short Botnet list and Cashing in on DoS

Paul Vixie paul at vix.com
Sat Oct 9 19:45:58 UTC 2004


i was recently chastised for posting non-operational content to nanog, and
so, while i am willing to beat the drum for source address validation, i'm
very concerned about commenting further in what has to be the 40th or 50th
version of this thread in the last ten years.  with trepidation, then:

> > there are many ways of sending spam that don't use port 25..
> 
> True, but reducing spam from millions to thousands seems like something
> good, no?

no.  (thanks for asking.)  that's not good.  network abuse is a very strong
economic force -- whether it's spam, ddos-for-hire, or whatever.  blocking
port 25 will make legitimate smtp permanently hard to use, while making non-
legitimate smtp temporarily hard to use.  if i learned anything at MAPS, it
was that taking actions which merely harden, toughen, and educate spammers
is counter-productive.  good counteractivity must be recombinant, not just
reactive.  short term effectiveness is completely irrelevant, and not "good."

> > individual rules are costly to implement and users won't use a service
> > where you have to pay more for basic services
> 
> Several big ISPs are blocking port 25 now. I believe this will catch.

had this been done in 1998 when the anti-spam community first warned about
it, then a lot of good could have been done.  but network abuse takes many
more forms than smtp delivery now.  stopping outbound tcp/25 won't make any
notable difference to a network's support costs, by the end of the year.  on
the other hand, source address validation would make a notable difference in
support costs, by the end of the first quarter after it was deployed.

> It limits the amount of junk coming out from their users, and the usage of
> their tubes.

no.  blocking outbound tcp/25 would not have that effect.  doing BCP38 would.

> I doubt even 0.001% of dynamic range Cable/DSL users will ever call to ask
> for port 25 to be opened.
> 
> This is something ISPs can implement, and it works.

if you define "works" very narrowly, perhaps as "causes the next wave of
abuse coming from your network to not be in the form of outbound tcp/25",
then i'd have to agree.  but i don't define "works" that way since it will
just shift costs toward the following months, after the attackers retune
for their reduced capability (perhaps by inventing some new capabilities).

--------

i have a suggestion.  if you're going to propose some method of curbing
network abuse, which operates at something other than the IP layer, then
please find a different forum.  also, read vjs's "you might be" article.
and when you're educated as to what's been tried and what's been done, and
you find a forum where your proposal will be found interesting, then please
cast your proposal in the following terms: "we implemented source address
validation toward our customers as described in BCP38, and it wasn't good
enough, so we did $X as well, and it had benefit $Y and cost $Z".  (cc me!)
