.. and if it has been tried, have you noticed any issues with this?
Please consider the situation of net abuse with the source address
being an infected PC on a dialup pool that has port 25 filtering
enabled.
This sequence below is summarized from a post by an ISP admin on
another list that I read.
1) SYN - Worm emails / spam goes out from another provider, with the
source address spoofed to be the IP of a trojaned PC
2) ACK - Receiving network sends an ACK back to the forged source IP,
and the trojan on that IP proxies this back to the actual spam source.
3) SYNACK - sent by the actual spam source to your network.
Applying port 25 filters both ways (inbound and outbound to your
dialup pool, instead of just outbound port 25 filtering) would help in
such a situation.
So, a quick poll .. how many ISPs here have noticed this behavior, and
applied bidirectional filters? And if they've applied port 25 filters
bidirectionally, have they noticed any problems with this setup?
> .. and if it has been tried, have you noticed any issues with this?
> Please consider the situation of net abuse with the source address
> being an infected PC on a dialup pool that has port 25 filtering
> enabled.
...description of 'fantasy mail' removed...
> So, a quick poll .. how many ISPs here have noticed this behavior, and
> applied bidirectional filters? And if they've applied port 25 filters
> bidirectionally, have they noticed any problems with this setup?
I believe reseller contracts have included this for over 2 years now, John
StClair's efforts to get these in place are the primary reason they exist
for our customers.
> Please consider the situation of net abuse with the source address
> being an infected PC on a dialup pool that has port 25 filtering
> enabled.
[ triangular routing ]
Back when Ernesto Haberli was active, this was his trademark
technique. He'd burn through large numbers of dialup accounts, but
hide the address of his high-speed connection.
At the time he left the business a few years ago it worked pretty well
and I gather he left because he'd run out of high speed ISPs to sign
up with. I'd be interested to know if triangular routing is used by
particular people now, or is it just another trick thrown into the mix
along with zombie proxies and such.
Imagine all those "high speed ISPs" who would never have been burned if they just followed BCPs and source filtered their customer base. Especially since broadband ISPs should be able to source filter more easily than anyone, having fewer "issues" like multi-homed customers. (Ignoring the discussion of whether that is really an issue or not.)
But hey, who wants to actually make the network work better these days anyway?
Either the spammers have modified their code so that they don't waste their time trying to spew from blocked machines, or we've been very lucky of late.
I hope it's the former, but suspect it's the latter.
I wrote some part of that doc (though the part about filtering you
quoted seems to have been written by a colleague) - you'll find docs
all over the 'net, that have a lot more detail.
Finding out how many ISPs are doing this is a rather different thing
from finding out how many docs out there are recommending it.
Especially as I'm seeing a marked uptick in this sort of behavior,
from ISPs that I thought normally do filter port 25.
As John points out earlier there were cases of specific people doing
this, though now I think we're seeing trojans do it - a rather more
dangerous development.
It's good to clarify that this "bidirectional" filtering does not mean
filtering inbound to port 25 on the dialup box, but rather filtering inbound
*FROM* port 25 to the dialup box on any port (after all, you want to block
the 3WHS SYNACK and the subsequent in-stream ACKs). This is a common, but
critical, mistake.
> 1) SYN - Worm emails / spam goes out from another provider, with the
> source address spoofed to be the IP of a trojaned PC
> 2) ACK - Receiving network sends an ACK back to the forged source IP,
> and the trojan on that IP proxies this back to the actual spam source.
> 3) SYNACK - sent by the actual spam source to your network.
Only if you are only filtering SYNs. If you block ALL port 25 traffic,
this won't work.
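The filtering variants argued over in the thread (outbound SYN-only, outbound all port 25, the mistaken "inbound to dport 25" rule, and the bidirectional "inbound from source port 25" rule), modelled as an added example that is not part of any post. It simulates a stateless ACL at the dialup-pool edge and runs the forged-source flow through each policy, plus a legitimate customer-to-relay session to show the exemption the bidirectional rule needs. All hosts, addresses, ports and the relay exemption are assumptions constructed for the example.

```python
"""Stateless-ACL model of port 25 filtering at a dialup-pool edge, run against the
forged-source ("triangular routing") spam flow described in the thread.
Added example, not code from the thread; every host and flow is constructed for
illustration, using RFC 5737 documentation addresses."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical hosts (assumption: constructed for this example).
DIALUP_POOL = ip_network("192.0.2.0/24")  # our dialup pool, behind the filtering router
ISP_RELAY = "198.51.100.25"               # our own mail relay, which customers may use
ZOMBIE = "192.0.2.77"                     # trojaned PC on the pool
SPAMMER = "203.0.113.9"                   # real spam source, at another provider
TARGET_MX = "203.0.113.200"               # victim's mail exchanger


@dataclass(frozen=True)
class Packet:
    origin: str  # host that actually put the packet on the wire
    src: str     # source address in the IP header (may be forged)
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags: "S", "SA", "A", "PA"


def edge_direction(pkt):
    """'out' or 'in' as the pool-edge router sees it, or None when the packet never
    crosses that edge: a forged-source packet sent from another provider to a
    third party is invisible to us, whatever its src field says."""
    if ip_address(pkt.origin) in DIALUP_POOL:
        return "out"
    if ip_address(pkt.dst) in DIALUP_POOL:
        return "in"
    return None


# Each policy maps (packet, direction) to "pass" or "drop".
def outbound_syn_only(pkt, d):
    """Drop new connections from the pool to port 25; everything else passes."""
    return "drop" if d == "out" and pkt.dport == 25 and pkt.flags == "S" else "pass"


def outbound_all_25(pkt, d):
    """Drop every outbound packet to port 25, not just SYNs."""
    return "drop" if d == "out" and pkt.dport == 25 else "pass"


def inbound_to_dport_25(pkt, d):
    """The 'common, but critical, mistake': block dport 25 in both directions.
    It never tests the source port of inbound packets."""
    return "drop" if pkt.dport == 25 else "pass"


def bidirectional_25(pkt, d):
    """Outbound to dport 25 and inbound *from* sport 25 (any dport) are dropped.
    The ISP's own relay is exempted so customers can still submit mail through it
    (assumption: the thread does not say how relay access is handled)."""
    if ISP_RELAY in (pkt.src, pkt.dst):
        return "pass"
    if (d == "out" and pkt.dport == 25) or (d == "in" and pkt.sport == 25):
        return "drop"
    return "pass"


def run(policy, flow):
    """Apply policy to each packet the edge sees; return (session survives, verdicts)."""
    verdicts = []
    for pkt in flow:
        d = edge_direction(pkt)
        verdicts.append("unseen" if d is None else policy(pkt, d))
    return "drop" not in verdicts, verdicts


def triangular_flow():
    """The forged-source flow from the thread, packet by packet."""
    return [
        # 1) SYN to the victim MX, sent by the spammer with the zombie's address forged
        Packet(SPAMMER, ZOMBIE, 40000, TARGET_MX, 25, "S"),
        # 2) the MX answers the forged source: a SYN/ACK enters our pool *from* port 25
        Packet(TARGET_MX, TARGET_MX, 25, ZOMBIE, 40000, "SA"),
        # 3) the trojan relays the MX's sequence number to the spammer on an unrelated port
        Packet(ZOMBIE, ZOMBIE, 51000, SPAMMER, 8080, "PA"),
        # 4) the spammer completes the handshake and sends the mail, still forged, direct to the MX
        Packet(SPAMMER, ZOMBIE, 40000, TARGET_MX, 25, "A"),
        Packet(SPAMMER, ZOMBIE, 40000, TARGET_MX, 25, "PA"),
    ]


def customer_relay_flow():
    """A legitimate customer on the pool submitting mail through the ISP's own relay."""
    user = "192.0.2.10"
    return [Packet(user, user, 40002, ISP_RELAY, 25, "S"),
            Packet(ISP_RELAY, ISP_RELAY, 25, user, 40002, "SA"),
            Packet(user, user, 40002, ISP_RELAY, 25, "A")]


if __name__ == "__main__":
    for name, policy in (("outbound SYN only", outbound_syn_only),
                         ("outbound all 25", outbound_all_25),
                         ("inbound to dport 25 (mistake)", inbound_to_dport_25),
                         ("bidirectional (from sport 25)", bidirectional_25)):
        for label, flow in (("triangular", triangular_flow()),
                            ("customer->relay", customer_relay_flow())):
            ok, verdicts = run(policy, flow)
            print(f"{name:30} {label:16} {'survives' if ok else 'blocked':9} {verdicts}")
```

Only the bidirectional policy kills the forged-source session, and it does so by dropping the one packet the pool edge ever sees from that session, the SYN/ACK arriving from source port 25; the outbound-only policies never see a SYN to port 25 because it was emitted at the other provider. In IOS terms the pool-facing rule is `deny tcp any eq 25 192.0.2.0 0.0.0.255` (source port 25, any destination port), not `deny tcp any 192.0.2.0 0.0.0.255 eq 25`, which is the mistake the clarification above warns against. Whatever exemption you carve out for your own relay is where the collateral damage ends up, so keep it to the relay's address rather than to port 25 in general.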
> Applying port 25 filters both ways (inbound and outbound to your
> dialup pool, instead of just outbound port 25 filtering) would help in
> such a situation.
Inbound 25 filtering has nothing to do with the situation listed above.
Or are you using inbound and outbound to refer to packet flow on the
interface rather than session flow? Must be confusing Cisco terms with
actual networking again.
The timing of the ever lower levels of spew from our dialup pool coincides with the blocking of the MS NetBIOS ports, and the implementation of full outbound email scanning (both AV and spam). By full scanning, I mean we treat all email as untrusted, regardless of where it originates.
We've evidently made it harder to turn the boxen into zombies, and time and entropy have started to clean up the ones that were there.