quietly....

Owen DeLong owen at delong.com
Sat Feb 5 07:56:03 UTC 2011


On Feb 4, 2011, at 7:25 PM, George Bonser wrote:

>> 
>> Yeah, I threw it in as an afterthought. ISP firewalls do exist and not
>> just small isolated incidents. I wish more money had gone into making
>> them much more adaptive, then you could enjoy your tcp/25 and possibly
>> not have a problem unless your traffic patterns drew concerns and
>> caused
>> an adaptive filter to block it (eh? thousands of emails suddenly to a
>> variety of servers? block). Interestingly, adaptive filters are often
>> used for probing scans (and we didn't apply them to tcp/25, why?)
>> 
>> 
>> Jack
> 
> Maybe because it is just easier to do a transparent redirect to the ISPs
> mail server and look for patterns there.  Some customer drops a
> bazillion email messages from a bazillion From: addresses in 14.7
> seconds ... chances are you have a spam candidate.  If the spam filter
> flags a lot (all?) of the messages as possible spam, queue them to the
> quarantine until someone can have a look and if they are, dismiss the
> customer and send them up the road OR inform them that they are possibly
> bot-net infected and block access to port 25 from them until they get it
> cleaned up.
> 
> 

The problem is some providers get a little too zealous and not only
break port 25 (which is just mildly annoying), but, also break 587
and in rare cases 465 as well.

Since I use SMTP+TLS to connect back to my mail server and
use STMPAUTH to send my mail, hotels and conference centers
that do this prove to be an annoying hurdle to doing something
useful.

The worst one I encountered was a JetStar lunch in Adelaide.

They not only blocked 25, 465, 587, etc. They blocked everything
except 80 and 443.

I resorted to using an SSH client on my iPad over 3G to log into my
server and start an SSH daemon on port 443 on an additional IP
address I assigned. After that, I was able to use SSH tunnels for
everything else.

I don't know what a less technical user would to do use their
lounge to actually use the internet. Just one more item in a long
list of reasons I will _NEVER_ do business with JetStar again
and will avoid Qantas unless I have no choice (since they own
JetStar).



Owen





More information about the NANOG mailing list