Time to check the rate limits on your mail servers

Jørgen Hovland jorgen at hovland.cx
Thu Feb 3 19:24:42 UTC 2005


----- Original Message ----- 
From: "Jason Frisvold" <xenophage0 at gmail.com>


>
> On Thu, 03 Feb 2005 17:54:28 +0200, Gadi Evron <ge at linuxbox.org> wrote:
>> Still, please tell me, how is not blocking un-used or un-necessary ports
>> a bad thing? It is a defensive measure much like you'd add barricades
>> before an attack.
>
> Agreed.  And depending on your service, there are different ports
> worth blocking.  For residential users, I can't see a reason to not
> block something like Netbios.  And blocking port 25 effectively
> prevents zombies from spamming.  Unfortunately, it also blocks
> legitimate users from being able to use SMTP AUTH on a remote server..
>

I still can't really agree.
How do you know a port is unused or unnecessary? Because IANA has assigned port 25 as SMTP? Because only crackers use NetBIOS 
outside their LAN? You can't really inspect your network for a month to determine what ports are being used legitimately either, since this 
changes over time and the list of ports would be noisy due to viruses etc. And why should you block that particular port when there 
is no difference between port numbers, technically speaking? The only valid reason would be because the other party is also using 
that port, and blocking that particular port will prevent that particular traffic unless somebody changed the port number, which will 
happen if you start blocking specific ports because it might just annoy certain people too much. This is why all the socket-enabled 
software we develop always uses port 80 or 443 to be able to get through firewalls. We simply don't want to spend the extra time 
helping and telling the customer to enable this and that port on their firewall. So in 20 years, when every single program is using 
the same port because you are blocking all the other ports, how can you tell the difference? Packet inspection! But no, not always, 
not when you are using SSL etc. Oh okay, then let's disable that too, since you can't identify those packets and because we don't 
care about the collateral damage it causes anyway?

A solution I would consider okay:
Since port 25 is mostly known as belonging to SMTP, I would rather transparently proxy all outbound port 25 connections from customers to 
our outbound SMTP server instead of blocking the port directly. If the proxy was unable to detect that this was a legitimate SMTP 
connection, it would redirect to the original target instead. Now, what will happen is that your company's SMTP server will catch 
every single bot/worm spamming through SMTP. This is when the rate limit and outbound spam/virus filters should kick in. If you were 
sending more than 10 infected e-mails or you are actually spamming (yourself or not), disable the customer's internet connectivity 
and redirect port 80 requests to an information page telling the customer "you are infected, click here to download antivirus etc., 
and click here when you think you have removed the virus/stopped spamming to regain full connectivity". Viruses could automatically 
detect this, so you shouldn't make it too easy to regain internet access.
This would help your customer find out that their equipment is infected instead of being unaware of it (as they would be if you just block port 25 
instead). If the customer's laptop was infected and he/she frequently moves to other ISPs (WLAN etc.) that do not block that port, it could 
be harder to find out for both parties.


>> They now evolved, and are using user-credentials and ISP-servers. This
>> evolution means that their capabilities are severely decreased, at least
>> potentially.
>
> Has this been confirmed?  Does this new worm, in fact, use SMTP AUTH
> where necessary?  Will it also check the port that the user's computer
> is set to send mail on?  So, for instance, if SMTP AUTH is required,
> and the mail submission port is being used rather than standard port
> 25, will the worm detect all this?
>
> The nice part about SMTP AUTH, though, is that there is at least a
> direct link to the user sending the spam.  This means, of course, that
> ISP's will need to police their users a little better..  :)
>
>> It means ISP's will have to re-think their strategies, just like AOL
>> did. It also means it's once small step to victory for us. We are a long
>> way from it, and please - not everybody blocks port 25 so current-day
>> worms are more than efficient still.
>
> So I guess users will have to stop clicking that "Save Password"
> button...  That is, until the worm records the keystrokes when the
> password is entered...  *sigh*
>
>>         Gadi.
>>
>
>
> -- 
> Jason 'XenoPhage' Frisvold
> XenoPhage0 at gmail.com
>

Joergen Hovland
Joergen Hovland ENK 
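The quarantine policy sketched in the message above (count what the transparent port 25 proxy sees per customer, cut the customer off after more than 10 infected mails or at a spam-like rate, redirect port 80 to an info page, and do not make release trivially automatable) as an added example. This is not code from the original post, from the poster's company or from any ISP; the proxy log format, the recipient rate limit and window, the info-page URL and the out-of-band release token are all assumptions made for the example, and the sample log lines are constructed.

```python
"""Outbound-SMTP abuse policy for an ISP transparent port-25 proxy (added example).

Assumption: the proxy emits one log line per relayed message in the made-up format
    <ISO timestamp> cust=<customer-id> rcpt=<recipient count> av=<clean|infected>
The policy counts infected messages and recipients per customer and decides when to
quarantine a customer, i.e. redirect their port-80 requests to an information page.
"""
import hmac
import re
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) cust=(?P<cust>\S+) rcpt=(?P<rcpt>\d+) av=(?P<av>clean|infected)$"
)

INFECTED_LIMIT = 10                          # threshold named in the post: >10 infected mails
RATE_LIMIT = 200                             # assumed: recipients allowed per sliding window
WINDOW = timedelta(minutes=10)               # assumed window length
INFO_PAGE = "http://quarantine.isp.example/"  # assumed info-page URL


@dataclass
class CustomerState:
    infected: int = 0
    recent: deque = field(default_factory=deque)  # (timestamp, recipient count) per message
    quarantined: bool = False
    reason: str = ""
    release_token: str = ""


class OutboundPolicy:
    def __init__(self, infected_limit=INFECTED_LIMIT, rate_limit=RATE_LIMIT, window=WINDOW):
        self.infected_limit = infected_limit
        self.rate_limit = rate_limit
        self.window = window
        self.customers = defaultdict(CustomerState)

    def observe(self, line):
        """Feed one proxy log line; return 'allow' or 'quarantine' for that message."""
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts = datetime.fromisoformat(m["ts"])
        st = self.customers[m["cust"]]
        if st.quarantined:
            return "quarantine"  # customer is already cut off and redirected
        if m["av"] == "infected":
            st.infected += 1
        st.recent.append((ts, int(m["rcpt"])))
        # Drop messages that have fallen out of the sliding window.
        while st.recent and ts - st.recent[0][0] > self.window:
            st.recent.popleft()
        recipients = sum(n for _, n in st.recent)
        if st.infected > self.infected_limit:
            self._quarantine(st, "infected")
        elif recipients > self.rate_limit:
            self._quarantine(st, "rate")
        return "quarantine" if st.quarantined else "allow"

    def _quarantine(self, st, reason):
        st.quarantined = True
        st.reason = reason
        # The release token is handed to the customer out of band (assumed: support call),
        # so a bot that notices the info page cannot simply click itself free.
        st.release_token = secrets.token_urlsafe(16)

    def http_target(self, cust, requested_url):
        """Where a customer's port-80 request goes: the info page if quarantined, else untouched."""
        st = self.customers[cust]
        if st.quarantined:
            return f"{INFO_PAGE}?cust={cust}&reason={st.reason}"
        return requested_url

    def release(self, cust, token):
        """Restore connectivity only with the correct out-of-band token; reset counters on success."""
        st = self.customers[cust]
        if not st.quarantined or not hmac.compare_digest(token, st.release_token):
            return False
        self.customers[cust] = CustomerState()
        return True


# Constructed sample log: c1 is a normal user, c2 a bot sending infected mail one
# recipient at a time, c3 a clean but high-volume sender that trips the rate limit.
SAMPLE_LOG = (
    ["2005-02-03T19:00:00 cust=c1 rcpt=2 av=clean"]
    + [f"2005-02-03T19:{i:02d}:00 cust=c2 rcpt=1 av=infected" for i in range(12)]
    + [f"2005-02-03T19:{i:02d}:00 cust=c3 rcpt=50 av=clean" for i in range(5)]
)


def run(lines, policy=None):
    """Apply the policy to a log and return the final per-customer verdict and reason."""
    policy = policy or OutboundPolicy()
    for line in lines:
        policy.observe(line)
    return {cust: ("quarantine", st.reason) if st.quarantined else ("allow", "")
            for cust, st in policy.customers.items()}


if __name__ == "__main__":
    print(run(SAMPLE_LOG))
```

The two triggers are deliberately separate: the infected counter never decays, because a host that has shipped more than ten virus-carrying mails is compromised regardless of pace, while the recipient counter is a sliding window so a burst of legitimate mail is forgiven once it ages out.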




More information about the NANOG mailing list