<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: Public pressure works against prominent companies in </title>
<link>http://www.dslreports.com/forum/r12799689</link>
<description></description>
<language>en</language>
<pubDate>Sat, 28 Nov 2009 09:10:01 EDT</pubDate>
<lastBuildDate>Sat, 28 Nov 2009 09:10:01 EDT</lastBuildDate>

<item>
<title>Re: Public pressure works against prominent compan</title>
<link>http://www.dslreports.com/forum/remark,12810522</link>
<description><![CDATA[<A HREF="/useremail/u/533476"><b>robscullion</b></A> : That rhyolite link is great! I agree...it should definitely be required reading.<br><br>I'd say lurking in NANAE (&raquo;<A HREF="http://groups-beta.google.com/group/news.admin.net-abuse.email" >groups-beta.google.com/group/new&middot;&middot;&middot;se.email</A>) for a month should be considered required as well, but that'd fall into the category of "cruel and unusual punishment".]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12810522</guid>
<pubDate>Wed, 02 Mar 2005 12:17:41 EDT</pubDate>
</item>

<item>
<title>Re: Public pressure works against prominent compan</title>
<link>http://www.dslreports.com/forum/remark,12810401</link>
<description><![CDATA[<A HREF="/useremail/u/533476"><b>robscullion</b></A> : Just for the sake of argument, I think you'd have to also block any direct outbound DNS queries from the zombies (client PCs) to outside DNS servers in order to make this at all feasible. Otherwise, the zombies could just skip the local DNS server and do an end-run around the whole system by querying the remote DNS servers directly.<br><br>But isn't the point here that the referenced spam software is sending via the zombie ISP's SMTP server? In that case, there's no MX DNS query involved. I don't even see how you can really differentiate the zombie software from the legitimate user. The zombie just sends to the ISP's SMTP server and that server takes care of all the forwarding for it.<br><br>Maybe if all ISPs forced authentication for sending even from within their own network it would put a dent in Send Safe type systems. Does this Send Safe stuff steal auth info from the user's local legit email software? If so, I guess that'd be a dead end as well. Otherwise, going to a system that requires authentication over a secure channel for sending email might at least curb the effectiveness of this particular method.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12810401</guid>
<pubDate>Wed, 02 Mar 2005 12:02:17 EDT</pubDate>
</item>

<item>
<title>Re: Public pressure works against prominent compan</title>
<link>http://www.dslreports.com/forum/remark,12810001</link>
<description><![CDATA[<A HREF="/useremail/u/932022"><b>pcscdma</b></A> : <div class="bquote"><SMALL>said by Mr Pilkington:</SMALL><br><br>... and hoping others will do the same in return.<br> </DIV>That's the hard part.<br><br>:p]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12810001</guid>
<pubDate>Wed, 02 Mar 2005 10:57:51 EDT</pubDate>
</item>

<item>
<title>Re: Public pressure works against prominent compan</title>
<link>http://www.dslreports.com/forum/remark,12808076</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Ha ha ha - I don't think it's even near the final solution against spam.  I do think it's one that hasn't been tried yet.<br><br>Matchstick - You *do* allow your mail server to look up outside MXs.  You just don't allow any other IP range(s) to do the same.  And, your DNS server would allow anyone to request its own records.  For example, if you are bob.com, anyone can pull the bob.com MX records.  However, if a bob.com user's IP wants joe.com's MX address, the request is denied.  If bob.com's email server wants joe.com's MX, it's allowed.<br><br>pcscdma - Your description is correct.  However, the spambots do that entire process on your machine;  they're their own mail server.  That's why they shouldn't have access to MX records in the first place.<br><br>pog - There would be no true "whitelist" to manage and actually not much "management" at all.  Simply block MX records from all except a few subnets or IP ranges. <br><br>I don't think anyone is thinking far enough into it before instantly deeming it useless.  You're not blocking *your* MX records from outside sources.  You're preventing your users' PCs from obtaining outside MX's and hoping others will do the same in return.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12808076</guid>
<pubDate>Wed, 02 Mar 2005 01:24:25 EDT</pubDate>
</item>

