Re: [exim] automatically blacklisting clients that fail SMTP…

Author: W B Hacker
Date:
To: exim-users
Subject: Re: [exim] automatically blacklisting clients that fail SMTP authentication
Mikhail Lischuk wrote:
>
>
> On Thu, 09 Jun 2011 16:38:10 +0000, W B Hacker wrote:
>
>> Smart folks, and they'll probably not be among the 18 Ukrainian .tld I hard
>> block who DON'T try to curb the worst of their WinBots.
>
> Sorry for off-topic posting,


Not really off-topic. SB.

> but let me clarify a little about Ukrainian ISPs:
> most of them have a marketing approach of "providing clean unfiltered
> Internet" to their clients, that's why they don't block 25 port. The
> largest cable and ethernet ISPs that come to my mind do not filter 25
> port.


A 'non interventionist' approach is commendable. Up to a point.

But the typical ToS forbids abuse, and there have to be 'teeth'
somewhere to enforce it, as your OWN upstream/backbone provider ALSO
wants no abuse.

>
> Second - if you block 25 port, it's a good approach to provide
> some kind of smarthost for your clients.


Agreed.

> Which will be in turn used by
> bots in all ways they want and smarthost will be blacklisted very often
> - maybe sometimes entire subnet.


Not so. Even IF the WinBots acquire valid credentials and login (over 25
or 587), that smarthost is better placed to ID WHICH set of credentials
and WHICH DHCP lease is being abused, and can cut them off at the knees
- temporarily or otherwise - if need be.

By contrast, the far-end never sees, and can do nothing about, the
stolen creds, and has no idea to whom a non-routable IP (sometimes
double-NAT'ed AND relayed through more than one MTA) was leased at a
given point in time.

The ISP can not only *know* all of that - they can automate the tracking
of it, and even the response. Which is very much On Topic.

No other entity is as well placed to 'police' that IP and user pool.

Nor do I know of anyone who wants to see some OTHER entity have to enter
that area. But it can happen if ISP's are careless. Some have simply
been forced to go dark.

> Besides if you implement some ways of
> blocking problem clients on your smarthost, you will greatly increase
> load average for your helpdesk.
>


There is a balance there.

- Take a 'not our job' attitude and your Helpdesk may have even MORE
complaints about traffic that cannot be delivered.

- Do what can be done to run a clean shop, and there will be *fewer* of
those complaints.

Moreover, remote sysadmins are more willing to help with reports to your
abuse desk instead of Blacklisting, IF they know an attempt will be made
to correct the reported problem AND that you have a decent historical
track record of so doing.

As to the paying customers?

Even the most arrogant and clueless of WinLuser's usually prefer an
advisory that a Pee Cee of theirs needs disinfecting rather than simply
being cut-off or having mail bounced. Infections do more than just send
spam, and the bigger fees are from business users who should be grateful
for the heads-up so they can protect their ass etts.

> So, blocking 25 port is a good
> approach for ISP, but it will not make them spam- or problem-free.
>
> --
>
> With Best Regards
> Mikhail Lischuk [1]
>
> ITX Ukraine
>
>


Nothing is perfect.

But if an ISP cannot or will not at least *try* to keep clean the part
they, *and no other*, have direct control over, they should not expect
unlimited tolerance from those at a distance who cannot do that with
fine granularity and must resort to a bigger hammer.

> [1] mailto:mlischuk@itx.com.ua


BTW - itx.com.ua is not among those in Україна on my LBL.

So - however it is being done - hopefully all-hands are trying to do the
best they can to keep the house in order, and with some success..

Thank you for that. And keep up the good work!

Regards,

Bill
韓家標