karl and paul, expostulating

> > Filtering by connection to the SMTP port, based on source address, very
> > definitely DOES work.
> Filtering packets based on source address makes Ciscos go way slow on
> every packet. Filtering based on destination address makes Ciscos go
> very fast on most packets and a little slower on SYN-ACKs.

Filtering at the SMTP SERVER LEVEL has no impact on CISCOs at all!

It's also trivial. The current 8.8.x Sendmail code has provisions for it
already in the code. The hooks take about 20 seconds to install, and one
line to edit in a file to update. The impact on SMTP connections isn't even
measurable for those who don't trip it, and for those who do, you can even
return a rude message -- or a 421 error, which keeps the spam at the source
(loading the spammer's mailserver -- a GOOD thing!)


The biggest problem with this is when you have 40 machines doing
ESMTP service within a domain, spread around, coordinating changes
to the config files on all the servers is a pain in the proverbial

Having the routers pick up the list of no-no sites automatically
means that much more engineering time available for working on
more important issues, like maintaining good network connectivity.

> I operate a cooperative resource. I will not have it used against me.
> This is not negotiable. I pay for my part of the Internet and anyone
> who wants their traffic to traverse it has to make sure that I derive
> similar value, in the aggregate, to theirs when they send me traffic.

No argument -- as long as a public root server isn't there. If it wasn't
I'd be SUPPORTING your black-hole list. But it is, and as such I'm not.

I do see a problem with having a root nameserver on a line that's
paid for by Paul; if he becomes less financially solvent, and can
no longer afford to pay for his line, that nameserver becomes
unreachable. The easy answer is to have the InterNIC fund
Paul Vixie's net connection, to make sure that nameserver
will always be reachable, and pitch in for a 4700 with a
6-pack ethernet module, and a 4-pack serial module; that
way he can separate out private services on separate segments
from the public services.

> Yes, but now that I've got the eBGP feed working I'm starting to do real time
> spam reporting/detection that will cause third party unintended relays to be
> disabled while a spammer is still trying to use them. Not everyone wants to
> spend that 30 seconds, and if we don't make spamming even less profitable
> than it is now, you'll be spending that 30 seconds 15 times per hour, 24x7.

Nonsense. Why not distribute the "block the SMTP port" list instead?


Sorry about shouting, but I'd much prefer a single config change
over carrying out repeated tasks on multiple machines that for
various reasons can't share filesystems across the net.

Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service
           > 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax: [+1 312 803-4929] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

Matt Petach
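Added illustration (not code from this thread, and not Sendmail's own check_relay hooks) of the server-level check Karl describes: a small Python model of an SMTP listener that reads a one-entry-per-line blocklist file and answers a listed source with a 421 at connection time, so the message stays queued on the sender's side. The prefixes, hostname and client addresses are constructed sample values.

```python
"""Connection-time source-address check for an SMTP listener (model only).

A listed source gets a 421 (temporary failure): the sending host must
hold the message and retry, so the queue builds on the spammer's side.
A 5xx would make the sender bounce the message and be done with it.
"""
import ipaddress

# Constructed sample blocklist, in the "one line to edit in a file" form.
BLOCKLIST_FILE = """\
# hosts and prefixes we refuse mail from (constructed sample values)
192.0.2.0/24       # a dial-up pool used for relaying
198.51.100.7       # a single open relay
"""

def load_blocklist(text):
    """Parse one IP or CIDR prefix per line; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

BLOCKLIST = load_blocklist(BLOCKLIST_FILE)

def is_blocked(source_ip, blocklist=BLOCKLIST):
    """True if the connecting address falls inside any listed prefix."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in blocklist)

def greeting(source_ip, blocklist=BLOCKLIST, hostname="mail.example.net", defer=True):
    """First line the client sees: 220 to proceed, 421 (or 554) to refuse."""
    if not is_blocked(source_ip, blocklist):
        return f"220 {hostname} ESMTP ready"
    if defer:
        return f"421 {hostname} not accepting connections from {source_ip}; closing channel"
    return f"554 {hostname} connections from {source_ip} refused"

def session(source_ip, client_lines, blocklist=BLOCKLIST):
    """Replay a client's commands; a blocked source gets only the 421, nothing else."""
    replies = [greeting(source_ip, blocklist)]
    if replies[0].startswith("421"):
        return replies            # channel closed before any command is read
    for cmd in client_lines:
        verb = cmd.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.example.net")
        elif verb in ("MAIL", "RCPT"):
            replies.append("250 OK")
        elif verb == "QUIT":
            replies.append("221 mail.example.net closing connection")
            break
        else:
            replies.append("502 command not implemented")
    return replies
```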