1 edit | I don't pay for crippled access I pay for Internet Access, not crippled internet access whereby Bellsouth decides what ports I should be able to access on other systems. Personally, I think it's absurd. However, our house is served by IFITL so I don't really have any choice of going to another provider.  |
|
|
|
 RobIn Deo speramus, God Bless the USAPremium
join:2001-08-25
Kendall, FL
kudos:2 | said by dervari2:
I pay for Internet Access, not crippled internet access whereby Bellsouth decides what ports I should be able to access on other systems. Personally, I think it's absurd. However, our house is served by IFITL so I don't really have any choice of going to another provider.
Once the FCC writes up sone new tariffs for IFITL users, you'll never want to switch providers!! 
--
It is a man's own mind, not his enemy or foe, that lures him to evil ways. |
|
 japPremium
join:2003-08-10
038xx
1 edit | reply to dervari2
You are exactly right, dervari.
What respondents here are missing is blocking 25 is a blunt, dumb response that creates more problems than it solves. What are visitors to your network supposed to do? Borrow your user/pass and manually config their clients just to send an email via their own SMTP?
Blocking 25 merely forces worms & mailers to be slightly more sophisticated, it doesn't make them go away. Mail servers can function on any port; 25 is the magic mail port. I've been on 26 for almost 2 years as my SMTP provider offers it specifically to get around networks that block 25 (blocking 25 is not exactly a new practice). If I can't send via my 3rd-party SMTP provider then
> outbound is not scanned for viruses (your ISP do that?)
> outbound is not logged in traffic reports generated for me by my provider (your ISP do that?)
> I would have no fall-back option should my ISP's SMTP go down (yours ever do that?)
> I would be confined to the shiotty size restrictions of my ISP
> recipients cannot ID my traffic by user@SMTP if it doesn't routinely originate through the same SMTP
> I would have to constantly re-config my clients
The correct place to ID & filter illicit traffic at is the packet level: shaping, volume/time restrictions, header sniffing, malware scanning, time-delay holding of suspect traffic, etc, etc.. Yup it takes more brains to implement & maintain but it's also WAY more effective & cheaper in the long run. Packet-level controls also provide identification of who is doing what on the network: info that network owners should be encouraged to know & respond to rather than try to block & forget. |
|
Anon | reply to dervari2
said by dervari2:
I pay for Internet Access, not crippled internet access whereby Bellsouth decides what ports I should be able to access on other systems. Personally, I think it's absurd. However, our house is served by IFITL so I don't really have any choice of going to another provider.
I pay for Internet Access also, and don't wan't to recieve spam from clueless idiots who can't secure their computer. I pay for Internet Access also, and don't wan't my network to get DDoSED by unsecured machines. I pay for Internet Access also, and don't wan't to be scanned 10000 times a day for exploits by drones.
Only way I can see this work if they allow users to unblock ports only after taking a big survey on computer security.
Matter of fact i would PREFER them to block all worm/spam ports and allow users to take security tests to get them unblocked.
--
Linus, please save me from your followers. | COMRADEJOE for MVM (he gave me 10 bucks)! |
|
fantomposterPhantom PosterPremium
join:2002-09-21
Independence, OH | reply to jap
said by jap:
You are exactly right, dervari.
What respondents here are missing is blocking 25 is a blunt, dumb response that creates more problems than it solves. What are visitors to your network supposed to do? Borrow your user/pass and manually config their clients just to send an email via their own SMTP?
No, configure their outgoing to use your ISP's SMTP server, no username or password required. The ISP only looks at the originating IP address. If it is on their network they take it and deliver it. I have people that come here do that all the time.
In fact, they have no choice because THEIR ISP will not accept email from them unless they are on their ISP's network. For the same reason, their IP address while they are here is not on THEIR ISP's network. So their ISP refuses to relay for them. |
|
| reply to dervari2
i used to have a cable company that blocked alot of File shareing ports (From Bittorrent to Crapzza) So i would be Greatful that they are only blocking port 25.
btw, that cable company was Millennium digital media. |
|
japPremium
join:2003-08-10
038xx
3 edits | reply to fantomposter
said by fantomposter:
"No, configure their outgoing to use your ISP's SMTP server, no username or password required."
My bad: I forgot my client's authentication to it's SMTP is not the norm. I'd sure prefer everyone config'd their clients (once!) to authenticate to their chosen SMTP than be unable to talk to their SMTP unless they are on the same network. Seems terribly limiting to me. And why advocate for users having to re-config all the time? SMTP should be a controlled, buy-it-from-anyone service like anything else. This mentality of connectivity having to be married to server-based services is moldy. I get connectivity from any number of unpredictable places.
said by fantomposter:
"they have no choice because THEIR ISP will not accept email from them unless they are on their ISP's network."
You again said it better than me. But is this an intelligent architecture? Sign of a bad ISP practice, IMO. I'm arguing for increased separation of connectivity services & server services. Both the industry and user behavior long ago headed in that direction so why would trying to control traffic by crippling network capabilities be a good idea? I cannot see how that well serves longterm improvements.
The servers generate the traffic. How can port blocking be anywhere near as effective as requiring servers & server owners to deploy the controls? Remember when network admins responded to p2p traffic with port blocking? Users rapidly deployed dynamic-both-ends clients then, later, browser tunneling. It seems to me that blocking 25 just escalates the sophistication of malware & spam, thus advancing the race which will only demand more security efforts from connectivity providers.
Anyway, my SMTP practices are in the minority here, I can see that. If more ISPs block 25 it'll just push illicit traffic over to SMTP services like the one I use, not solve the problem. Makes the ISPs look like they're taking the low-route: retain the bad actors as an IP customer and restrict the freedoms of their clean customers because it's easier than buttoning up their SMTPs. |
|
fantomposterPhantom PosterPremium
join:2002-09-21
Independence, OH | said by jap:
My bad: I forgot my client's authentication to it's SMTP is not the norm.
Your client is probably doing that so that their users that travel can continue to use their own smtp while on the road, no hassles and no configuration changes. I prefer their way, and do it here. That is why visitors must use my IPS's smtp, not mine. The whole thing is a double edged sword.
quote:
You again said it better than me. But is this an intelligent architecture? Sign of a bad ISP practice, IMO. I'm arguing for increased separation of connectivity services & server services. Both the industry and user behavior long ago headed in that direction so why would trying to control traffic by crippling network capabilities be a good idea?
I do not disagree, it is a crummy set up and a crummy fix. I actually think full smtp authentication or pop before smtp is the best way to go. Then everyone can send/receive from were ever they are after only setting up once.
quote:
The servers generate the traffic. How can port blocking be anywhere near as effective as requiring servers & server owners to deploy the controls?
But the world has changed dramatically since smtp was RFC'd. No one back then thought that grandma would have a P4 3.2 direct connected to the net, with a public IP address, tons of bandwidth, unpatched and wide open for anyone to use for a spam machine. That is the person the port blocking is designed to stop.
I don't like the solution of port blocking, I only accept it as the lesser of evils. There are certainly better ways but they wont work unless we all adopt secure smtp or they rewrite smtp. And we figure out how to get grandma to patch her machine and keep virus defs up to date.
quote:
Remember when network admins responded to p2p traffic with port blocking?
I warned the entire company once, removed it from their machines and then terminated the employement of anyone that used it again. Only had to fire one person.  |
|
japPremium
join:2003-08-10
038xx
1 edit | said by fantomposter:Your client is probably doing that so that their users that travel can continue to use their own smtp
There is no "they": it's a $15/yr service I bought so I could easily network jump and gain their superior services (aforementioned SMTP, + forwarding & spam ranking of inbound).
said by fantomposter:I don't like the solution of port blocking, I only accept it as the lesser of evils. There are certainly better ways but they wont work unless we all adopt secure smtp or they rewrite smtp.
How is it that sasl would need to be universally adopted to be a security benefit? I'm a bit out of my SMTP depth here, but would it not empower the SMTP server & op to detect bad traffic & perform account-specific logging, quarantine, enforcement? I'd much rather be on a network that selectively suspended services to the IP/MAC of an infected machine but continued to serve them an IP to both comm with the owner of the infected system and facilitate that user's efforts at cleanup.
said by jap: Remember when network admins responded to p2p traffic with port blocking?
to which fantomposter  replied: I warned the entire company once, removed it from their machines and then terminated the employement of anyone that used it again. Only had to fire one person.
Yours was exactly the right approach and you are lucky to have the support of your managers. (Are you, perchance, the proprietor of this business as well as the IS person?) I've been embroiled in more than one forum dialog where many technically smart people advocated (and still do) a techno arms race between net users and net admin as the way to deal with net abuse. It's so much prideful folly. The net's a social commons and abuse won't ever be effectively dealt with by imposing restrictive access: the users just take that as a challenge to write better apps, then vendors write better admin tools, and on and on. There has to be an extra-net response by humans. It's why I see even less value than you do in the practice of port blocking: it frustrates legit use & does little to fix the abuse problem. Better to provide access, log behavior then go after abusers through social/legal channels after the fact. Far more effective. (which is why CanSpam is so disappointing: it legitimizes spamming biz by restricting victim's legal recourse).
OK, I'm off this soapbox. Gotta go deploy my overpriced SMTP relay box & start spamming adverts to BellSouth customers: any port from any IP! |
|
fantomposterPhantom PosterPremium
join:2002-09-21
Independence, OH | said by jap:
How is it that sasl would need to be universally adopted to be a security benefit?
It is part of the solution. If done that way (universally) port 25 blocking becomes a non issue for most users as they would always be sending via their homed machine. Not all, but most. That is the most common complaint I hear from home users when their ISP blocks 25. It is not that they want to run their own server, it is that they want to use an email service outside of the ISP's network.
Take away the pain and you can universally block 25 and open it up for those that request it, assuming servers are allowed in the ToS. Most of the time on cable they are not. Seems DSL does allow them, most of the time.
quote:
I'd much rather be on a network that selectively suspended services to the IP/MAC of an infected machine but continued to serve them an IP to both comm with the owner of the infected system and facilitate that user's efforts at cleanup.
Me too. But since I dont need that kind of hand holding I really object to what that would do to support costs for the ISP, and thus my bill. Don't think you need it either.
quote:
(Are you, perchance, the proprietor of this business as well as the IS person?) I've been embroiled in more than one forum dialog where many technically smart people advocated (and still do) a techno arms race between net users and net admin as the way to deal with net abuse.
No, just the IT Manager. But one that brought them out of the depths of IT hell. I replaced a guy that blew out their/our SQL accounting database, the whole history of billing....everything. And only had a two week old backup. He had done worse. So since things run great now, they run my way. We are also an advertising firm. So creatives stealing from other creatives is just plain insanity. Management was more upset than I was.
quote:
It's why I see even less value than you do in the practice of port blocking: it frustrates legit use & does little to fix the abuse problem.
That is where we will have to agree to disagree as they say. I think blocking port 25 outbound kills the spam dead on. It never leaves the network. Then open it back up for those that have a need for it. Yep, that is backwards to how we should live our life but I dont see an alternative. |
|
 nixenRockin' the BoxenPremium
join:2002-10-04
Alexandria, VA | reply to jap
said by jap:
The correct place to ID & filter illicit traffic at is the packet level: shaping, volume/time restrictions, header sniffing, malware scanning, time-delay holding of suspect traffic, etc, etc.. Yup it takes more brains to implement & maintain but it's also WAY more effective & cheaper in the long run.
CHEAPER??? By which measure???
Computationally, which is cheaper: doing a simple discard based on blacklisted source addresses or accepting ALL emails and running them through content analyzers?
