Time to check the rate limits on your mail servers

Joel Perez jperez at numind.net
Thu Feb 3 14:59:42 UTC 2005


I keep reading these articles and reports about this botnet and that
botnet problem and how many user's pc's are infected.
The only thing I don't see is a way to remove these bots!
Not everyone knows how to even look at their machines for signs of these
bots. Heck, I know most of my guys here don't even know how these bots
work.

It would be impossible to educate everybody but it's better to try than
sitting around blocking this and that and not really solving the issue
at hand.

My .02 cents. 

-------------------------------------------------
Joel Perez      |  Network Engineer
305.914.3412  |  Ntera
-------------------------------------------------

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Michael.Dillon at radianz.com
Sent: Thursday, February 03, 2005 9:47 AM
To: nanog at merit.edu
Subject: Re: Time to check the rate limits on your mail servers


> > Do you let your customers send an unlimited number of
> > emails per day? Per hour? Per minute? If so, then why?
> 
> Doing that - especially now when this article has hit the popular
> press and there's going to be lots more people doing the same thing -
> is going to be equivalent of hanging out a "block my email" sign.

I don't understand your comment. This is an
arms race. The spammers and botnet builders
are attempting to make their bots use the 
exact same email transmission channels as 
your customers' email clients. They are
getting better at doing this as time goes
on. I think we are at the point where the
technical expertise of the botnet builders
is greater than the technical expertise of
most people working in email operations.

We cannot win this battle by continuing to
attempt to trump their technical abilities.
However, if we shift the battleground to
a location where network operators have the
upper hand, we can do better.

And that's why I suggest that people should
start looking at email volume controls. The
vast majority of individual users only send
a small number of emails over a given time
period whether you measure that time period
in minutes, hours or days.

SPAM is a form of DDoS against the Internet's
email architecture. Rate limiting has proven to
be an effective way of mitigating DDoS because
it strikes at the very core of the DoS methodology.
Why not deploy this strategy against email?

Please note that I am not suggesting that 
this is a way to "solve" the SPAM problem.
First of all, I do not agree that there is 
a SPAM problem. The fundamental problem is that
the Internet email architecture is flawed. SPAM
is merely a symptom of those flaws. If we fix
the architecture, then nobody will care about
SPAM. As you can see, two separate problems
are becoming intertwingled here. In the past
we had viruses, DDoS, botnets, SPAM, phishing.
But now, all of these things are merging and
evolving together.

And secondly, I'm only pointing out that there
are reasons for people to start thinking about
rate limiting email on their networks. I'm
suggesting that people should be asking questions.
I don't think it is wise to run out and slap
rate limits on mail infrastructure without
thinking through the implications.

--Michael Dillon




More information about the NANOG mailing list