
Re: [Asrg] 6. Proposals: MTA MARK vs port 25 filtering?

2003-12-10 15:50:35
On Wed, Dec 10, 2003 at 05:17:12PM -0500, David Maxwell wrote:
> deny *
> permit MTA1
> permit MTA2
>
> That isn't a very complicated ACL. I believe Cisco IOS will fastpath
> that in most cases (turning on some specific options will make it slow
> path, of course).

One of our blocks is a /16 populated mainly with commercial customers.
A lot of them are managing their own MTAs. I'd estimate about 600-700
(intended ;-) MTAs at least in that block.

> MTAs don't change very often. Adding MTA3 to the list above shouldn't be
> overly challenging (but I understand that you don't want a $5/h tech
> making that change).

With that number of MTAs you will have one or two every day. And you
have to update all your border routers, and it should happen promptly.

> Compared to the cost of people's time to handle spam complaints, it's
> probably easy to justify.

If I have to handle spam complaints for a customer because of a hacked
machine I can make the customer pay for it. We have about 2-3 complaints
a week, most of them about faked Received: lines; about 1 or 2 per month
are about a customer. Even charging them 150 USD per hour is much
cheaper for a single customer than the hassle of buying hardware,
setting it up, having it maintained. You know, it's like with fare
dodgers: they have to pay a penalty if they get caught. But it only
happens once in a while, so it is cheaper not to buy a ticket.

> I was suggesting that the ISP be the org blocking 25. (I dislike network
> blocks in general, because they diminish the usefulness of the Internet,
> but spam does so even more.) Accessing the router at the ISP will not be
> as easy either.

As I wrote to Alan already, we can't do that without changing each and
every contract, and I doubt many customers would sign the new one.

>> 5) With MTA MARK I as a receiver know what the intention of the
>>    maintainer of the IP space is. With a port 25 block not being there I
>>    don't know if it is on purpose or if it is a mistake.
>
> Your comparison is not valid. You can't detect mistakes in the MTAMark
> database entries any more than you can detect errors in the ACL.

This sounds plausible ;-)
But with MTA MARK the sender could express a policy that I could query.
With an outgoing port 25 block in a firewall whose rules are not
publicly available he/I can't.


SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
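An added example, not part of this message or of David Maxwell's, to make the reply's closing point concrete: what a receiving MTA can learn from an MTA MARK record versus what it can learn from an ISP's private port-25 ACL. It assumes a record layout the thread does not spell out (the labels `_send._smtp._srv.` prefixed to the address's reverse-DNS name, with a TXT value of "1" for "may send mail" and "0" for "must not"), replaces DNS with a constructed in-memory zone of RFC 5737/RFC 3849 documentation addresses so it runs offline, and treats the IPv6 ip6.arpa form as its own assumption rather than something the page states.

```python
"""Model of an MTA MARK lookup versus an opaque port-25 ACL.

Added example, not code from the ASRG thread. Assumed (not from the page):
the record owner name is `_send._smtp._srv.` prefixed to the address's
reverse-DNS name, and the TXT value is "1" (host may send mail) or "0"
(host must not). DNS is replaced by a constructed in-memory zone.
"""
import ipaddress
from enum import Enum
from typing import Dict, List, Optional


class Policy(Enum):
    PERMITTED = "permitted"          # maintainer states: this host is an MTA
    NOT_PERMITTED = "not_permitted"  # maintainer states: this host must not send
    UNKNOWN = "unknown"              # no (usable) statement published


def mtamark_name(ip: str) -> str:
    """Owner name of the assumed MTA MARK TXT record for an IP address.

    Uses the standard reverse-DNS name (in-addr.arpa octets for IPv4,
    ip6.arpa nibbles for IPv6; the IPv6 form is this example's assumption).
    """
    addr = ipaddress.ip_address(ip)
    return f"_send._smtp._srv.{addr.reverse_pointer}"


# Constructed zone standing in for what the maintainer of the address space
# publishes (documentation addresses from RFC 5737 and RFC 3849).
ZONE: Dict[str, List[str]] = {
    mtamark_name("192.0.2.25"): ["1"],    # customer-run MTA, marked as intended
    mtamark_name("192.0.2.77"): ["0"],    # a workstation: explicitly not an MTA
    mtamark_name("2001:db8::25"): ["1"],  # same customer's IPv6 MTA
    # 192.0.2.99 has no record at all: the maintainer said nothing about it.
}


def lookup_txt(name: str, zone: Dict[str, List[str]] = ZONE) -> Optional[List[str]]:
    """Stand-in for a DNS TXT query; None models NXDOMAIN/NODATA."""
    return zone.get(name)


def mtamark_policy(ip: str, zone: Dict[str, List[str]] = ZONE) -> Policy:
    """Turn the published record (or its absence) into the maintainer's stated intent."""
    txt = lookup_txt(mtamark_name(ip), zone)
    if not txt:
        return Policy.UNKNOWN
    value = txt[0].strip()
    if value == "1":
        return Policy.PERMITTED
    if value == "0":
        return Policy.NOT_PERMITTED
    return Policy.UNKNOWN  # malformed record: treat as no statement, don't guess


def smtp_decision(ip: str, zone: Dict[str, List[str]] = ZONE) -> str:
    """What a receiving MTA does with a connection from `ip` given the policy."""
    policy = mtamark_policy(ip, zone)
    if policy is Policy.NOT_PERMITTED:
        return "reject"                  # IP-space maintainer says this is not an MTA
    if policy is Policy.PERMITTED:
        return "accept"                  # run the usual content filters from here
    return "fall_back_to_other_checks"   # no statement: DNSBLs etc. decide


def port25_observation(ip: str, border_acl_permits: set) -> str:
    """What the receiver can learn from an ISP's port-25 egress ACL it cannot
    read: only whether a connection from `ip` shows up. An MTA the ISP forgot
    to add and a desktop it deliberately blocked look exactly the same."""
    return "connects" if ip in border_acl_permits else "never_seen"


if __name__ == "__main__":
    # Constructed ACL: the ISP listed 192.0.2.26 but forgot 192.0.2.25.
    border_acl = {"192.0.2.26"}
    for ip in ("192.0.2.25", "192.0.2.77", "192.0.2.99", "2001:db8::25"):
        print(ip, mtamark_policy(ip).value, smtp_decision(ip))
    print("ACL view:", port25_observation("192.0.2.25", border_acl),
          port25_observation("192.0.2.77", border_acl))
```

The three-way outcome is the point: an explicit "0" is a statement the receiver can act on, an explicit "1" is a statement it can hold the maintainer to, and an absent record is honestly "unknown". With the ACL, the forgotten MTA and the deliberately blocked desktop both simply never connect, so the receiver cannot distinguish intent from mistake, which is what the reply above is arguing.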
