Webone blocking port 25??

Matthew Hawkins matt at mh.dropbear.id.au
Fri Jul 26 12:26:36 EST 2002


Jeremy (jepri at webone.com.au) wrote:
> >And that prevents you from being blacklisted how, exactly?
> 
> It gives you logfiles that you can analyse to decide whether or not 
> they are scumbag spammers.

Logfiles aren't going to stop you being blacklisted.  Nothing can stop
you being blacklisted.  If somebody doesn't want to receive data from
you, they can use BGP to drop all your packets on the floor at all their
border routers for all it matters.

And you're being retro-active.  Log files are mainly analysed (if at all
- I know a few sysadmins who never read log files and delete anything
older than a couple of days) after the event.  The ISP can still be
blacklisted, hurting ALL their customers - not just the spammer.  The
burden of proof is on the ISP, and they're going to need something more
than just their own untrusted logfiles.

If the spammer has to deliver directly:

   * they have to stay online *much* longer
   * their ISP hence has a greater time to catch them in the act
   * their victims have more chance to tarpit them etc.
   * the ISP is logging activities anyway, regardless of whether it's
     relayed through their mail server or not
   * they need to do the full SMTP thing - i.e. connect to all separate MX's
     for their recipients - this is going to raise lots of flags in any
     decent network admin's monitoring suite as it's not the expected use
     of the network by normal clients.

> That way, if someone does pee in the pool, you know who to blame it 
> on.  Otherwise you end up on the DUL, which is apparently much harder 
> to get off.

So let's pick a few names out of a hat for example's sake, and say Evil
Spammer Jeremy dials into OneWeb Internet, delivers a bunch of spam,
buggers off.  Alex, who runs Tin Can & String Networks - the world's
largest provider - gets a whole bunch of spam from a 203 class A subnet
coming from OneWeb's mail server going flat strap, finds out the
netblock is owned by Telstra, and then finds all other IP ranges owned
by Telstra and blacklists them.

This situation has occurred on certain blacklist services (ORBS in
particular, may it rest in agony) in the past.  Many times.

-- 
Matt
"So, logically, if she weighs the same as a duck, she's made of wood, and therefore a witch!"
(Monty Python and the Holy Grail)
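
The last bullet in the message above (a client connecting to many separate MXs stands out in monitoring) can be checked from flow records. The following is an added example, not part of the original post: the record format, the addresses (documentation ranges), the relay address, the window and the threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: "epoch_seconds src_ip dst_ip dst_port".
# All addresses are documentation ranges; none come from the post.
SAMPLE_FLOWS = """\
1000 192.0.2.10 198.51.100.25 25
1003 192.0.2.66 203.0.113.1 25
1004 192.0.2.66 203.0.113.2 25
1006 192.0.2.66 203.0.113.3 25
1009 192.0.2.66 203.0.113.4 25
1011 192.0.2.66 203.0.113.5 25
1020 192.0.2.12 203.0.113.9 25
1500 192.0.2.12 203.0.113.10 25
2000 192.0.2.12 203.0.113.11 25
2500 192.0.2.12 203.0.113.12 25
1030 192.0.2.11 203.0.113.80 80
truncated record
"""
ISP_RELAY = "198.51.100.25"  # assumed address of the ISP's own mail server
WINDOW = 300                 # seconds (assumed)
MAX_DISTINCT_MX = 3          # assumed ceiling for a normal client


def parse_flows(text):
    """Yield (ts, src, dst, port), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[3].isdigit():
            yield int(parts[0]), parts[1], parts[2], int(parts[3])


def direct_to_mx_clients(text, relay=ISP_RELAY, window=WINDOW, limit=MAX_DISTINCT_MX):
    """Map flagged sources to their peak count of distinct non-relay port-25 peers."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port == 25 and dst != relay:   # traffic via the ISP relay is expected
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = peak = 0
        for end in range(len(events)):
            # shrink the window until it spans less than `window` seconds
            while events[end][0] - events[start][0] >= window:
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak > limit:
            flagged[src] = peak
    return flagged
```

In the constructed data, 192.0.2.66 is flagged for reaching five distinct mail exchangers within seconds, while 192.0.2.12, which reaches four spread over 25 minutes, stays under the per-window threshold.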