I run mail servers professionally as well as at home. I can tell you which is computationally cheaper: source blocking. As a "ferinstance", I recently converted a group of fairly taxed SMTP content-filtering gateways. On average, they were running at 80% utilization. I then reconfigured them to use the DynaBlock RBL. Each one now processes about a third more deliveries per day but only runs at about 20% utilization.
Outbound portblocking is similarly cheaper. If a given ISP can prevent GB's of essentially garbage data from leaving their networks, they can get by with significantly smaller perimiter network connections. They can also better keep their peering contract costs lower. This means, in the end, they can hold off on having to raise infrastructure buildout costs (network bandwidth, etc.) to you. If every ISP similarly constrained what left their networks, then RECEIVING systems wouldn't have to assume the computational expense of content analysis.
Simply put, unless you are running an SMTP server (and most ISPs ToS forbids that, any way), you have no real reason to do outbound port 25 traffic past your connectivity provider's network borders.
-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron" |
|
nixenRockin' the BoxenPremium
join:2002-10-04
Alexandria, VA | reply to dervari2
said by dervari2:
I pay for Internet Access, not crippled internet access whereby Bellsouth decides what ports I should be able to access on other systems.
Sounds like you probably need to check your contract to find out exactly what you are entitled to and what you are not. You probably also need to check what things they reserve the right to change.
said by dervari2:
Personally, I think it's absurd. However, our house is served by IFITL so I don't really have any choice of going to another provider.
There's always choices, just not all of them are as economically attractive/viable.
-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron" |
|
japPremium
join:2003-08-10
038xx
1 edit | reply to nixen
said by nixen:
CHEAPER??? By which measure???
Computationally, which is cheaper: doing a simple discard based on blacklisted source addresses or accepting ALL emails and running them through content analyzers?
OOOps, sorry: working on reply & hit the wrong button. Coming. |
|
japPremium
join:2003-08-10
038xx | said by nixen: unless you are running an SMTP server (and most ISPs ToS forbids that, any way), you have no real reason to do outbound port 25 traffic past your connectivity provider's network borders.
Visitors and giving users access to the SMTP provider of their choice, as previously discussed. On private nets it depends on how many & what kind of visitors you have but ISPs should neither force their users to use only the ISP's SMTP (often crappy) nor make it difficult for my visiting users to use the SMTP already configured into their installed clients.
said by nixen: CHEAPER??? By which measure???
Computationally, which is cheaper: doing a simple discard based on blacklisted source addresses or accepting ALL emails and running them through content analyzers?
For near-term cash outlays the former, of course, which is why I said "in the long term". My dialogs here with fantomposter have me mostly convinced that blocking of 25out may be a necessary short-term evil while ISPs implement better responses to malware & spam traffic - though there's little indication that most are poised to pursue better responses.
In an ISP environment the problem of overwhelming malware traffic will not go away until net admins deploy means for automatic (read: cheap & fast) identification of + communication with users of + partial suspension of services to bad acting machines. The reason 25out blockage rubs me wrong is it's a way to put out fires at the expense of network capability. Yes, as you say, it keeps bad traffic from crossing the expensive perimeter but it does nothing to stem the flow internally - except motivate the hijackers of the already compromised machines to install a workaround for the 25block. ISPs have got to go after and try to reduce the number of compromised machines rather than turning a blind port to them.
It should be the goal of all but the most private of networks to work towards allowing users seamless movement on & off the network without disrupting functionality. There are both hidden and unforeseeable costs to neutering functionality. Eventually users will demand something that forces providers to undo their neuter and re-enter the learning curve of how to cope with the exposure. In the case of SMTP services I think that means ISPs who ignore the source of bad traffic and merely block 25out will irritate some users, loose others, gain only a window of relief from abuse, then have to play catch-up to competitors that deployed authentication + traffic analysis to clean-up their traffic. Pissed off users generate all kinds of difficult to measure & unknowable costs and diminishing the quality of life (as they should). That's why I argue for avoiding blocks as a solution; a quick fix maybe but not a solution. |
|
