Virus said:
Anyone that is operating a server (HTTP, NNTP, SMTP, etc) for business
[...]
We're not discussing someone who might be running a server here, we're
talking about the innocent "average user" whose machine is compromised and
made to act as a *clandestine* server. Sanctioning these people, be they
individuals or businesses, is akin to jailing the victim of a burglar
because their locks weren't strong enough.
Judicious host blocking of repetitive or negligent offenders may be
acceptable, but your proposition seems to suggest otherwise. You even go
beyond a cause/effect scenario to include blocking of those who have
committed no more serious a crime than registering a new domain. I can't
help but attach the label "absurd" to this idea. No personal attack
intended mind you, and if I misperceive your position please clarify.
or recreation, and whose domain has not been identified as one that
historically hosts or supports spam/UCE/phishing/fraud/identity theft,
will never get their domain included in a blocking list (such as a
hosts file, or Adaware, or Spybot, etc) if their servers get
On the contrary, I distinctly remember earlier this year (Feb/Mar?) when
Spybot's host blocking caused its users to be unable to access the
"Survivor Series" web site due to a mishandling of some well known tracking
cookies. The details escape me at the moment, and I'm too lazy to
but it was a shining example of overly aggressive host
Virus said:
The idea of applying the same blocking on a DNS server applies
similarly.
Exactly. And it amplifies any negative side effect of that blocking
considerably.
It would not be effective or logical [you call it
"victimizing them"] to apply such blocking to someone's domain if
their machines were victimized by mal-ware. [But read this: Blocking
their domain WHILE THEY ARE INFECTED is actually a good thing.
It's not a good thing at all. Blocking an entire domain because one or even
a handful of users' machines might be compromised is quite literally
punishing an entire *neighborhood* because one or two residents have been
victimized by a burglar.
It
would prevent the distribution of secondary payloads if their machines
were unwittingly hosting them, and more than likely their site would
crash because of the unwanted traffic being directed to them].
OK, you lost me here. What is it about blocking a domain that might cause
some server to "crash"?
There have been (few? many?) server farms that have been compromised
over the past year or two. They are usually cleaned up within 24
hours. None of those domains (I'm sure) have ever made it into
Spybot's or AdAware's blocking or immunization data base.
CBS might disagree with you.
Ummm... Survivor was a CBS thingy, right?
I would
expect the same to happen in a DNS-based domain blocking strategy. I
don't know why you can't understand that.
I disagree with it because I have some experience running DNS servers, and
know from that experience why your proposal is unworkable in the real
world. It's simply not possible to remove entire sections of the net from
the vision of large groups of users without creating problems. Typically,
far more problems than you solve.
If I run a small business, I might want to point my machines to a DNS
server (operated by myself, or a third party, maybe for free, maybe on
a subscription basis) that blocks all new domains until they are 2
months old (in addition to blocking known-bad domains).
As an option I might agree, but I fail to see any significant benefit from
blocking the hundreds or thousands of new domains that spring up every day
to prevent bad traffic from the 10 or so that are abusers. And yes, I just
pulled those numbers out of my ass.
But I think it's safe to say that
the ratio between "good" registrations and "bad" ones is tipped
considerably in favor of the good. The ROI just doesn't seem to be there.
YMMV. I suppose at this point it's a matter of preference, as long as it's
*left* as a preference.
If I'm a big ISP, I might get lots of support calls if I block
newly-registered domains for 2 months. But not necessarily 2 days or
2 weeks. Or maybe I won't block domains based on
date-of-registration, but still block known-bad domains.
You've just run the gamut from "insane" to "of course" in three
sentences.
Blocking new registrations simply because they're new is
silly at face value. Mind numbingly absurd if done for months at a time.
OTOH, blocking domains with no redeeming values (they do exist) should be
SOP in my opinion.
You do
realize that any customer of the ISP can still point their computer to
any DNS on the internet they want to (that will allow connections from
them that is).
Of course I do. Most laypersons do not, however, which is why implementing a
blocking DNS server as the default is a bad thing.
Item (1) above is presupposition. Item (2) is not.
Yes, and it's (1) that's the glaring problem.
You've got to be kidding. Domain registrars have no public profile or
exposure.
You're suggesting "Godaddy" has the same market share and clientele as
other, more "professional" registrars?
Look at someone like Go Daddy. They take money from all sorts of
bad-guys that register domains for the sole purpose of being used for
phishing scams or spam campaigns. I would love to be able to block
They have no way of knowing the intent of a customer before the fact, but
I'll agree that they do seem to be victimized more than other registrars.
Possibly because of their price list...??
That's another interesting point. The possibility that a DNS based blocking
scheme might become prejudicial against "low end" providers who commit no
crime beyond offering discount services to people who can't afford the
"real McCoy". A potential for financial class based disparity if you ask
me.
domains based on the registrar, but I can't see any way to execute a
mechanism that does that. If you could, THEN registrars would have an
interest to take business only from "clean" customers.
How do you propose they make that determination? Crystal balls?
Virus said:
By blocking out-bound port-25 packets, you prevent users from setting
their out-going SMTP server to point to a machine outside the ISP's
network.
I think you're missing the point here. You can't block "outgoing port 25" as
you suggest because SMTP doesn't reside on port 25 alone. You have to block
outgoing packets with an arbitrary source port, and a *destination* port of
25. This is an important point because it negates the possibility that you
can reliably distinguish between a client, and a server. Or any other
software that might use destination port 25 for that matter.
Blocking connections destined for port 25 outside your "network" might
theoretically prevent some spam traffic (issues of tunneling and such left
for other discussions), but it would *also* break a considerable amount of
legitimate traffic. Some scenarios might include...
An employee working from home, needing to use the company's business server
to answer corporate emails.
Any user who might purchase a domain and host it remotely, who wants to
utilize the email accounts that come with that service.
I'm sure that given a little time we could come up with a few more.
You can still set the in-coming SMTP server to point to any
(external) machine anywhere on the internet, and you set your
There's no such thing as an "incoming SMTP server". Incoming mail is POP3,
on a completely different port.
out-going server to that of your ISP's server. You can send all the
e-mail you want, and it will appear to recipients as if it came from
the external server.
You still haven't explained why such a configuration wouldn't work in
your case. (you may not like to use your ISP's SMTP server to relay
My ISP does not provide the level of control and features the outside server
provides, and accessing that server by a "proxy" through my ISP completely
negates some of those features.
your out-going e-mail, but you haven't explained technically why it
wouldn't work in your case).
And by the way, your ISP could easily block your ability to operate an
SMTP server if it violates the terms of your contract (and yes, you
Technically I'm not running a server. I'm running server software as a
client, and accessing third party servers directly. By virtue of my chosen
software this is the way it has to be done, however there are softwares for
other platforms that are "true" clients, and accomplish the same thing.
That's the essential problem with your proposal, there's no way to tell the
difference.
The internet at large has paid a heavy price (in terms of spam, in
terms of trojanized machines that send/relay spam) by not blocking
out-bound port-25 packets from dynamic or residential IP space. The
The fact that a price has been exacted can't be denied, but shooting your
dog in the leg because it has fleas just doesn't seem like a viable option
to me. There's *nothing* about the internet that can't be exploited in some
way. It's the nature of the beast. Crippling it in vain attempts to deny
the obvious is ultimately unproductive.
Not a snowball's chance my friend. Viruses and other malware *already* use
tunneling techniques to circumvent firewalls. Bypassing a block on outbound
connections targeted at port 25 would be as trivial as changing a couple
lines of code to place that traffic on port 80 for instance. Ports aren't
"locked" into any specific usage, the blocks would be easily detected, and
compromised machines outside the perimeter of the block could easily be
used as open relays. The whole thing is honestly quite trivial to set up.
Yes it is. There are ways for you to operate your own server - ways
that probably involve paying an extra $10 a month for a business or
commercial connection. You and your 10 buddies are getting a free
ride at the expense of having a (residential) network infrastructure
that allows spam from infected machines.
Total rubbish. Me and my "buddies" are doing nothing more than using our
connections to enjoy the added features of a third party email provider, no
different than any other person who might sign up for an account at HotPop,
VFEmail, MailShack, any domain hosting service on the planet, or any one of
the other tens of thousands of providers/scenarios which might include some
sort of third party transport of outgoing mail.
I'm sorry, but you're just *way* over the top here. Honestly.
--
Hand crafted on October 13, 2005 at 13:28:32 -0400
Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx
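The point made in the post above, that an ISP's "outbound port 25 block" has to match the destination port of packets leaving the network (a client's source port is arbitrary) and therefore cannot tell a spam bot from a legitimate remote submission, as an added example that is not part of the original thread. It is a small Python packet-filter simulation; the addresses, the residential range prefix and every flow are constructed.

```python
"""Constructed packet-filter simulation (added example, not from the thread).

Two readings of "block outgoing port 25" are applied to the same set of
constructed flows leaving a residential network:
  - matching the *source* port, which catches nothing a client sends, and
  - matching the *destination* port, which catches the spam bot and the
    legitimate remote submission alike, and misses traffic moved to port 80.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    label: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


RESIDENTIAL = "10.0."   # constructed prefix standing in for the ISP's residential space


def is_outbound(flow: Flow) -> bool:
    """True when a packet leaves the residential range for the outside world."""
    return flow.src_ip.startswith(RESIDENTIAL) and not flow.dst_ip.startswith(RESIDENTIAL)


def block_source_25(flow: Flow) -> bool:
    """Naive rule: drop outbound packets whose *source* port is 25."""
    return is_outbound(flow) and flow.src_port == 25


def block_dest_25(flow: Flow) -> bool:
    """Rule the thread describes: drop outbound packets whose *destination* port is 25."""
    return is_outbound(flow) and flow.dst_port == 25


# Constructed sample flows (RFC 5737 documentation addresses for the outside hosts).
FLOWS = [
    Flow("bot relaying spam to remote MX", "10.0.5.7", 51234, "203.0.113.25", 25),
    Flow("employee submitting mail to corporate server", "10.0.9.2", 49152, "198.51.100.10", 25),
    Flow("user fetching mail via POP3", "10.0.9.2", 49153, "198.51.100.10", 110),
    Flow("user browsing the web", "10.0.5.7", 49154, "203.0.113.80", 80),
    Flow("inbound delivery to a local mail server", "203.0.113.25", 40000, "10.0.9.2", 25),
    Flow("bot moving its SMTP traffic to port 80", "10.0.5.7", 51235, "203.0.113.25", 80),
]


def evaluate(rule, flows=FLOWS) -> list:
    """Return the labels of the flows a rule would drop."""
    return [f.label for f in flows if rule(f)]
```

Running `evaluate(block_source_25)` drops nothing, while `evaluate(block_dest_25)` drops exactly the spam relay and the employee's legitimate submission, and neither rule sees the traffic moved to port 80.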