[Elecraft] Earthlink ISP problems

[email protected] [email protected]
Sun Apr 20 03:36:01 2003



On Sat, 19 Apr 2003, Denis Dimick wrote:

> 
> On Sat, 19 Apr 2003 [email protected] wrote:
> 
> > Incoming vs outgoing depends on your point of view.  As an NSP, our
> > "customers" RETRIEVE their email using either POP2/POP3 on port 110 or
> > IMAP on port 143.  When they SEND email, they inject it to their SMTP
> > server on port 25.
> 
> Don't know what an "NSP" is, so I'm going to assume it's some type of 
> ISP/pseudo-ISP. No disrespect intended.. What you have described is the 

An NSP is a Network Service Provider.  Consider us the ISP to ISPs.  Those
companies who number our ranks include AT&T, WCG, TWC, UUNET, SPRINT, etc,
etc.  Again, no offense but, if you don't understand this very STANDARD
nomenclature, it is probably moot for you to be trying to argue security
practices or IP protocol interactions with the senior security personnel
of an NSP.


> standard mail setup. However Windows systems should never be running a 
> port 25 service. Most end users send their mail out via port 25, 110 or 
> even 143 on their mail server, which in this case sounds like your 
> server(s).

POP2/POP3 and IMAP (ports 110 and 143) do not accept mail insertion
requests.  They exist for the sole purpose of users retrieving email from
remote mailservers.  I do agree that Win*Blows* machines have absolutely
no business running *any* critical infrastructure and thus, should not be
running an SMTP (Simple Mail Transport Protocol) server service.

> > Beyond that fact, Earthlink does indeed take steps to block outbound (as
> > in the customer attempting to connect to remote SMTP server) port 25
> > requests to SMTP servers except theirs.  And it does indeed do MUCH to
> > thwart SPAM.  You see, if the only SMTP servers that you can use are those
> > of your ISP and those servers won't relay email for domains other than
> > [INSERT.ISP.DOMAIN], the action causes a much more accurate SMTP header to
> > be generated showing [ISP's Mailserver] as the injection point for the
> > SPAM.
> 
> This is incorrect.. At least it has been for me.. I could connect to any 
> server's port 25. Only incoming requests to port 25 were blocked. You can 
> send mail, just not receive it to your LOCAL server.

Perhaps you have been connecting via markets where Earthlink does not own
the infrastructure (i.e., they don't own the dial ports) and as such, you
have not been completely under their network security blanket.  I know for
a fact that it is their corporate policy, one that is enforced strictly, to
block TCP SYN (connection attempts) from dial ports to any remote servers
other than their own mailservers on port 25.  If you yourself were a
member of NSP-SEC, you would know this yourself.  I have verified that you
are not however and as such, I don't expect you to know their security
policy.  I do however expect you to stand down and cease spreading
misnomers that are not based in any part on personal knowledge of the
security policies in place on their network.

> As for blocking users/domains that fail a reverse-lookup, Earthstink 
> doesn't bother. Very few ISPs and even fewer mail servers do this. One of 
> the main reasons spam still happens.

OK.  Let's keep things technical here and not use "layman's terms."  This is
the Elecraft list after all.  SMTP senders that fail the IN-PTR ==
IN-ADDR.ARPA test are not certain to be INVALID.  This is *NOT* even close
to being one of the main reasons that SPAM still happens.  One of the main
reasons is that it is so easy for Joe Blow to set up a [pick any operating
system] machine that just happens to include an SMTP daemon.  Joe Blow
doesn't have any clue how to properly administrate, let alone secure an
[insert operating system here] server and as such, he becomes, perhaps
inadvertently, a SPAM HAVEN, being used and abused by the spammers, until
my counterparts at [insert Joe's NSP] apply the Bright Platinum Baseball
Bat of CLUE to Joe Blow.


> > SPAM will only be stopped by modifying the behavior of the
> > Spammers.  Short of that, taking away vectors of "anonymous" insertion is,
> > from the NSP point of view, the most responsible approach.  Filtering the
> > mail at the delivery point does nothing to address the fact that the
> > spammers are stealing transport service and causing undue server load.
> 
> I agree with you there, SPAM will only be stopped when the spammers are no 
> longer able to spam. But by not filtering on the local side, you're doing 
> the same thing as accepting spam. If you/your users never see the spam, 
> then the spammers will stop sending it. I also use RTB's and block most of 
> Asia. 

Actually, you are, again, misinformed here.  As long as the Spammer
doesn't see a 5xx series error from the SMTP server, they are going to
consider the message as received.  Filtering it at the user level does
absolutely nothing to tell them that you aren't accepting their
spam.  Again, I beg you to inform yourself further about the protocols in
question before spewing misinformation that may be consumed by people who
may accept it as scripture.

> > Dennis, I do this for a living and have for the past decade.  I am a
> > member of the NSP Security community.  I interact with the security
> > personnel at [insert ANY large network you want] on a nearly daily basis
> > as part of my duties.  I didn't pull this information out of thin air.  It
> > is valid and accurate.
> 
> Was not saying you pulled this out of the air, just that I think you're 
> getting port 25 wrong. If your users are injecting e-mail into their local 
> servers, as in not your mail server, and you're not doing a reverse lookup to 
> ensure that they're really who they claim to be, then you're probably passing 
> spam along.

"Reverse lookup" is more accurately referred to (by those of us who
actually do this and refer to things by their proper names) as
IN-ADDR.ARPA comparison.  If you truly knew anything about information
security, you would understand just how easy it is to spoof an
IN-ADDR.ARPA record.  If you have any questions about this, simply
traceroute to 66.35.65.12.  To save you the time, here is what I just made
it resolve to:

this-is-too-easy-to-spoof.whitehouse.gov (66.35.65.12)

> I also do this for a living, and have for some time. I also work for a
> large gov. site. And deal with people every day with all sorts of
> ideas on how things work, most of them wrong. Just because someone has
> done something for a long time doesn't mean they know what they're
> doing.

And just because someone works for a large .gov site doesn't mean that
they know what they're doing.  Let me clue you in on something
though.  Not only do I work the computer side of things but, I also carry
a large bore firearm and I've got blue lights and siren in my vehicle.  My
boss (on the GOVT side of things) has a title that begins with "Secretary
of" and his first name is "Tom."  If you wish to further discuss this, I
would love to do so in private.  I do however feel that I owe it to the
Elecraft community, a community that has not in the past allowed me to be
fed inaccurate information via this forum, the service of setting the
record straight.

> > Please try to understand the protocols and security countermeasures prior
> > to further spreading disinformation.  For whatever reason, people tend to
> > believe what they read and it is important that that information be
> > accurate.
> > 
> 
> John, I still say you don't understand how SMTP works. 

You can say whatever you like.  That is fine with me.  I know that I am
right, my government, Fortune 5, Fortune 100 and Fortune 500 clients know
that I know what I'm doing.

Amateur Radio is a hobby for me.  I do it to relax.  I am a member of the
Elecraft list to stay informed about one of the rigs I have built and
operate.  If you feel that you need to be the "big dog" in this forum,
that is fine with me.  I think that the members of the list are informed
enough to do the research and decide which one of us is actually correct
and which one of us decided that they wanted to whiz into the wind hoping
that nothing would blow back on them.  Hint: Subscribing to BUGTRAQ
doesn't count.  Receiving a personal birthday card from the Commander In
Chief just might.

(Happy birthday to me!)

73 de John - K4WTF
President
EnterZone, Inc
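The IN-PTR == IN-ADDR.ARPA comparison John refers to, as an added example that is not part of the original thread: a forward-confirmed reverse DNS check (PTR lookup, then confirm that the returned name resolves back to the same address) run against a small constructed resolver so it works offline. The StubResolver, the DEMO records and the 198.51.100.7, 192.0.2.25 and 203.0.113.9 addresses are assumptions; 66.35.65.12 and its spoofed PTR text come from the message above.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) against constructed
# DNS data. Real code would query a live resolver instead of StubResolver.
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class StubResolver:
    """Constructed DNS data standing in for a live resolver (assumption)."""
    ptr: dict = field(default_factory=dict)  # reverse name -> [hostnames]
    a: dict = field(default_factory=dict)    # hostname -> [IPv4 strings]

    def ptr_names(self, ip: str) -> list:
        # ip_address(...).reverse_pointer gives e.g. "12.65.35.66.in-addr.arpa"
        return self.ptr.get(ip_address(ip).reverse_pointer, [])

    def a_records(self, name: str) -> list:
        return self.a.get(name.lower().rstrip("."), [])


def fcrdns(ip: str, resolver: StubResolver) -> tuple:
    """Return (verdict, name): 'confirmed' if a PTR name resolves back to ip,
    'no_ptr' if there is no reverse record, 'forward_mismatch' if the PTR
    exists but the forward zone does not point that name at ip (the spoof
    case). As the thread notes, a mismatch is evidence, not proof of a bad
    sender, so the verdict feeds policy rather than deciding it."""
    names = resolver.ptr_names(ip)
    if not names:
        return ("no_ptr", None)
    for name in names:
        if ip in resolver.a_records(name):
            return ("confirmed", name)
    return ("forward_mismatch", names[0])


# Constructed records. Whoever controls the in-addr.arpa zone for a netblock
# can publish any PTR text they like; only the forward zone's owner controls
# the A record, which is why the second lookup is the one that matters.
DEMO = StubResolver(
    ptr={
        "12.65.35.66.in-addr.arpa": ["this-is-too-easy-to-spoof.whitehouse.gov"],
        "25.2.0.192.in-addr.arpa": ["mail.example.net"],
    },
    a={
        "this-is-too-easy-to-spoof.whitehouse.gov": ["198.51.100.7"],
        "mail.example.net": ["192.0.2.25"],
    },
)

if __name__ == "__main__":
    for ip in ("66.35.65.12", "192.0.2.25", "203.0.113.9"):
        print(ip, fcrdns(ip, DEMO))
```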