How a virus blackened my reputation

12 Apr 2007

Alan Stevens

We all like to think of ourselves as popular, so it comes as something of a shock to find yourself on a blacklist. But that’s exactly what happened to me last week or, rather, to my public IP address, which, if you rely on email, is an equally damaging slight. Moreover, it’s an illustration of the fact that no matter how well protected you think you are, network security is easily breached.

It all started when my outgoing emails started to bounce back. Not all of them, just a few (including those to IT Week), leading me to think that it was a problem with the receiving servers. But then a pattern emerged. The bounce-backs were all from servers using MessageLabs filters, telling me in no uncertain terms that I was a suspected spammer and needed to do something about it.


A quick search on www.dnsstuff.com soon revealed the cause. There was my public IP address on not just one, but five blacklists, clearly highlighted as a potential source of spam. According to the mail logs at my ISP, the messages weren’t being sent by their servers, so a mass-mailing virus on a machine somewhere on my LAN was the most likely culprit. Equipped with the latest updates, I diligently checked all my PCs and servers for viruses. I even checked machines running Linux, but all came up clean. Yet I was still being blacklisted.
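The blacklist check described above can be done without a web lookup service, because a DNS-based blacklist (DNSBL) is queried through ordinary DNS: the IP's octets are reversed, the blacklist zone is appended, and an answer in 127.0.0.0/8 means "listed" while NXDOMAIN means "clean". The following is an added example, not code from the column; the zone names ending in .example and the answers in the constructed resolver table are placeholders, and a real check would swap in the zones of the DNSBLs you care about (which have their own usage terms).

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional, Tuple

# Placeholder zones (constructed); real DNSBLs have their own zone names and query policies.
EXAMPLE_ZONES = ["dnsbl-a.example", "dnsbl-b.example", "dnsbl-c.example"]

# Constructed answers so the example runs offline: the lookup name -> A record it would return.
# 127.0.0.2 is the conventional "listed" code; 203.0.113.9 stands in for a broken/retired
# zone that answers every query with a non-loopback address.
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.dnsbl-a.example": "127.0.0.2",
    "10.2.0.192.dnsbl-c.example": "203.0.113.9",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 DNSBL lookups are handled here")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolve(name: str) -> Optional[str]:
    """Resolve an A record with the system resolver; None means the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def constructed_resolve(name: str) -> Optional[str]:
    """Offline stand-in for system_resolve, backed by the constructed table above."""
    return CONSTRUCTED_ANSWERS.get(name)


def check_dnsbl(ip: str, zone: str,
                resolve: Callable[[str], Optional[str]] = system_resolve) -> Tuple[str, Optional[str]]:
    """Return ("listed", code), ("clean", None) or ("unexpected", answer) for ip in zone.

    A listing is signalled by an address in 127.0.0.0/8 (the last octet is a zone-specific
    reason code). Anything else is not a listing, but a zone that answers with a public
    address is usually dead or wildcarded and should not be trusted either way.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return ("clean", None)
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return ("listed", answer)
    return ("unexpected", answer)


def check_all(ip: str, zones, resolve: Callable[[str], Optional[str]] = system_resolve
              ) -> Dict[str, Tuple[str, Optional[str]]]:
    """Check one address against every zone; returns zone -> (status, answer)."""
    return {zone: check_dnsbl(ip, zone, resolve) for zone in zones}


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used here as the constructed "my public IP".
    for zone, (status, answer) in check_all("192.0.2.10", EXAMPLE_ZONES, constructed_resolve).items():
        print(f"{zone:20} {status:10} {answer or ''}")
```

Passing `system_resolve` (the default) turns this into a live check; the injectable resolver is what lets the interpretation logic be exercised offline and keeps the "unexpected answer" case visible instead of silently counting it as clean or listed.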

I then configured a firewall rule to block and log any outgoing messages on port 25 (the SMTP “email” port). Again all was quiet until my better half came home from work and switched on her wireless laptop. Within seconds, I could see it repeatedly trying to distribute spam.
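What turned the firewall rule above into a diagnosis was the log it produced: a host that opens connections to port 25 on many different servers in quick succession looks nothing like a normal mail client talking to one relay. The script below is an added example (not the author's setup) that reads such a log and ranks internal hosts by their outbound-25 fan-out; it goes slightly beyond the column by also allowing for one designated mail relay to be exempted, the arrangement a larger network would use. The log lines are constructed in the shape an iptables `LOG` target writes to the kernel log, with a constructed `SMTP-OUT:` prefix and documentation addresses, and the interface names, the 192.168.1.0/24 LAN and the relay at 192.168.1.10 are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# Constructed kernel-log lines as an iptables rule such as
#   iptables -A FORWARD -o ppp0 -p tcp --dport 25 ! -s 192.168.1.10 -j LOG --log-prefix "SMTP-OUT: "
# would write them (fields trimmed to the ones this script reads). Addresses are documentation ranges.
SAMPLE_LOG = """\
Apr 12 18:02:11 gw kernel: SMTP-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.42 DST=203.0.113.25 PROTO=TCP SPT=49152 DPT=25 SYN
Apr 12 18:02:11 gw kernel: SMTP-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.42 DST=203.0.113.26 PROTO=TCP SPT=49153 DPT=25 SYN
Apr 12 18:02:12 gw kernel: SMTP-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.42 DST=198.51.100.7 PROTO=TCP SPT=49154 DPT=25 SYN
Apr 12 18:02:12 gw kernel: SMTP-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.42 DST=198.51.100.8 PROTO=TCP SPT=49155 DPT=25 SYN
Apr 12 18:02:13 gw kernel: SMTP-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.42 DST=203.0.113.27 PROTO=TCP SPT=49156 DPT=25 SYN
Apr 12 18:05:40 gw kernel: SMTP-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=35000 DPT=25 SYN
Apr 12 18:06:02 gw kernel: SMTP-OUT: IN=br0 OUT=ppp0 SRC=192.168.1.77 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=25 SYN
Apr 12 18:06:05 gw kernel: OTHER: IN=br0 OUT=ppp0 SRC=192.168.1.77 DST=203.0.113.80 PROTO=TCP SPT=40002 DPT=80 SYN
"""

# Only lines carrying our prefix; SRC/DST come first, DPT later, with other fields in between.
LOG_RE = re.compile(r"SMTP-OUT: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_smtp_attempts(log_text: str) -> List[Tuple[str, str]]:
    """Return (src, dst) for every logged outbound connection attempt to TCP/25."""
    attempts = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25":
            attempts.append((m.group("src"), m.group("dst")))
    return attempts


def summarise(attempts: List[Tuple[str, str]],
              allowed_relays: FrozenSet[str] = frozenset(),
              fanout_threshold: int = 3) -> Dict[str, Dict[str, object]]:
    """Per internal host: attempt count, distinct destinations and a verdict.

    Fan-out (many distinct mail servers) is the signature of a mass mailer; a single
    attempt from a host that is not the designated relay is still worth a look, because
    nothing but the relay should be speaking SMTP to the outside.
    """
    counts: Dict[str, int] = defaultdict(int)
    dests: Dict[str, set] = defaultdict(set)
    for src, dst in attempts:
        counts[src] += 1
        dests[src].add(dst)

    report: Dict[str, Dict[str, object]] = {}
    for src in counts:
        if src in allowed_relays:
            verdict = "allowed-relay"
        elif len(dests[src]) >= fanout_threshold:
            verdict = "likely-mass-mailer"
        else:
            verdict = "unexpected-smtp-client"
        report[src] = {"attempts": counts[src],
                       "destinations": len(dests[src]),
                       "verdict": verdict}
    return report


if __name__ == "__main__":
    rep = summarise(parse_smtp_attempts(SAMPLE_LOG), allowed_relays=frozenset({"192.168.1.10"}))
    for host, row in sorted(rep.items(), key=lambda kv: -int(kv[1]["attempts"])):
        print(f"{host:15} attempts={row['attempts']:3} destinations={row['destinations']:3} {row['verdict']}")
```

Run against a real kernel log (`journalctl -k` or /var/log/kern.log on most Linux routers) the same parser works unchanged as long as the `--log-prefix` matches; the threshold of three distinct destinations is deliberately low, since a legitimate client behind a relay-only policy should never reach even one.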

I didn’t know exactly what the laptop was infected with, and I didn’t really care. I just stopped it connecting to my network and told my spouse to take it away and get it sorted by her IT department.

It just shows how easy it can be for one rogue system to bring a whole network to its knees even when you have all the usual security measures in place. Mine include a router with network address translation and a stateful inspection firewall. All my systems have up-to-date antivirus software with on-demand scanning and, if running Windows, anti-spyware software as well. I’m also very careful not to download anything new to a live system before checking it out on an isolated virtual host. None of my systems has ever been infected with anything – until now.

Luckily I caught it quite quickly and was able to remove my address from the blacklists fairly easily. I hate to imagine how much more difficult it would have been for a large company to resolve the problem. It only takes one small slip and the consequences can be huge.

Reader comments

why don't the ISP 25 filters work?

Why don't carriers lock access to port 25 down to their email gateways by default? Many claim they do, but apparently do not.

This is something I haven't understood for years now. In my last jobs, I've had the firewall block and alert me to outbound traffic on port 25. At my current work, we permit one and only one host externally to be used for SMTP, and the rule's not much harder to do there than it was when there was no external SMTP server to talk to.

Several ISPs claim they do this, but as far as I can see, do not.

For the precious few people who actually want to try running their own mailserver, this is no doubt a pain. The ISP would need to let you pay an additional fee for being added to the list of those who use SMTP, and you would have to be prepared to spend money on static IPs rather than DHCP. Funny thing is, I actually have a block of statics, and there was nothing said to me when I signed up about "oh, and do you want port 25 open?"

Doing this right would dramatically cut down spam. The policies are already in place at a number of ISPs, or supposedly are.

I've just seen an article that claims SBC/Yahoo do this. And that claims Charter does this.

Apparently only for their dialup customers, though; I can run 25 from here at SBC no problem, and judging from the spam filters at the office, Charter leaves 25 open for its DSL customers. For every freaking one of its DSL customers.

In fact, with a rule like this in play, the ISPs could provide additional services to their customers, like warning them of suspicious traffic.

There's no reason why you shouldn't have had a friendly alert from your ISP giving you a count of the number of attempts to send email that your IP address had made.

Why make you wait until you'd been listed in multiple obscure (to most people) antispam registries?

So: does anyone know why - other than the complete insulation of carrier NOCs from the universe of their impact on the network at large, and their pure focus on events inside their network - carriers aren't doing this for their botnets, I mean, for their always-on connections?

-R

http://news.zdnet.com/2100-9595_22-255459.html

(Microsoft tagged for being late to do this)

http://www.postcastserver.com/help/Port_25_Blocking.aspx

(someone's mailserver app explaining that you need to find a 'botnet friendly' ISP to run their tool.)

Posted by: roustabout  14 Apr 2007

If only that were true...

The average home user has no clue what a virus or botnet really is. Sure, they've heard of viruses (maybe botnets too), and have probably even received some dire warning about one in their email. But, far too many home users are unknowingly helping the bad guys of the Internet send SPAM, send spyware, and bring down networks. 9 people out of 10 never even have a clue that they are infected and they don't suffer any ill effects and continue to be a menace to the Internet. Yet, those who actually have a technical clue and have a static IP are blacklisted and suffer greatly. Totally backwards...

Posted by: T.M.  13 Apr 2007
