BGP blackholing spam [was Spammer Bust]

Alex.Bligh amb at xara.net
Sat Sep 6 12:23:31 UTC 1997


Paul,

> What this means, though, is that third party relays are no longer being given
> so much mail to deliver (by any given spammer, that is) that they come to us
> (the anti-spam crowd) screaming for anti-relay solutions such as Eric Allman's
> excellent http://www.sendmail.org/antispam.html logic.  Oh sure, the next day
> or the next week the relay will be abused again, but now that it no longer
> brings the relay (and its upstream link) to its knees, the operators of these
> relays are feeling considerably less natural pressure to turn off third party
> relaying.  Microsoft's Exchange 5.0 adds relay support and the default is ON.

Well I think you hit the nail on the head with this paragraph. Whilst
Microsoft and the standard sendmail distribution ship with relaying on
by default, 95% of sites will probably relay. If this was changed (yup,
makes installation harder), 95% of sites wouldn't have relaying on by default.

Operation content follows:

paul at vix.com said:
> But be aware that blackholing people, especially on my say so, will
> lead you to get complaints from your users about unreachability, and
> complaints from other ISP's users about unreachability, and that while
> these are probably 

One of the big problems we found is that if you naively blackhole a route,
you only stop backtraffic to that destination. Some sites were sending us
so many SYN opens, that as our SYNACKs never got there, we ended up turning
a mild source of SPAM into a powerful SYN flood attack. The solution is
to (a) ensure you are running kernels capable of handling this reasonably
well, and (b) (more important) ensure that your blackholing router returns
ICMP unreachable for these nets, not simply swallows the packet. For various
reasons this is difficult to do with Ciscos without unpleasant things
like telnet <blackholed address> giving you a logon onto the router. I'll
publish the fix when we have it honed. (The unreachable should make the
kernel drop the record of the half open connection).

One particular site (something at AT&T worldnet - no compulsion about
naming them as this was so ridiculous) was sending us one open every
minute *per mail message queued* (i.e. they were running with -q1m). This
is seriously clueless. We spent the best part of half a day's engineering
time trying to get through to a clueful person there. Eventually we
got through to the person allegedly running the server who had no idea
how or why it had been set up like that, but didn't want to change it,
or disable relaying. So now they are in the appropriate access list
deny in the relevant border router even for incoming packets. No complaints
yet.

Alex Bligh
Xara Networks
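As an added illustration (not from Alex's post or Xara's actual setup), this Python model of the server-side half-open backlog shows why a blackhole that silently swallows the return path turns a mail queue retrying every minute into a SYN flood, while a router that returns ICMP unreachable lets the kernel drop the half-open entry. The SYN-ACK retransmit schedule, retry interval and backlog size are assumptions for the model, not values from any particular OS or router.

```python
"""Model of the SYN_RECV (half-open) backlog on a server whose replies to
one remote network are either silently blackholed or answered by the
blackholing router with ICMP unreachable.  Times are in seconds."""

# Assumed SYN-ACK retransmit backoff on the server (exponential, 5 retries).
# The entry is held until the last retransmit times out: sum = 93 s.
SYNACK_BACKOFF = [3, 6, 12, 24, 48]


def synrecv_lifetime(policy):
    """Seconds a half-open entry survives under the given return-path policy."""
    if policy == "unreachable":
        # ICMP unreachable reaches the server, so the kernel drops the
        # half-open connection immediately (the fix described in the post).
        return 0
    if policy == "blackhole":
        # SYN-ACK and every retransmit vanish; the entry lives until the
        # server gives up retransmitting.
        return sum(SYNACK_BACKOFF)
    raise ValueError("unknown policy: %r" % policy)


def simulate(policy, queued_messages, retry_interval=60, horizon=600):
    """Return (peak, final) number of concurrent half-open entries.

    The remote relay behaves like a queue runner with -q1m: every
    retry_interval seconds it attempts each queued message once, i.e. it
    sends one SYN per queued message (constructed sender behaviour)."""
    lifetime = synrecv_lifetime(policy)
    expiries = []  # expiry time of each live half-open entry
    peak = 0
    for t in range(horizon):
        if t % retry_interval == 0:
            expiries.extend([t + lifetime] * queued_messages)
        expiries = [e for e in expiries if e > t]  # reap expired entries
        peak = max(peak, len(expiries))
    return peak, len(expiries)


def backlog_overflows(policy, queued_messages, backlog=128):
    """True if the modelled peak exceeds an assumed listen backlog, at which
    point legitimate SYNs from everyone else start being dropped too."""
    peak, _ = simulate(policy, queued_messages)
    return peak > backlog


if __name__ == "__main__":
    for policy in ("blackhole", "unreachable"):
        print(policy, simulate(policy, 100), backlog_overflows(policy, 100))
```

With a 93 s hold time and 60 s retries, every queued message at the remote relay costs the server about two permanently occupied half-open slots under a silent blackhole and none when ICMP unreachable is returned.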