<item>
<title>Re: Public pressure works against prominent compan</title>
<link>http://www.dslreports.com/forum/remark,12802856</link>
<description><![CDATA[<A HREF="/useremail/u/1018019"><b>pog</b></A> : a) compiling and maintaining the required whitelist is not some trivial task.  I'd think it's cumbersome/tedious/problematic enough that that alone would deter anyone from going for it.<br><br>b) what about the case where an ISP's caching DNS server is used by more than one class of user (ie residential, business users, their own mail servers, etc).  How will you decide which request you will honor and which you won't?  Perhaps you're thinking to force each mail server into running their own local DNS?<br><br>c) this doesn't seem much different than existing firewalling/blocklisting <B>except</B> that your protection is indirect... it wouldn't take much for an attacker to learn the IP address of the intended victim and then feed it manually to the zombies and then... what?  The path is clear?<br><br>So... <B>no</B>... your approach would be far more ineffective, restrictive and inconvenient than an outbound/off-net block of port 25 traffic which does a better job of destroying a zombie's SMTP abilities.  Of course, we don't need to rehash the pros/cons of port 25 blocking here... that's another topic altogether.<br><br>Perhaps, the following should be required reading :)<br>&raquo;<A HREF="http://www.rhyolite.com/anti-spam/you-might-be.html" >www.rhyolite.com/anti-spam/you-might-be.html</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12802856</guid>
<pubDate>Tue, 01 Mar 2005 15:51:36 EDT</pubDate>
</item>

<item>
<title>Re: Public pressure works against prominent compan</title>
<link>http://www.dslreports.com/forum/remark,12801426</link>
<description><![CDATA[<A HREF="/useremail/u/932022"><b>pcscdma</b></A> : I thought that MX records were for telling SMTP servers where to send the mail.<br><br>I'll send a mail to someone at dslreports.com using my ISP<br>My email client is configured to send stuff to mail.mchsi.com<br>My email client looks up mail.mchsi.com using my ISP's DNS lookup servers 204.127.202.4 or 216.148.227.68<br>It either finds it in the cache or tells me to go to the DNS server for that domain or does it itself (confused on how this part works)<br>My email client connects to 204.127.203.151 and sends the message<br>mail.mchsi.com (204.127.203.151) sees that I'm sending something to dslreports.com<br>mail.mchsi.com (204.127.203.151) looks up the DNS server of dslreports.com or finds it in cache using its DNS server (probably the same as mine)<br>It looks to see if there is an MX record and if it finds one it uses it and looks up the IP address of them using DNS because the addresses are URLs<br>It tries the lowest priority number and goes up until it connects to one<br>If it doesn't find an MX record it just uses the web server (209.123.109.175)<br>It connects using one of the methods above and sends it on its way<br><br>This is at least how I understand it.<br><SMALL>--<br>"The bad news is that we are told that Michael Powell, one of Washington's better bureaucrats, is calling it quits today after four years at the helm of the Federal Communications Commission." - WSJ 2005/01/21</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12801426</guid>
<pubDate>Tue, 01 Mar 2005 13:05:37 EDT</pubDate>
</item>

<item>
<title>Re: Public pressure works against prominent compan</title>
<link>http://www.dslreports.com/forum/remark,12800731</link>
<description><![CDATA[<A HREF="/useremail/u/471549"><b>Matchstick</b></A> : Errrm I'm no DNS expert but AIUI, if a SMTP server asks a DNS server for an MX record for which it is non-authoritative, the only way for the DNS server to find the MX record is to request it from a DNS server which *is* authoritative for the domain.<br><br>So if this is correct, you HAVE to continue to allow DNS requests for MX records from outside a small ACL of IPs.<br><br>And then how can the authoritative DNS server easily tell the difference between a legitimate request from a non-authoritative DNS server and a request direct from a zombied PC ?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12800731</guid>
<pubDate>Tue, 01 Mar 2005 11:43:34 EDT</pubDate>
</item>

