
Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0

2007-03-02 18:05:10


On Fri, 2 Mar 2007, gep2(_at_)terabites(_dot_)com wrote:

> As you know, in a recent thread I commented on what a LOUSY solution IP-address-based blacklists are, in general.
>
> Part of the problem is that it is a VERY blunt instrument, especially for companies which operate a large network from behind a NAT router.
>
> Well, I've recently been personally involved in trying to put out just such a fire at one of my consulting clients.
>
> The client company is an oil and gasoline distributor. Each evening the software system I built and maintain for them sends E-mails and fax-by-e-mail price updates to their customers. It also automatically generates and routes invoices and credit memos (for example, the amounts of the 'pay at the pump' credit card transactions they handled the day before) to their customers. They probably send something approaching a thousand such business-critical E-mails and fax-by-E-mails per day.
>
> All worked well until about a week and a half ago, when one of their computers managed to get infected by some kind of exploit (despite every machine in the company having and running Symantec Antivirus software which is updated daily). We found the problem within 24 hours and managed to clean it all up (hopefully!), but meanwhile at least one or two E-mail blacklists (including XBL) flagged the IP address of the company's router, and starting on the 21st some of their E-mails stopped getting delivered due to the blacklisting. By Saturday, as more ISPs picked up on the new list, E-fax (who processes and delivers their fax-by-e-mail transmissions) suddenly started bouncing even their outgoing fax attempts (even though their systems had been clean, as best we can tell, for at least two or three days already).
>
> Businesses which count on reliable AND TIMELY e-mail transmissions simply cannot have their E-mail transmissions blocked "en masse" like this.
>
> Not being able to issue credits, deliver invoices, and send price updates (and in the oil and gas business, prices change daily) is a monumental burden on a company which is guilty of nothing more than being a victim, just like so many other companies and individuals have been (and, doubtless, will continue to be).
>
> Worse, from an Internet strategic standpoint, the dangers of this kind of blunt-instrument blocking of E-mails for AN ENTIRE COMPANY just because ANY ONE computer within their network is infected (and it could even be an infected notebook computer carried in from home and connecting to the office wireless LAN) will force more companies to insist on MORE DANGEROUS separate, routable IP addresses for each machine in their company.... so that blocking will affect JUST ONE of their machines and not put the whole company out of business. Ultimately, this "solution" just puts dramatically more (and very unwanted) pressure on the limited IP address space, and INCREASES the likelihood of getting the company's machines infected since now their machines each have a real, routable IP address that can be attacked by scanners and other exploits originating from outside the company.
>
> It has taken me personally much of the last week to try to mitigate the problems for my consulting client... managing communications with the

<snip>

Can I ask why it was so difficult? Could you not change the IP address of the MTA easily? Perhaps your customer had only one? Perhaps you weren't aware that was possible? Certainly XBL doesn't list an entire address block on day one, so I assume that the infected machine was using the company's own SMTP server as a smarthost and that is why the entire company was inconvenienced. Another possibility for the company is to use the ISP smarthost for its mail. It is quite rare for ISP MTAs to be blacklisted, though it does happen. I understand that getting off blacklists is slow and difficult to speed up, but why is it the only solution?

I also refer you to http://www.nber.org/sys-admin/smarthost.html where I list some commercial smarthosts. While not free, the cost would be similar to an hour or two of typical consulting rates, for a year of smarthosting, by which time the original IP address would be off the blacklists.

Postings such as yours have more weight if they include the relevant IP address.

Daniel Feenberg
feenberg isat nber dotte org
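The reply above turns on two practical points: XBL lists individual IP addresses rather than whole blocks, and a complaint carries weight only when it names the exact address. The following script is an added example written for this archive page; it is not code from either poster, from the ASRG, or from Spamhaus. It shows how an operator confirms a DNSBL listing for a given outbound address: the IPv4 octets are reversed, the list zone is appended, and an A-record lookup is made; a listed address answers with an address in 127.0.0.0/8 whose last octet says which sub-list matched. The zone name zen.spamhaus.org and the return codes are Spamhaus' documented values at the time of writing (verify against current Spamhaus documentation before relying on them); the sample IPs are constructed from the 192.0.2.0/24 documentation range, and the resolver is injectable so the logic runs offline with canned answers.

```python
"""Confirm whether an outbound mail IP is listed in a DNS-based blocklist.

Added example, not code from the ASRG thread or from Spamhaus. The
resolver is pluggable so the listing logic can be exercised offline
with constructed DNS answers.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Return codes documented by Spamhaus for the combined zen.spamhaus.org
# zone (assumed current; re-check Spamhaus documentation before use).
ZEN_RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised sender)",
    "127.0.0.4": "XBL (exploited or compromised host)",
    "127.0.0.5": "XBL (exploited or compromised host)",
    "127.0.0.6": "XBL (exploited or compromised host)",
    "127.0.0.7": "XBL (exploited or compromised host)",
    "127.0.0.10": "PBL (ISP-maintained end-user range)",
    "127.0.0.11": "PBL (Spamhaus-maintained end-user range)",
}

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the reversed-octet query name, e.g. 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolver(name: str) -> Optional[str]:
    """Real lookup via the system resolver; NXDOMAIN means 'not listed'.

    gethostbyname returns only one A record; a zen listing can carry
    several (e.g. SBL and XBL at once), so a full DNS client would
    collect them all. One code is enough to confirm a listing.
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip: str, zone: str = "zen.spamhaus.org",
                resolver: Resolver = live_resolver) -> dict:
    """Return {'ip', 'query', 'listed', 'answer', 'reasons'} for one address.

    An answer outside 127.0.0.0/8 is reported as unexpected rather than
    as a listing: it usually means the query never reached the blocklist
    (a resolver that wildcards NXDOMAIN, or a captive DNS path).
    """
    query = dnsbl_query_name(ip, zone)
    answer = resolver(query)
    result = {"ip": ip, "query": query, "listed": False,
              "answer": answer, "reasons": []}
    if answer is None:
        return result
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        result["reasons"] = ["unexpected answer; resolver may be interfering"]
        return result
    result["listed"] = True
    result["reasons"] = [ZEN_RETURN_CODES.get(answer, f"unknown code {answer}")]
    return result


def fake_resolver(listed: Dict[str, str]) -> Resolver:
    """Constructed stand-in for DNS: maps query names to canned A answers."""
    return lambda name: listed.get(name)


if __name__ == "__main__":
    # Constructed scenario: the office NAT address (192.0.2.10) is on the
    # XBL; a newly assigned MTA address (192.0.2.11) is clean.
    canned = fake_resolver({"10.2.0.192.zen.spamhaus.org": "127.0.0.4"})
    for candidate in ("192.0.2.10", "192.0.2.11"):
        print(check_dnsbl(candidate, resolver=canned))
```

Run against the real resolver by dropping the `resolver=` argument; the returned `reasons` text tells you whether the hit is XBL (a compromised host behind that address, as in the thread) or PBL (a policy listing of an end-user range, which is cured by sending through a smarthost rather than by cleanup). Separating the "unexpected answer" case matters because some public resolvers are refused or rate-limited by Spamhaus, and a wildcarding resolver would otherwise make every address look listed.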


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg