic would likely be effective without redirecting SMTP traffic and
> making it effective for all customers downstream.
> -----Original Message-----
> From: Joel Jaeggli [mailto:joelja at bogus.com]
> Sent: Monday, June 23, 2008 4:06 PM
> To: frnkblk at iname.com
> Cc: nanog at merit.edu
> Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
> reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]
> Frank Bulk wrote:
>> Thanks. Even with TLS, the destination port (either 25 or 365) is
>> well-known, right, as is the source IP?
> And 587 though that's generally your customers, who are going authenticate.
>> At the minimum RBLs could be used
>> for that encrypted traffic.
> Yeah, given that that point you're basically filtering by ip again, you
> can do that with a bgp community. That's not really smtp filtering anymore.
>> -----Original Message-----
>> From: Joel Jaeggli [mailto:joelja at bogus.com]
>> Sent: Monday, June 23, 2008 2:20 PM
>> To: frnkblk at iname.com
>> Cc: nanog at merit.edu
>> Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
>> reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]
>> dpi boxes from a number of vendors can do that sort of thing... whether
>> they can do it fast enough to be inline with your compute cloud is
>> another question entirely.
>> That said the result is fairly perilous when rejecting a message
>> involves forging packets. and of course tls supporting mta's will be
>> opaque to the network traffic inspecting device.
More information about the NANOG