[Lilux-help] port 25 blocking by ISPs

Eric Dondelinger aim at vis.ethz.ch
Fri Jul 2 08:44:46 CEST 2004


Hi,

On Thu, 1 Jul 2004, Patrick Kaell wrote:

> Eric Dondelinger wrote:
>
> > I've got LuxDSL. I constantly send mail from here with other
> > domains than pt.lu. mailsvr.pt.lu relays it for me - as I'm
> > on the P&T network. As you know about SMTP servers, I'll just
> > say "smarthost".
>
> Now, mail coming from mailsvr.pt.lu does not need to be from a @pt.lu
> address, right? It can be @sex.com and so on?

That's about the idea. I actually use it for @linux.lu, @vis.ethz.ch.
I sure don't use it for my @pt.lu, which is a spam-only account.

> Until now it was enough to
> block dialup address ranges in a Black List. Now it is necessary to add
> mailsvr.pt.lu to the Black List, to be protected?

Of course not. It relays mail coming from P&T networks, and it
will accept mail for @pt.lu accounts. That's it. That's what
it's supposed to do.
If it agreed to relay mail from anybody to anybody else, then
it would be an open relay, and would merit a blacklist entry.
But that's not what it does.

> A worm on your PC can
> send a mail to anybody using anybody's mail address using mailsvr.pt.lu.

I don't know any worm that will look up your outgoing mail server
settings and send itself out via that machine. I'll be happy to
learn about such worms.

> And the worm does not need to be ultrasmart to find the hostname
> mailsvr.pt.lu in the config files of your mail client.

I agree it would probably be trivial to implement, I've just not
seen it anywhere.

> > Of course! You're on his network, he knows who you are - the
>
> They do not know that the mail address you are using is yours. Only the
> mail provider does know this.

That's true. P&T does not know I have an account @linux.lu, they
don't know I have one with @vis.ethz.ch, or some @gmx.net.
They still know who connected when, got which IP address, sent
mail via their server - if they receive complaints, their client
will get his/her head washed.

> > moment you're dialing in! If you abuse the service, bye bye
> > your account, and chances are you'll hear from the ISPs lawyers
> > or at least from their billing service.
>
> For this you don't need to block port 25. Logging would be sufficient.

You'd have to do quite some logging to be able to differentiate
whether the traffic was legitimate or not. Certainly enough to
make any data-protection advocate ("Datenschuetzer") cringe.

> You will take away the account of everybody who is infected and who
> sends nonsense through mailsvr.pt.lu?

Those would get warned to clean up their mess. Repeat offenders
cut off until the mess is actually cleaned.
Spammers would get a harsher treatment.
I still have to say that I've rarely seen Luxembourgish spam - half
a dozen or so in several years. There was one quite evil one among
those, which claimed to have a ministerial ok... the ministry didn't
appreciate it, and took appropriate measures.

> At least if the worm would send
> directly through port 25 to the recipient's mail server, the recipient
> could block it by finding the dialup IP address in the Black List!!!

That's what's being done now, via DULs.

> > There is no security in checking To: and From: fields (i.e. the
> > mail's body). There's not even much point in checking the
> > envelope From:. That's for the case of users *on the ISPs network*.
>
> Sure. My provider's mail servers only accept mails from addresses which
> exist on their server.

You're now talking *receiving* mails I assume. I was only talking
about *sending*. Two different pairs of shoes.
If really you're talking about sending - how would you want to
implement that on mailservers relaying for a number of different
organizations, with no chance of ever getting access to the
complete user database?

> And they are on a white list and can be trusted,
> which definitely can't be said for mailsvr.pt.lu anymore!

mailsvr.pt.lu does know (AFAIK) the users having @pt.lu addresses
(maybe others, I don't know). I'm quite sure it won't accept
mails coming from the outside if it's not defined as the MX for
the target domain. If it did, it would be an open relay.

> >>Why on earth do you think that *every* mail provider (GMX, Web.de,
> >>Puretec, ... offer a SMTP service????
> >
> > Maybe so that spammers can easily open up an account, use it
> > for a spam run, and forget it afterwards? It's not like GMX,
> > web.de & Co do a thorough job of verifying the data you provide
> > them when opening up an account...
> > Using a company mailserver that way would make more sense.
>
> No, spammers do not do this. They definitely do not use @gmx.net, etc.
> sender addresses. The addresses are almost always faked, only the DNS
> part exists. Spammers nowadays use infected PCs to send mails directly to
> the recipient.

Correct, so far. Zombies make up 80% of spam (at least until
before the Comcast story). Most of the remaining goes via open
relays, maybe some formmail scripts etc.

> If I understand you correctly, their infected PCs will
> use mailsvr.pt.lu in the future if they have infected a PT customer,
> right? (just as an example, they *will* find the hostname in the mail
> client's config files, be it mailsvr.pt.lu or something else).

In the future maybe. Not at this point, AFAIK.
Also, if the server implements AV software, a worm spreading
via mail would be simple to stop at that point (minus AV update
delay).

> > Indeed, authenticated SMTP can help there - it would be a grave
> > mistake for such a setup to accept plain SMTP (open relay, as it
> > would be trivial to fake the domain part).
> > I still don't see a point in going to an external service -
> > unless your ISPs mail server is extremely unreliable, which
> > would be a reason to find another ISP.
>
> To protect Black List protected mail servers against you (see above).

I'm not sure I understand what you're saying here.

> > Still, normal procedure is to use the ISP's mailserver for
> > outgoing mail, and access the mail provider's server through
> > POP3/IMAP/whatever to retrieve your mail.
>
> This is rather unconventional. Never heard this!

Say what? I've seldom seen it any other way.

> > I know perfectly well. And every normally set up mail client
> > sends their mail through the ISPs mailserver. Using other mail
> > servers, even through smtp-auth, is not usual.
>
> No, see above.

Hmm. NACK.

> >>I have 5 years experience with mail servers, know the SMTP protocol, the
> >>sendmail.cf file and already have worked for an ISP!!!
>
> I have patched (yes I am a C programmer) gnu-pop3d to implement SMTP
> after POP3 with sendmail for our customers. Nobody used the SMTP service
> of the dialup provider. This was 2000-2001. So I know the scene.

If you know the scene, I'm *really* surprised you haven't seen
that kind of setup.

I propose continuing the discussion around a beer keg. It'll be
more fun, and simpler to avoid misunderstandings.

Greets Eric
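The two checks argued about in this thread, written out as an added example (this is not code from the Lilux-help thread or from P&T): the smarthost relay policy Eric describes (relay for clients on the ISP's own network or for authenticated clients, deliver for the ISP's own domains, refuse everything else so the server is not an open relay) and the DUL-style DNSBL lookup a recipient's server uses to reject mail sent straight from a dialup address. The address ranges, the "pt.lu" local domain, the "dul.example" zone and the in-memory resolver are all constructed for the example; a real check would query DNS.

```python
"""Toy SMTP relay-policy check and DUL-style DNSBL lookup.

Added example, not code from the mailing-list thread. All networks,
zones and the fake resolver below are constructed for illustration.
"""
import ipaddress

# Constructed values: the ISP's client address ranges (documentation
# prefixes) and the domains the server is MX for.
ISP_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
LOCAL_DOMAINS = {"pt.lu"}


def relay_decision(client_ip, rcpt_to, authenticated=False):
    """Return 'deliver', 'relay' or 'reject' for one RCPT TO command.

    - 'deliver': recipient domain is one this server is MX for
    - 'relay'  : client is on the ISP network (or used SMTP AUTH), so
                 the server acts as smarthost for any recipient domain
    - 'reject' : anything else; accepting it would make the server an
                 open relay
    Neither MAIL FROM nor the From: header is consulted: they are
    trivially forged and carry no security, as the thread notes.
    """
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "deliver"
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in ISP_NETWORKS):
        return "relay"
    return "reject"


# Constructed DUL zone and a fake resolver: a listed address resolves
# to a 127.0.0.x answer, an unlisted one returns None (NXDOMAIN).
DUL_ZONE = "dul.example"
_FAKE_DNS = {
    "1.2.0.192.dul.example": "127.0.0.3",
}


def dnsbl_name(client_ip, zone=DUL_ZONE):
    """Build the DNSBL query name: reversed IPv4 octets + zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("example handles IPv4 only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def is_listed(client_ip, resolve=_FAKE_DNS.get, zone=DUL_ZONE):
    """True if the DNSBL returns an A record for the client address."""
    return resolve(dnsbl_name(client_ip, zone)) is not None


def recipient_decision(client_ip, resolve=_FAKE_DNS.get):
    """Recipient-side check on a direct port-25 connection."""
    if is_listed(client_ip, resolve):
        return "reject (DUL listed)"
    return "accept"


if __name__ == "__main__":
    # ISP customer sending to a foreign domain via the smarthost
    print(relay_decision("192.0.2.1", "someone@linux.lu"))
    # Outsider trying to use the server for a foreign domain
    print(relay_decision("203.0.113.5", "someone@linux.lu"))
    # Same outsider delivering to a local mailbox
    print(relay_decision("203.0.113.5", "user@pt.lu"))
    # Dialup address connecting directly to a recipient MX
    print(dnsbl_name("192.0.2.1"), recipient_decision("192.0.2.1"))
```

The point the split makes visible: the smarthost can decide based on where the TCP connection comes from (or on SMTP AUTH), which is why it needs no knowledge of which @linux.lu or @gmx.net addresses its customers own; the recipient side, by contrast, only gets a useful signal from the connecting address itself, which is what a DUL encodes.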
