Despamming wholesale dialup

Phil Howard phil at whistler.intur.net
Fri Oct 30 14:48:29 UTC 1998


Bryan Bradsby summarized:

> First Harold outlined this plan for AGIS modems rented to ISPs: 
> 
>     To address this i have proposed installing filters that will only
>     allow these folks to connect to port 25 of the ISP that has
>     bought the ports. This way they are not able to relay off of anyone
>     elses machine
> 
> Then Roeland recommended: 
> 
>     What I really suggest, and this takes some work on your part, is to
>     contact the site's admin and inform them of their open-relay status.

These are actually two separate issues:

1.  Open SMTP relays

2.  Dialup ports open to all SMTP servers

While these two issues do interact, and a perfect solution to one of them
makes the other much less of an impact, they do both need to be addressed
as distinct issues.

Making sure that the SMTP servers that a given dialup user is supposed to
use are closed for relaying (but they have to be open to this dialup user
to be able to send legitimate mail to anyone) does not solve issue #2
relative to the dialup user.  If the dialup user is a spammer using one
of the bulk mailing packages, that user will be contacting SMTP servers
other than at his ISP in order to "spread the load" and reduce his costs.

What Harold has proposed is to make sure the dialup user is only able to
use the SMTP servers of his dialup ISP.

Roeland points out that many dialup users need to access the SMTP server
of yet another provider they use, but via the dialup of the first.  This
may be required because the dialup user may be sourcing his mail from a
domain he legitimately owns, but which is not recognized by the SMTP
server of his dialup ISP.



> We do this now. When a site is blocked by our subscription to ORBS, i send
> them a nice friendly note, admin to admin. How many? A couple hundred a
> month. Some fix it promptly. Some send me a nice thank you note. Most
> don't (do either one). 

While I do block relaying through my SMTP server (you cannot send to an
unrecognized domain from an IP that resolves to an unrecognized domain)
and I do block access to SMTP servers other than my own for most dialup
users (those known to run their own valid mail servers get an exemption),
I do not block known relay SMTP sites.  I feel I do not need to do this
because I already block my dialup users from all but my own SMTP ports.
Since some spammers actually operate by direct contact to the MX server
of the intended reci... err... victim, I feel the port blocking is a
better solution than open relay blocking.  The former is easier to do
and the latter, I feel, is more difficult to do.

I also do not filter source addresses for my customers on my mail servers.
Customers of virtual web services can simply direct their outgoing mail
(the "SMTP server" hostname in most mail programs, such as Netscape
Communicator) through my SMTP server, smtp.intur.net, if they are a
dialup customer of ours.  Thus they can have their From/Reply state their
domain name, and still send e-mail to anyone on the net, including those
at places with open relays (not that I condone this).


> Then Scott reiterated:
> 
>     The problem is when the spam-bastard isn't relaying.  We've been
>     getting thousands of messages every week from spammers who buy
>     dialup from various places, then connect directly to the
>     destination mail server to deliver the mail.  That's what this
>     prevents.  I don't know of any other method that does.
> 
> If all the ISPs won't do what Harold has proposed, then we have no choice
> in our own self defense, but to block port 25 from all the modems by IP
> (and open up corresponding holes for responsible SMTP servers in the same
> netblock). 

I do this by account when I generate the RADIUS files from our database
(done when a change is detected on each 15 minute config update cycle).
Thus, I can enable the hole on a per-account, not per IP, basis.  That
keeps me from having long access lists.


> But my question is - Would responsible netops be willing to give me a list
> of their (non-relaying) SMTP servers?  

I'm curious what such a list would be used for.  Would you limit access to
just those SMTP servers?  Would that not form a rather long access list?

-- 
 --    *-----------------------------*      Phil Howard KA9WGN       *    --
  --   | Inturnet, Inc.              | Director of Internet Services |   --
   --  | Business Internet Solutions |       eng at intur.net        |  --
    -- *-----------------------------*      philh at intur.net       * --
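The per-account port 25 policy described in the message above (dialup users may reach only the ISP's own SMTP servers, with the exemption tied to the login rather than the pool address), as an added Python sketch; it is not from the original post or from Inturnet, and the server addresses, account names and filter names are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address

SMTP_PORT = 25

# Constructed placeholder for the ISP's own SMTP server(s); the real address of
# smtp.intur.net is not given on the page.
ISP_SMTP_SERVERS = {ip_address("192.0.2.25")}


@dataclass
class Account:
    username: str
    # The per-account "hole": set for logins known to run a valid mail server.
    runs_own_mail_server: bool = False


def smtp_allowed(account: Account, dst_ip: str, dst_port: int) -> bool:
    """Egress decision for one packet from this account's dialup session.

    Only TCP/25 is policed.  Non-SMTP traffic always passes; SMTP passes to
    the ISP's own servers for everyone, and to anywhere for exempt accounts.
    """
    if dst_port != SMTP_PORT:
        return True
    if account.runs_own_mail_server:
        return True
    return ip_address(dst_ip) in ISP_SMTP_SERVERS


def radius_users_entry(account: Account) -> str:
    """FreeRADIUS-style 'users' file entry selecting a named filter per login.

    The filter names are hypothetical; how the NAS expands Filter-Id into an
    actual packet filter is vendor specific.  Keying on the username means
    the exemption follows the account, not whichever pool IP the modem got.
    """
    name = "dialup-smtp-any" if account.runs_own_mail_server else "dialup-smtp-isp-only"
    return f'{account.username}\n\tFilter-Id = "{name}"'


def generate_users_file(accounts) -> str:
    """Regenerate the whole users file from the account database (constructed)."""
    return "\n".join(radius_users_entry(a) for a in accounts) + "\n"


if __name__ == "__main__":
    db = [Account("alice"), Account("bob", runs_own_mail_server=True)]
    print(generate_users_file(db))
```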



More information about the NANOG mailing list