ingress SMTP

Tim Sanderson tims at donet.com
Wed Sep 3 10:52:48 CDT 2008


Anybody not wanting to use their ISP email would notice it. I see filtering 25 FROM the customer as something that is not likely to happen because of this. When a customer buys bandwidth, they want to be able to use it for whatever they choose. This would be just one more restriction giving competitive advantage to any ISP not doing the filtering.

--
Tim Sanderson, network administrator
tims at donet.com

-----Original Message-----
From: *Hobbit* [mailto:hobbit at avian.org]
Sent: Wednesday, September 03, 2008 11:16 AM
To: nanog at nanog.org
Subject: ingress SMTP

I've been blackholing NANOG mail for a while due to other things
displacing the time I'd need to read it, so I might be a little out
of touch on this, but I did grovel through some of the archives
looking for any discussion on this before posting.  Didn't find a
really coherent answer yet.

What I'm trying to get a feel for is this: what proportion of edge
customers have a genuine NEED to send direct SMTP traffic to TCP 25
at arbitrary destinations?  I'm thinking mostly of cable-modem and
DSL/fiber swamps, dialup pools [do they even exist anymore?], and
other clouds basically containing end-users rather than the more
"bidirectional" business-class customers.

The big providers -- comcast, verizon, RR, charter, bellsouth, etc --
seem to be some of the most significant sources of spam and malware
attempts, mostly from compromised end-user machines, and it seems
that simply denying *INGRESS* of TCP 25 traffic except to the given
ISP's outbound relay servers would cut an awful lot of it off at the
pass.  Decent anti-header-spoofing configuration on said mailservers
would take care of even more.  I realize this might be a total
hot-button but I'm not talking about filtering TOWARD customers, I'm
talking about filtering FROM them, upstream -- possibly less often
discussed.  And only SMTP.  Not censorship, just a simple technical
policy that the vast majority of customers wouldn't even notice.

I've got a paper out about this that was put together quite a
while ago, in fact:

  http://www.usenix.org/publications/login/2005-10/openpdfs/hobbit.pdf

I can weigh the decision to trust a PTR lookup, but most of the big
players seem to have their inverse DNS automated fairly well which
helps such little hacks work.  But really, I'd like to see more done
at the SOURCE of the problem, which should be as simple as two ACL
lines dropped into some edge routers.

What is preventing this from being an operational no-brainer,
including making a few exceptions for customers that prove they know
how to lock down their own mail infrastructure?

And why do the largest players seem to have the least clue about it?

_H*
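Hobbit's "two ACL lines" policy, as an added example that is not part of either message on this page: customers in the end-user pool may open TCP 25 only to the ISP's own relays, customers who have shown they run a locked-down MTA are exempted, and hits on the logged deny line are counted per source so that a host spraying remote mail exchangers directly stands out from a single stray connection. All addresses, the exemption list and the sample flows are constructed for the example; the Cisco-style rendition in the comments is a hypothetical ACL name applied inbound on the customer-facing interface.

```python
"""Toy model of the customer-facing egress-SMTP ACL sketched in the thread.

Addresses and prefixes below are constructed for the example, not an ISP's
real configuration."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed values, not from the thread.
CUSTOMER_POOL = ip_network("10.0.0.0/8")          # cable/DSL end-user pool
ISP_RELAYS = {ip_address("192.0.2.25"), ip_address("192.0.2.26")}
EXEMPT_CUSTOMERS = [ip_network("10.200.0.0/24")]  # proved they run their own MTA

# The same policy in Cisco IOS extended-ACL form (hypothetical ACL name),
# applied inbound on the interface facing the customer pool:
#   ip access-list extended CUSTOMER-IN
#     permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.25 eq 25
#     permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.26 eq 25
#     permit tcp 10.200.0.0 0.0.0.255 any eq 25
#     deny   tcp 10.0.0.0 0.255.255.255 any eq 25 log
#     permit ip any any


def acl_permits(src: str, dst: str, dport: int, proto: str = "tcp") -> bool:
    """Return True if the flow passes the customer-facing ingress ACL."""
    s, d = ip_address(src), ip_address(dst)
    # Only TCP/25 from the customer pool is subject to the policy; everything
    # else falls through to the trailing "permit ip any any".
    if proto != "tcp" or dport != 25 or s not in CUSTOMER_POOL:
        return True
    # Customers on the exemption list may reach any mail exchanger directly.
    if any(s in net for net in EXEMPT_CUSTOMERS):
        return True
    # Everyone else may only hand mail to the ISP's own relays.
    return d in ISP_RELAYS


def denied_counts(flows) -> Counter:
    """Count hits on the logged deny line per customer source address."""
    counts = Counter()
    for src, dst, dport, proto in flows:
        if not acl_permits(src, dst, dport, proto):
            counts[src] += 1
    return counts


def suspect_hosts(flows, threshold: int = 3) -> list:
    """Customer addresses that hit the deny line at least `threshold` times.

    A burst of direct-to-MX attempts from one end-user host is the signature
    of a compromised machine rather than a mis-set mail client."""
    return sorted(src for src, n in denied_counts(flows).items() if n >= threshold)


# Constructed sample of flows (src, dst, dport, proto) as a collector might log them.
SAMPLE_FLOWS = [
    ("10.1.2.3", "192.0.2.25", 25, "tcp"),        # normal client via ISP relay
    ("10.1.2.3", "203.0.113.9", 443, "tcp"),      # unrelated web traffic
    ("10.200.0.7", "198.51.100.20", 25, "tcp"),   # exempt customer, own MTA
    ("10.9.9.9", "198.51.100.1", 25, "tcp"),      # one host trying remote MXs directly
    ("10.9.9.9", "198.51.100.2", 25, "tcp"),
    ("10.9.9.9", "198.51.100.3", 25, "tcp"),
    ("10.9.9.9", "198.51.100.4", 25, "tcp"),
    ("10.5.5.5", "198.51.100.1", 25, "tcp"),      # single stray attempt
    ("172.16.0.5", "198.51.100.1", 25, "tcp"),    # not in the customer pool
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "permit" if acl_permits(*flow) else "deny")
    print("suspect hosts:", suspect_hosts(SAMPLE_FLOWS))
```

The exemption list is what turns the blanket rule into the policy Hobbit asks about: the deny line stays in place for the swamp, while a customer who can demonstrate a properly configured mail server is added to the permit lines rather than the whole filter being dropped. Counting deny-line hits per source is the cheap follow-up that lets the ISP find the compromised machines the filter is silently containing.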




