On Wed, Dec 10, 2003 at 02:19:43PM -0500, David Maxwell wrote:
> One question I have about MTAMark - how does its effect differ from the
> effect of blocking outbound port 25 (other than from authorized MTAs)?
Blocking ports can only be done in Routers or Firewalls.
1) Such rules, especially with a lot of exceptions, are very expensive
in terms of CPU cycles. So as e.g. an ISP you don't want to put a port 25
filter in your border routers and then maintain exception lists.
Routers and Firewalls have to be really fast, you don't want to poke
holes in easy and fast rules unless it is absolutely necessary.
2) Lists like that have to be maintained by rather highly skilled personnel.
Customer-Interfaces to DNS management are widely deployed and can
easily be adapted to give customers the ability to maintain their
revDNS structure. For MTA MARK this can be as easy as giving the
customer a list of IP-addresses with checkboxes "is an MTA yes/no".
This is a big difference in skills as compared to adding rules to
the firewall or router.
3) You need the hardware/software capable of doing the blocking, so this
is also a cost factor.
4) If you are running a small business or a workstation the firewall might
be useless, as an attacker that gains admin privileges can also
disable the firewall. Accessing the DNS configuration at your ISP will
not be as easy.
5) With MTA MARK I as a receiver know what the intention of the
maintainer of the IP space is. With a port 25 block not being there I
don't know if it is on purpose or if it is a mistake.
6) If it can be solved with port 25 filtering this would be great. But
the technique to do it has been there for years. Why is spam still a problem?
\Maex
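As an added illustration of points 2 and 5 above (example code, not part of the original message or of the MTAMark draft), this shows how a receiver could evaluate a reverse-DNS mark and keep "explicitly not an MTA" apart from "nothing said". The `_mta` label, the TXT values "1"/"0" and the zone data are placeholders constructed for this example, not the draft's actual record format.

```python
import ipaddress

# Constructed sample reverse-DNS zone data standing in for real DNS lookups.
# The "_mta" label and the TXT values are placeholders for illustration only.
CONSTRUCTED_ZONE = {
    "_mta.10.113.0.203.in-addr.arpa.": "1",   # customer ticked "is an MTA: yes"
    "_mta.11.113.0.203.in-addr.arpa.": "0",   # customer ticked "is an MTA: no"
    # 203.0.113.12 has no record at all: the maintainer stated no intention
}


def mark_name(ip: str) -> str:
    """Build the reverse-DNS owner name under which the mark would live."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer yields e.g. "10.113.0.203.in-addr.arpa" for IPv4 and the
    # nibble form under ip6.arpa for IPv6; the placeholder label is prepended.
    return f"_mta.{addr.reverse_pointer}."


def lookup_txt(name: str, zone=CONSTRUCTED_ZONE):
    """Stand-in for a DNS TXT query; returns None when no record exists."""
    return zone.get(name)


def classify_sender(ip: str) -> str:
    """Three-valued verdict so the receiver can tell stated intent from silence."""
    value = lookup_txt(mark_name(ip))
    if value == "1":
        return "mta"        # maintainer says this IP is meant to send mail
    if value == "0":
        return "not-mta"    # maintainer says it is not; mail from here is suspect
    return "unmarked"       # no statement either way; intent cannot be inferred


def policy(ip: str) -> str:
    """Turn the verdict into a session decision for a receiving MTA."""
    verdict = classify_sender(ip)
    # Only an explicit "not an MTA" mark justifies a reject. A missing record is
    # not a statement, which is the difference from a missing port-25 block.
    return {"mta": "accept", "not-mta": "reject",
            "unmarked": "accept-and-score"}[verdict]
```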
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg