Cloud service [was: RE: EC2 and GAE means end of ip
Joel M Snyder
Joel.Snyder at Opus1.COM
Mon Jun 23 23:32:18 CDT 2008
> Date: Mon, 23 Jun 2008 20:47:17 -0700
> From: Joel Jaeggli <joelja at bogus.com>
> Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip
> address reputation industry? (Re: Intrustion attempts from Amazon EC2
> To: frnkblk at iname.com
> Cc: nanog at merit.edu
> Message-ID: <48606E45.8000100 at bogus.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> the argument in this thread however (which I more or less subcribe to)
> is that in the future an ip address is insufficient granularity for mail
> /badness filtering. Frankly it's not just computer clouds but also
> address pressure, a million hosts behind a /24 are going to be rather
> hard to pick out one at a time. ultimately the ability blackhole based
> on something as gross as the source ip address is going to be
> insufficiently fine grained for devices that must accept connections
> from the internet at large.
Ummm, probably not as big of a problem as you might think it is. From the point
of view of an email administrator, those million hosts behind the /24 are all
going to be on the Spamhaus PBL (policy block list) and it doesn't matter
whether there are 10 or 10,000 or 10,000,000 hosts if the ISP has said "these
are residential subscribers and they shouldn't be sending mail." Whether you
believe in PBL or not, generally, it's going to be end users who are clustered
behind those NATs more so than MTAs. Similarly, I don't see a huge incentive
for someone to move their MTA to services like EC2--although anti-spam services
'in the cloud' like Postini are very popular, but that's a different issue.
In our month-by-month anti-spam testing over the past 3 years, the number of
unique email senders (MTAs, not individuals mind you) has actually dropped a
bit; if you use the domain name as exposed in HELO/EHLO, it's dropped even more.
While there will always be small MTAs out there handling small numbers of
people, the trend has been to throttle that mail through larger systems.
Sometimes this is done transparently/semi-transparently by the ISP ("you will
send your mail through our SMTP server") using either a simple port 25 block or
something like transparent destination NAT/WCCP. In other cases, this happens
because small companies are discovering that their oh-so-exciting Exchange
server is more of a pain in the ass than using commercial Gmail or whatever.
SMTP is a special case in this discussion, I'll immediately admit. The number
of hosts offering up web pages (assuming you want to filter for malware of some
sort) is going nothing but up. Reputation services will be more challenged in
that environment than in the SMTP environment.
>> I don't know if spammers are going to be using TLS in a big way soon, though
>> I'll admit I've not measured.
> A couple years ago, when my former employer turned on tls support on the
> outwardly facing mta's about 10% of our incoming smtp connections
> immediately started using it after ehlo. That's not something I've kept
> track of but I imagine it's an issue.
Today's number for delivery using SSL by our mail cluster is 7% of just shy of
80K messages. Goes up, goes down, but definitely non-zero.
>> As long TLS usage is low, examining TCP port
>> 25 traffic would likely be effective without redirecting SMTP traffic and
>> making it effective for all customers downstream.
That actually turns out to be a non-problem from the SMTP point of view. A
"mean" ISP could simply intercept the response to EHLO and drop out the TLS
capability string. A "nice" ISP could simply make up a certificate on the fly.
Since SMTP senders don't have a GUI box to click during the SMTP transaction
when a certificate doesn't check out, most (read as: all configured with default
settings) of them simply send anyway even if the certificate smells like
week-old fish. Put it another way: I ran (accidentally) for two years with an
expired certificate on one of our mail servers and didn't get a single peep
about misbehaving mail.
But most of this discussion has been about reputation services, and of course
those operate beautifully with or without TLS in the SMTP case.
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms at Opus1.COM http://www.opus1.com/jms
More information about the NANOG