Back in the olden days, a spammer would set up a server with a fast
broadband connection and a dialup connection, and send out lots of
spam over the broadband connection using the dialup's IP address. Since
mail traffic is quite asymmetric, this got them most of the broadband
speed, and when the dialup provider cancelled their service, they could
just dial into someone else. Or maybe work through that giant pile of
AOL CD-ROMs we all had. The broadband provider often wouldn't notice
since it wasn't their IP and they didn't get the complaints.
Is this still a thing? Broadband providers fixed this by some
combination of filtering port 25 traffic both ways, and BCP38 so you
can only send packets with your own address. Do providers do both of
these? More of one than the other? TIA.
Not this exact scenario, but what we see a lot of in my VPS company is people sending spam by using our VPS' source addresses, but routing outbound via some kind of tunnel to a VPN provider or similar in order to bypass our port 25 blocks.
We've had to start blocking source port 25 to catch the replies from the recipient mail servers in order to prevent this kind of abuse.
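The two controls the original question asks about, and the source-port-25 block described in the reply above, can be modelled as one edge filter. This is an added example, not code from anyone in the thread: a small Python packet classifier that applies strict source-address validation (BCP38 / strict uRPF) to packets arriving from customer interfaces, blocks outbound TCP to port 25 except from an allowlisted mail host, and drops inbound replies from source port 25 so that a SYN smuggled out through a tunnel never completes its handshake. The interface names, prefixes, allowlist and sample packets are constructed for the example (addresses are from documentation ranges).

```python
import ipaddress
from dataclasses import dataclass

# Constructed assignment table (not a real provider's): which source prefixes
# may legitimately appear on packets arriving from each customer interface.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed allowlist: customer hosts permitted to speak SMTP to the world,
# e.g. a real mail server whose owner asked for the port-25 block to be lifted.
SMTP_ALLOWED = {"203.0.113.25"}
SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on ("cust-a", "cust-b", "uplink")
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


def bcp38_allows(pkt: Packet) -> bool:
    """Strict source-address validation at the customer edge (BCP38 / strict uRPF):
    a packet arriving from a customer interface must carry a source address from
    that customer's own prefixes. Anything else is treated as a spoofed source."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in prefix for prefix in CUSTOMER_PREFIXES.get(pkt.in_iface, []))


def classify(pkt: Packet) -> tuple[str, str]:
    """Return (action, reason) for one packet.

    Packets from a customer interface get the BCP38 check first, then the
    outbound port-25 block. Packets from the uplink get the inbound
    source-port-25 block: a SYN that left through a tunnel still draws the
    recipient MX's SYN-ACK back to the customer address directly, so dropping
    replies from source port 25 breaks the handshake.
    """
    from_customer = pkt.in_iface != "uplink"
    if from_customer:
        if not bcp38_allows(pkt):
            return ("drop", "bcp38-spoofed-source")
        if pkt.proto == "tcp" and pkt.dport == SMTP_PORT and pkt.src not in SMTP_ALLOWED:
            return ("drop", "smtp-outbound-blocked")
    else:
        if pkt.proto == "tcp" and pkt.sport == SMTP_PORT and pkt.dst not in SMTP_ALLOWED:
            return ("drop", "smtp-reply-blocked")
    return ("forward", "ok")


# Constructed sample traffic.
SAMPLE = [
    # 1. ordinary customer web traffic: forwarded
    Packet("cust-a", "203.0.113.10", "192.0.2.80", "tcp", 51000, 443),
    # 2. the dialup-address trick from the original post: customer A sources a
    #    packet with an address it was never assigned
    Packet("cust-a", "198.51.100.7", "192.0.2.25", "tcp", 51001, 25),
    # 3. direct-to-MX SMTP from an unapproved customer host
    Packet("cust-a", "203.0.113.10", "192.0.2.25", "tcp", 51002, 25),
    # 4. the approved mail server doing the same thing
    Packet("cust-a", "203.0.113.25", "192.0.2.25", "tcp", 51003, 25),
    # 5. the tunnel trick: the SYN went out elsewhere, the recipient MX's
    #    SYN-ACK comes back over the uplink with source port 25
    Packet("uplink", "192.0.2.25", "203.0.113.10", "tcp", 25, 51004),
    # 6. the same kind of reply headed to the approved mail server
    Packet("uplink", "192.0.2.25", "203.0.113.25", "tcp", 25, 51005),
]


def run_sample() -> list[tuple[str, str]]:
    """Classify every constructed sample packet, in order."""
    return [classify(p) for p in SAMPLE]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE, run_sample()):
        print(f"{pkt.in_iface:7} {pkt.src:>14} -> {pkt.dst:<14} "
              f"{pkt.proto}/{pkt.sport}->{pkt.dport:<5} {action:7} {reason}")
```

The BCP38 check runs before the port checks on purpose: a spoofed-source packet should be dropped regardless of port, and logging the reason separately lets an operator see whether a customer is spoofing, spamming directly, or collecting replies for a tunnelled session.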
My home wifi AP blocked me two different ways, but once I got around that, I was able to determine that Spectrum cable Internet does appear to block spoofed source traffic.
I also would hope that uRPF was enabled by default on SOHO routers.
And yet ... I'm routinely disappointed.
CAIDA has a Spoofer probe project that tests this very thing. I see periodic announcements to various mailing lists about their monthly results. -- I'll find one if you care to know more.
Not this exact scenario, but what we see a lot of in my VPS company is people sending spam by using our VPS' source addresses, but routing outbound via some kind of tunnel to a VPN provider or similar in order to bypass our port 25 blocks.
I'd be curious what VPN providers they are using so that I could start blocking them. That seems like another player in the criminal support ecosystem.
We've had to start blocking source port 25 to catch the replies from the recipient mail servers in order to prevent this kind of abuse.
If I had to put money on it, it's not VPN providers but other VPS
providers. VPN providers don't have enough business that anyone cares
about to avoid getting killed over BCP38 non-compliance.
It's trivial to turn a $5 VPS into a disposable VPN head-end that can
spray TCP SYN packets at a modest rate, and once the packet is on the
backbone somewhere in the world not only can't you do anything about
it, it's just on the near side of impossible to figure out where it
originally entered.
Unless you want to start handing out BGP AS death penalties to entire
"tier 1's" who don't instrument their reciprocal peering connections
well enough for third parties to trace the source of spoofed packets.
Which is 100% of everyone right now. That sort of instrumentation
would be darn expensive.
Come to think of it, there are probably botnets for rent where the
"owner" has verified non-compliance with BCP38 and will arrange for X
number of fresh machines spread across everywhere to VPN into your
server and pass packets for you. Why not bring in a little extra cash
while waiting for the next DDoS target? Particularly when the packets
emitted are unlikely to be traceable to the bot.