<item>
<title>Re: Public pressure works against prominent compan</title>
<link>http://www.dslreports.com/forum/remark,12800558</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Again, allow me to point out that the "zombie networks" would be completely ineffective if a DNS server refused all local MX record requests except from its own mail servers.  Regular users have no need for MX lookups except for serving spam.<br><br>MX requests from "the world" would be answered only for domains for which the server is authoritative.  The only machines that could request any MX record would be those IPs listed in a conf file -- like your mail and web servers for example.<br><br>Think about it - it's much less restricting and inconvenient than a blanket filter on port 25.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12800558</guid>
<pubDate>Tue, 01 Mar 2005 11:22:15 EDT</pubDate>
</item>

<item>
<title>Re: Public pressure works against prominent compan</title>
<link>http://www.dslreports.com/forum/remark,12799724</link>
<description><![CDATA[<A HREF="/useremail/u/732594"><b>ronpin</b></A> : :><div class="borderless"><TABLE WIDTH=95% align=center border=0 CELLPADDING=4"><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#000000 nwrap WIDTH=33%><A HREF="/speak/slideshow/12799724?c=783267&ret=L2ZvcnVtL3IxMjc5OTY4OS54bWw%3D"><IMG TITLE="6446 bytes" BORDER=0 WIDTH=175 HEIGHT=131 SRC="/r0/download/783267~a2327f6b1c7614314df40001ce26382e/Bernie.jpg"></A><br>Meet my new Board of Directors, capishe?</TD><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#000000 nwrap COLSPAN=2 WIDTH=66%><A HREF="/speak/slideshow/12799724?c=783268&ret=L2ZvcnVtL3IxMjc5OTY4OS54bWw%3D"><IMG TITLE="27375 bytes" BORDER=0 WIDTH=350 HEIGHT=230 SRC="/r0/download/783268~2e932e05fab7c234a228d055876cb81a/tony.jpg"></A><br>Spam? -- I dun see no spam here eh Tony?</TD></TABLE></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12799724</guid>
<pubDate>Tue, 01 Mar 2005 09:21:15 EDT</pubDate>
</item>

<item>
<title>Re: Public pressure works against prominent companies</title>
<link>http://www.dslreports.com/forum/remark,12799697</link>
<description><![CDATA[<A HREF="/useremail/u/141383"><b>Karl Bode</b></A> : Only when it's blatantly obvious to even the dimmest that what they're doing is wrong.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12799697</guid>
<pubDate>Tue, 01 Mar 2005 09:16:55 EDT</pubDate>
</item>

<item>
<title>Re: Public pressure works against prominent companies</title>
<link>http://www.dslreports.com/forum/remark,12799689</link>
<description><![CDATA[<A HREF="/useremail/u/610550"><b>RR Conductor</b></A> : Sometimes.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12799689</guid>
<pubDate>Tue, 01 Mar 2005 09:15:57 EDT</pubDate>
</item>

<item>
<title>Public pressure works against prominent companies</title>
<link>http://www.dslreports.com/forum/remark,12799684</link>
<description><![CDATA[<A HREF="/useremail/u/594412"><b>TKJunkMail</b></A> : Public pressure often works against prominent companies. Secondary income sources that are kind of sleazy can often be squashed because a company like MCI fears losing their more lucrative primary business.<br><br><A HREF="http://tinyurl.com/4zmr3"><B>My Web Page</B></A><BR><A HREF="http://spaces.msn.com/members/tkjunkmail/"><B>My Blog</B></A><BR><A HREF="http://tinyurl.com/5eurx"><B>Join Red Room Forum</B></A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,12799684</guid>
<pubDate>Tue, 01 Mar 2005 09:15:11 EDT</pubDate>
</item>

</channel>
</rss>
