ISP port blocking practice

Franck Martin franck at genius.com
Mon Sep 6 01:13:35 UTC 2010


In many countries, the presence of bots consumes a non-trivial amount of bandwidth. In developing countries, this is a non-trivial amount of $$$ (http://mobile.slashdot.org/story/10/09/05/1620212/UN-Tech-Group-Finds-Most-Expensive-Broadband)

Blocking port 25 helps identify which hosts are consuming bandwidth (likely to have a bot). Identifying and removing these hosts from the network is crucial and economically viable; unfortunately, these are skills sometimes not available in such countries.

Just saying...

----- Original Message -----
From: "Patrick W. Gilmore" <patrick at ianai.net>
To: "North American Operators' Group" <nanog at nanog.org>
Sent: Monday, 6 September, 2010 12:11:16 PM
Subject: Re: ISP port blocking practice

Composed on a virtual keyboard, please forgive typos. 

On Sep 6, 2010, at 1:36, Claudio Lapidus <clapidus at gmail.com> wrote:

> Hello all,
> 
> On Fri, Sep 3, 2010 at 11:30 PM, Ricky Beam <jfbeam at gmail.com> wrote:
>> 
>> If I block port 25 on my network, no spam will originate from it.
>> (probably) The spammers will move on to a network that doesn't block their
>> crap.  As long as there are such open networks, spam will be rampant.  If,
>> overnight, every network filtered port 25, spam would all but disappear.
>>  But spam would not completely disappear -- it would just be coming from
>> known mailservers :-)  thus enters outbound scanning and the frustrated user
>> complaints from poorly tuned systems...
>> 
> 
> That probably won't be the case. Here recently we conducted a rather
> comprehensive analysis on DNS activity from subscribers, and we've
> found that in IP ranges that already have outgoing 25 blocked we were
> still getting complaints about originating spam. It turned out that
> the bots also know how to send through webmail, so port 25 blocking
> is rendered ineffective there.

I believe you have confused "not 100% effective" with "ineffective".  And webmail is but one additional vector.  Bots know how to use smarthosts, corporate e-mail, triangulation, etc.  If you gave up on each because one step did not solve the problem, you would have no chance at a solution. 

When you unblocked port 25, did spam complaints go up or down?  There are a great many providers who have evidence that port 25 blocking lowers complaints even if there are bots that know their way around it. 

Second, assume you can wave a magic wand and block all webmail access.  Do you honestly believe the bots will not use port 25 to send spam directly?

Security requires layers.  And it is a bit shocking how many people do not realize this.

-- 
TTFN,
patrick
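
An added example, not part of either message: one way to turn the drops from an outbound port 25 block into a short list of subscriber hosts to investigate, as the top reply suggests. The iptables-style log lines, the `SMTP-OUT-DROP` prefix, the addresses and the distinct-destination threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: iptables-style LOG lines for dropped outbound traffic.
# The "SMTP-OUT-DROP" prefix and every address are made up for this example.
SAMPLE_LOG = """\
Sep  6 01:10:02 gw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=192.0.2.25 PROTO=TCP SPT=40112 DPT=25
Sep  6 01:10:02 gw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.7 PROTO=TCP SPT=40113 DPT=25
Sep  6 01:10:03 gw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=203.0.113.40 PROTO=TCP SPT=40114 DPT=25
Sep  6 01:10:03 gw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=203.0.113.99 PROTO=TCP SPT=40115 DPT=25
Sep  6 01:11:40 gw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=10.0.9.3 DST=192.0.2.110 PROTO=TCP SPT=51000 DPT=25
Sep  6 01:12:40 gw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=10.0.9.3 DST=192.0.2.110 PROTO=TCP SPT=51001 DPT=25
Sep  6 01:13:40 gw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=10.0.9.3 DST=192.0.2.110 PROTO=TCP SPT=51002 DPT=25
Sep  6 01:14:00 gw kernel: OTHER-DROP IN=eth1 OUT=eth0 SRC=10.0.2.2 DST=192.0.2.5 PROTO=TCP SPT=33000 DPT=445
"""

LINE_RE = re.compile(
    r"SMTP-OUT-DROP .*?SRC=(\S+) DST=(\S+) .*?PROTO=TCP .*?DPT=(\d+)"
)

def summarize(log_text):
    """Return {src: (attempts, distinct_destinations)} for blocked port 25 traffic."""
    attempts = defaultdict(int)
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(3) != "25":
            continue  # not a blocked outbound SMTP attempt
        src, dst = m.group(1), m.group(2)
        attempts[src] += 1
        dests[src].add(dst)
    return {src: (attempts[src], len(dests[src])) for src in attempts}

def likely_bots(summary, min_dests=3):
    """Sources that tried many different mail servers (direct-to-MX pattern).

    A mail client misconfigured to use port 25 keeps retrying one server,
    so it stays below the threshold. min_dests=3 is an assumed value.
    """
    flagged = [src for src, (_, n) in summary.items() if n >= min_dests]
    return sorted(flagged, key=lambda src: summary[src], reverse=True)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src in likely_bots(summary):
        print(src, "attempts=%d distinct_dests=%d" % summary[src])
```

Hosts that send through webmail or a smarthost never appear in these drops, which is the thread's point about needing more than one layer.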





