smtp CAR (another use for CAR)

Jared Mauch jared at puck.Nether.net
Fri Jun 25 19:07:44 UTC 1999


On Fri, Jun 25, 1999 at 03:01:00PM -0400, Daniel Senie wrote:
> Jared Mauch wrote:
> > 
> >         This has been my great use for CAR (since icmp, etc.. CAR'ing)..
> > 
> >         If you are a dialup provider (or have dial ports), and CAR
> > smtp from those networks down to 8kb/sec across your entire network
> > to your upstreams, etc.. that are not going to your smtp server(s),
> > or people you share dial pools with smtp servers, you can reduce the amount
> > of third party relaying that occurs in your network.
> 
> Those who implement this should also advertise this policy, as with any
> restrictive policy. That way, folks who rely on services you're
> throttling to death can avoid your networks.

	I'm only using this on our dialup pools, not the rest of our
network space, so we don't affect any dedicated customers.  This obviously
means I have to maintain the access-list.

> >         We've had great success with it here, as we had someone
> > (ab)using our online signup by signing up at 3am, dialing in, then
> > sending a few hundreds of thousands of third-party relay spam messages.
> > 
> >         What I did:
> > 
> > rate-limit output access-group 163 8000 8000 8000 conform-action set-prec-transmit 7 exceed-action drop
> > 
> >         on our upstream links, where acl 163 was a many line acl including
> > all our dialup pools.
> > 
> >     permit tcp 10.10.10.0 0.0.0.127 any eq smtp
> > 
> >         etc..
> > 
> >         You'll find you get matches against the access-list
> > for people using remote servers, but if you get complaints,
> > tell them to use your mail server..
> > 
> >         We use this as an alternative (currently) to the per-port
> > filters you can stick into dialup NASes for restricting smtp
> > to a set of a few servers, etc..
> 
> Nice denial of service for the rest of your customers. You just need one
> spammer doing their thing in the middle of the night, and any person
> with a legitimate reason to be using a remote SMTP server is screwed.
> Very sweet.

	They're not screwed, it'll work, but not fast.

	If I wanted to deny it, I can build the appropriate ACL for
that.

	I've not heard a single complaint from a customer, and
our spam complaints have gone down that our abuse group deals with.

	It's an alternative to just totally denying remote smtp, and 
allows us to track the people and shut them off and track them, etc.. so
we can hand their info off to people who want to sue for theft of service.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
             |           "Waste Management Consultant"




More information about the NANOG mailing list