why IPv6 isn't ready for prime time, SMTP edition

Rich Kulawiec rsk at gsp.org
Wed Mar 26 12:36:10 UTC 2014


On Tue, Mar 25, 2014 at 11:35:57PM -0000, John Levine wrote:
> It has nothing to do with looking down on "subscribers" and everything
> to do with practicality.  When 99,9% of mail sent directly from
> consumer IP ranges is botnet spam, and I think that's a reasonable
> estimate, [...]

Data point: it's an extremely reasonable estimate.  If anything, though,
it's an underestimate: the actual rate has several more 9's in it.

And if the sending host (a) has generic rDNS and/or (b) fingerprints
as Windows, then it approaches 100% so closely as to not be worth
arguing about.

There is no point in performing any checks other than these on
SMTP connections from such hosts.  There is no reason to permit the
conversation to continue to the DATA stage and to scrutinize the message
contents.  These actions are both wasteful and superfluous.  The only
correct action to take at this point is to issue an SMTP reject and
end the conversation.

It's a pity that this is true.  But a decade-plus after the botnet
problem became well-known, I can't name an ISP which has developed and
deployed an effective mitigation strategy against them.  So far it's been
band-aids (blocking port 25) and PR (press conferences and initiatives
and task forces etc.).  ("botnet takedowns" are meaningless fluff and
merely fodder for self-congratulatory press conferences.  All those
systems in the botnet are still compromised.  All those systems are
still vulnerable to the same attack vectors that resulted in their
initial compromise.  And quite likely before the ink is dry on the
accompanying press release, other botnet operations will harvest them
for use in their own operations.  Meet the new boss, same as the old boss.)

---rsk
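The connect-time policy described above (reject consumer-range hosts with generic rDNS or a Windows fingerprint before HELO, never reaching DATA), written out as an added Python example; this is not rsk's code or anything from the NANOG thread. It assumes RFC 5737/3849 documentation prefixes as stand-ins for an operator's consumer ranges, a constructed set of rDNS patterns, and an OS label that would come from a passive fingerprinter such as p0f; the sample connections are constructed.

```python
import ipaddress
import re
import socket
from typing import Iterable, Optional, Tuple

# Constructed stand-in for consumer/dynamic address space (documentation
# prefixes); a real deployment would load the operator's own lists here.
CONSUMER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:dead::/48"),
]

# Illustrative heuristics for "generic" rDNS: a PTR that encodes the address
# or the access technology instead of naming a deliberate mail host.
GENERIC_RDNS_PATTERNS = [
    re.compile(r"(\d{1,3}[-.]){3}\d{1,3}"),                     # 203-0-113-7 / 203.0.113.7
    re.compile(r"\b(dyn|dynamic|dhcp|pool|ppp|dsl|cable|dialup)\b", re.IGNORECASE),
    re.compile(r"\b[0-9a-f]{8}\b", re.IGNORECASE),                 # cb007107 (hex IPv4)
    re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE),                # hex-nibble IPv6
]


def is_generic_rdns(ptr_name: Optional[str]) -> bool:
    """True when the PTR is missing or looks auto-generated for an access pool."""
    if not ptr_name:
        return True
    return any(p.search(ptr_name) for p in GENERIC_RDNS_PATTERNS)


def lookup_ptr(ip: str) -> Optional[str]:
    """Live reverse lookup (network call; the offline sample passes PTRs in directly)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def in_consumer_space(ip: str, ranges: Iterable = CONSUMER_RANGES) -> bool:
    """Address-family aware membership test; v4 addresses never match v6 nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def connect_policy(ip: str, ptr_name: Optional[str],
                   os_fingerprint: Optional[str] = None) -> Tuple[bool, str]:
    """Decide at connection time whether to talk SMTP at all.

    os_fingerprint is assumed to be a label from a passive fingerprinter
    (e.g. p0f); 'windows' is the one the post singles out.  A 554 greeting
    is the RFC 5321 way of saying "no SMTP service here" without reading
    HELO, MAIL FROM or DATA, which is the point of the post.
    """
    if not in_consumer_space(ip):
        return True, "220 mx.example.net ESMTP"
    generic = is_generic_rdns(ptr_name)
    windows = (os_fingerprint or "").lower() == "windows"
    if generic or windows:
        reason = "generic rDNS" if generic else "desktop OS fingerprint"
        return False, f"554 5.7.1 Mail from consumer address space with {reason} is not accepted"
    # Consumer range, but a named host with a non-desktop fingerprint:
    # let it through to the normal post-connect checks.
    return True, "220 mx.example.net ESMTP"


# Constructed sample connections for the offline demonstration.
SAMPLE_CONNECTIONS = [
    ("203.0.113.7",      "203-0-113-7.dyn.isp.example",             "windows"),  # generic + Windows
    ("203.0.113.8",      None,                                      "linux"),    # no PTR at all
    ("203.0.113.9",      "smtp.smallbiz.example",                   "linux"),    # named host
    ("203.0.113.10",     "smtp.smallbiz.example",                   "windows"),  # named, but desktop OS
    ("2001:db8:dead::1", "2001-db8-dead-0-0-0-0-1.dyn.isp.example", None),       # IPv6 pool
    ("198.51.100.25",    "mx.corp.example",                         "linux"),    # not consumer space
]


def run_sample() -> dict:
    """Map each sample client to its (accept, reply) decision."""
    return {ip: connect_policy(ip, ptr, fp) for ip, ptr, fp in SAMPLE_CONNECTIONS}


if __name__ == "__main__":
    for ip, (accepted, reply) in run_sample().items():
        print(f"{ip:<18} {'ACCEPT' if accepted else 'REJECT'}  {reply}")
```

The decision runs on the connecting address and its PTR only, so the reject costs one DNS lookup and a single 554 line rather than a full transaction; the heuristics are deliberately simple and would be tuned against an operator's own rDNS naming.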