Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0
2007-03-02 18:05:10
On Fri, 2 Mar 2007, gep2(_at_)terabites(_dot_)com wrote:
As you know, in a recent thread I commented on what a LOUSY solution
IP-address-based blacklists are, in general.
Part of the problem is that it is a VERY blunt instrument, especially for
companies which operate a large network from behind a NAT router.
Well, I've recently been personally involved in trying to put out just such a
fire at one of my consulting clients.
The client company is an oil and gasoline distributor. Each evening the
software system I built and maintain for them sends E-mails and fax-by-e-mail
price updates to their customers. It also automatically generates and routes
invoices, credit memos (for example, the amounts of the 'pay at the pump'
credit card transactions they handled the day before) to their customers.
They probably send something approaching a thousand such business-critical
E-mails and fax-by-E-mails per day.
All worked well until about a week and a half ago, when one of their computers
managed to get infected by some kind of exploit (despite every machine in the
company having and running Symantec Antivirus software which is updated
daily). We found the problem within 24 hours and managed to clean it all up,
(hopefully!) but meanwhile at least one or two E-mail blacklists (including
XBL) flagged the IP address of the company's router, and starting on the 21st
some of their E-mails stopped getting delivered due to the blacklisting. By
Saturday, as more ISPs picked up on the new list, E-fax (who processes and
delivers their fax-by-e-mail transmissions) suddenly started bouncing even
their outgoing fax attempts (even though their systems had been clean, as
best we can tell) for at least two or three days already.
Businesses which count on reliable AND TIMELY e-mail transmissions simply
cannot have their E-mail transmissions blocked "en masse" like this.
Not being able to issue credits, deliver invoices, and send price updates
(and in the oil and gas business, prices change daily) is a monumental burden
on a company which is guilty of nothing more than being a victim, just like
so many other companies and individuals have been (and, doubtless, will
continue to be).
Worse, from an Internet strategic standpoint, the dangers of this kind of
blunt-instrument blocking of E-mails for AN ENTIRE COMPANY just because ANY
ONE computer within their network is infected (and it could even be an
infected notebook computer carried in from home and connecting to the office
wireless LAN) will force more companies to insist on MORE DANGEROUS separate,
routable IP addresses for each machine in their company.... so that blocking
will affect JUST ONE of their machines and not put the whole company out of
business. Ultimately, this "solution" just puts dramatically more (and very
unwanted) pressure on the limited IP address space, and INCREASES the
likelihood of getting the company's machines infected since now their
machines each have a real, routable IP address that can be attacked by
scanners and other exploits originating from outside the company.
It has taken me personally much of the last week to try to mitigate the
problems for my consulting client... managing communications with the
<snip>
Can I ask why it was so difficult? Could you not change the IP address of
the MTA easily? Perhaps your customer had only one? Perhaps you weren't
aware that was possible? Certainly XBL doesn't list an entire address
block on day one, so I assume that the infected machine was using the
company's own SMTP server as a smarthost and that is why the entire
company was inconvenienced. Another possibility for the company is to use
the ISP smarthost for its mail. It is quite rare for ISP MTAs to be
blacklisted, though it does happen. I understand that getting off
blacklists is slow and difficult to speed up, but why is it the only
solution?
I also refer you to http://www.nber.org/sys-admin/smarthost.html where I
list some commercial smarthosts. While not free, the cost would be similar
to an hour or two of typical consulting rates, for a year of smarthosting,
by which time the original IP address would be off the blacklists.
Postings such as yours have more weight if they include the relevant IP
address.
Daniel Feenberg
feenberg isat nber dotte org
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg