[Asrg] NATs and spam
Douglas Otis
dotis at mail-abuse.org
Sun Mar 4 20:20:58 EST 2007
On Mar 4, 2007, at 12:17 PM, Matt Sergeant wrote:
> On 4-Mar-07, at 2:18 PM, <gep2 at terabites.com> wrote:
>
>>> Simple question... *WHY WAS THE ROUTER/GATEWAY NOT BLOCKING PORT
>>> 25 TO/FROM ALL MACHINES EXCEPT AUTHORIZED INTERNAL MTAS* ??? If your
>> client had taken that one simple step, none of this would've
>> happened.
>>
>> Several issues there.
>>
>> First, they have at least three or four internal machines (out of
>> only about 15) running mail servers. (These servers were basically
>> used as a speed buffer/queue for outgoing mail only).
>
> Jeez - how much email does this 15 person company send??? A
> reasonable mail server can handle a million mails an hour - just
> how much "speed" do they need?
While blocking port 25 is a good idea, this does not assure
protection. Messages can still be mailed from infected systems.
Most systems are configured to automatically forward and authenticate
messages originating within the system. This automation affords bad
actors greater cover, as stopping such outbound servers results in
greater collateral damage. Bad actors don't need to infect systems
behind a NAT for that trick to work.
Although blocking port 25 frustrates proponents of the end-to-end
ideal, imposing external boundaries has become standard fare.
Although, when XP was first announced, Microsoft stated that XP
would not require a firewall, as it is now XP can not be installed
without being behind a firewall or a NAT. The mean time before
infection does not afford time to install updates. As services such
as Teredo and UPnP become common, compliant SOHO routers may usher in
an era where a NAT's stateful packet inspection must understand new,
albeit often undocumented, extensions.
Perhaps in a few years there will be a forklift changeover to IPv6
when NATs and firewall automation go awry, where network and memory
manufacturers rejoice. When that happens, this will likely thwart IP
address scrutiny, or reverse lookup schemes. IPv6 may mean public
"anonymous" messages can not be accepted without first confirming a
CA certificate. It is obvious having a registered domain will not
represent an impediment to abuse. The cost of sending a message may
someday be a CA cert. While something like DKIM offers a means for
domains to assert their certificates, some type of accreditation
analogous to a CA will still be required.
A possible replay issue may also thwart using transmitter-independent
domains as a basis for acceptance, although authorization schemes
may provide possible solutions. These authorizations should be by
name, where iterative IP address lists should be avoided due to
related DDoS threats.
-Doug
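The gateway rule set the quoted suggestion asks for ("block port 25 to/from all machines except authorized internal MTAs"), written out as an added example; it is not code from this thread or from any of its posters. It assumes the LAN side of the gateway is interface eth1 and that the authorized internal MTAs are 192.0.2.10 and 192.0.2.11, constructed addresses from the documentation range; both are assumptions to be replaced with the real values.

```shell
# Added example, not from the ASRG thread or any of its posters: the gateway
# rule set the quoted suggestion calls for, as iptables-restore(8) input.
# Assumed: the LAN side of the gateway is "eth1" and the authorized internal
# MTAs are 192.0.2.10 and 192.0.2.11 (constructed addresses from the
# documentation range; substitute your own).
LAN_IF="${LAN_IF:-eth1}"
AUTHORIZED_MTAS="${AUTHORIZED_MTAS:-192.0.2.10 192.0.2.11}"

# Print the filter-table rules. Nothing is applied here; on the gateway,
# review the output and then feed it to `iptables-restore -n`.
smtp_egress_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':SMTP_EGRESS - [0:0]'
    # Divert every forwarded TCP/25 connection coming from the LAN into our chain.
    printf '%s\n' "-A FORWARD -i $LAN_IF -p tcp --dport 25 -j SMTP_EGRESS"
    # Authorized MTAs may relay out; match on source address only.
    for mta in $AUTHORIZED_MTAS; do
        printf '%s\n' "-A SMTP_EGRESS -s $mta -j ACCEPT"
    done
    # Everything else is logged (rate-limited, so a spam bot cannot flood
    # syslog) and reset. The log line is the cheapest infection detector
    # the gateway will give you: any LAN host that hits it is sending mail
    # it has no business sending.
    printf '%s\n' '-A SMTP_EGRESS -m limit --limit 10/min -j LOG --log-prefix "smtp-egress-block: "'
    printf '%s\n' '-A SMTP_EGRESS -j REJECT --reject-with tcp-reset'
    printf '%s\n' 'COMMIT'
}

# Verdict the rule set above gives a LAN source address, for checking the
# policy without root or a kernel: ACCEPT for a listed MTA, REJECT otherwise.
smtp_egress_verdict() {
    for mta in $AUTHORIZED_MTAS; do
        if [ "$1" = "$mta" ]; then
            echo ACCEPT
            return 0
        fi
    done
    echo REJECT
}
```

This only closes the direct path. As Doug notes, the listed MTAs typically relay anything that originates inside the network, so an infected host can still hand its spam to 192.0.2.10 and let it go out through the hole the rule set leaves open. The filter is worth having only if those MTAs also stop trusting source address alone (for example by requiring SMTP AUTH from clients rather than relaying for the whole LAN range); otherwise the gateway rule just moves the problem one hop inward.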