This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • New note by bobjonkman 30 May 2023
      I'd be more inclined to say "people voting the way the polls said they should..."
    • bobjonkman repeated a notice by hubert 30 May 2023
      RT @hubert I have to laugh and shake my head at Smith calling it a "Miracle on the Praries". No, you were leading in the polls pretty much the whole time. You're in a strongly conservative province. I mean, if you're saying that it's a miracle that the majority of Albertans chose to ignore your […]
    • bobjonkman repeated a notice by blacksam 28 May 2023
      RT @blacksam I’ve been getting more into the game Gaslands with my son and also with adult friends. It’s a Mad Max-esque tabletop game where you’re expected to create your own game pieces by kitbashing with toy cars. I already have all the crafting, painting and 3d printing supplies I need from my other wargaming […]
    • Favorite 28 May 2023
      bobjonkman favorited something by blacksam: I’ve been getting more into the game Gaslands with my son and also with adult friends. It’s a Mad Max-esque tabletop game where you’re expected to create your own game pieces by kitbashing with toy cars. I already have all the crafting, painting and 3d printing supplies I need from […]
    • Favorite 28 May 2023
      bobjonkman favorited something by blacksam: Here are a couple more cars I've made for #gaslands
    • Favorite 28 May 2023
      bobjonkman favorited something by tobias: I'm in need of a little Nerd-Pr0n... what little useful thing comes into your mind as tool of at the Linux command line? Not a super-nerdy command to sophisticated resolve a problem, but a tool for actual problems that would also be useful for n00bs to take their fear about […]
    • bobjonkman repeated a notice by tobias 28 May 2023
      RT @tobias I'm in need of a little Nerd-Pr0n... what little useful thing comes into your mind as tool of at the Linux command line? Not a super-nerdy command to sophisticated resolve a problem, but a tool for actual problems that would also be useful for n00bs to take their fear about using the CLI?So […]
    • Favorite 23 May 2023
      bobjonkman favorited something by steve: From mcnees@mastodon.social on Mastodon: If you aren't too busy, take a minute to look through NASA's Project Apollo archive on Flickr. https://www. flickr.com/photos/projectapoll oarchive/albums This is a totally safe use of your time, you definitely won't look up two hours from now and ask where your morning went. Images: NASA
    • bobjonkman repeated a notice by geniusmusing 9 May 2023
      RT @geniusmusing @lnxw48a1 I have my own workaround for just this issue. I raise my hand to the "Stop/Hold" position. Get to a point where I can stop and leave myself a note on the next thing to do. Then let them interrupt me. I have even done this to my former boss and the […]
    • Favorite 9 May 2023
      bobjonkman favorited something by lnxw48a1: https://www.monkeyuser.com/2018/focus/ This is me.

Archive for the 'dnsbl' Category

Blacklists considered harmful

Posted by Bob Jonkman on 19th November 2009

The black hole that sucks up Internet Addresses

The black hole that sucks up Internet Addresses

BoingBoing points me to a Security Fix article by Brian Krebs called A year later: A look back at McColo on the after-effects of Real-time Blacklists (RBLs) that targeted formerly undesirable IP addresses:

The Internet community typically shuns networks known to harbor spammers and organizations that host malicious software and other nastiness, usually by including their numeric Internet addresses on “blocklists”. Many organizations configure their e-mail servers to reject messages from addresses included on one or more of these blocklists. A heavily blocklisted network quickly becomes unattractive to legitimate businesses, since any e-mail sent out of that network will most likely be refused by the intended recipients.

“The problem is once an address block gets so polluted and absorbed into all these blocklists, it’s difficult to get off all of them because there is no central blocking authority,” said Paul Ferguson, an advanced threat researcher at Trend Micro.

(“Blocklist” is a less pejorative term for “Blacklist”)

The problem is not with the (formerly) malicious site, nor with the keepers of the blacklists, or even the lack of a central blocking authority. The problem is with e-mail server admins or firewall admins who let some unpaid, unaccountable blacklist censor their incoming mail or access to Web pages.

A blacklist should be just one of the criteria used to weight the probability that an incoming e-mail message is spam, or that an http stream contains malware. When I use a blacklist I’ll take into account the blacklist’s opinion of an IP source, but I don’t want a blacklist deciding what I can or can’t receive.

It’s far more reliable to actually examine the content stream for spam or malware instead of relying on a third-party’s opinion of an IP address. Yes, this increases the transaction cost for managing spam and malware, but as these blacklist IP address areas increase there’s an ever greater chance of false positives.

Are you using blacklists? Still think they’re a good idea? Wait until your blacklist gets compromised. An attacker takes control of a blacklist, but doesn’t interfere with its regular operations. Instead, it selectively adds and removes addresses. What better way to impose a DoS attack than maliciously subscribing your target to a well-known blacklist? In fact, for the long con I can see an attacker setting up a blacklist site, and spending a year or two building a reputation. As long as system admins rely completely on that blacklist to block certain IP addresses, those system admins are vulnerable to the whims of the blacklist operator.

I also wrote about the role of blacklists in Blocking Port 25 Considered Harmful, just under a year ago.

–Bob.

(Flickr image “Black Hole” by he who shall used under creative commons license)

Posted in considered harmful, dnsbl | Comments Off on Blacklists considered harmful

Blocking port 25 considered harmful

Posted by Bob Jonkman on 10th December 2008

Coffee cup with a broken handle on a cluttered desk

Coffeine abuse by maciekbor

Over in the Teksavvy Forum at DSLReports Rocky Gaudrault, the owner of my ISP, Teksavvy, started a discussion on blocking port 25 entitled “Argg…. UCEPROTECT… very frustrating!“. This is my reply:

Two cents I’d like to contribute:

The UCEPROTECT service isn’t blocking e-mail, it merely provides an opinion on an IP’s reputation as a mail server. Technically, this opinion is expressed with a DNSBL.

When mail doesn’t get delivered, it’s the receiving mail server that blocks it, not UCEPROTECT. The recipient may reject the mail based on the opinion of the DNSBL, but if that DNSBL gives bogus information then the recipient will be blocking legitimate mail. The fault is with the mail recipient for choosing a poor DNSBL. It’s not Teksavvy customers who can’t send e-mail, it’s the recipients who are refusing to accept it.

Even if Teksavvy did block port 25, there’s no guarantee that poor DNSBL services would whitelist Teksavvy’s servers. DNSBLs are run at the whim of their operators, and they can blacklist anything they like. The people who use these services need to understand that they’re letting someone else decide what mail they can receive, completely out of their control.

Port blocking is ineffective as a spam fighting technique — ISPs started port blocking in 2001, but if port blocking is so good, why is there still spam? Most spam still comes from disreputable bulk mailers running large-scale operations. Remember the McColo servers from a few weeks ago? When that one operation was shut down there were reports that spam volumes dropped by 30%. To fight spam, concentrate on the large-scale spammers.

There are lots of spambots running on poorly protected home computers, but that’s a symptom of poor security. Blocking port 25 won’t fix the security problem. To fight poor security it’s far better to identify the compromised computers, and provide them with tech support to fix the problem. Teksavvy is in a better position to do that than any other service provider I know.

There is no benefit to Teksavvy customers in blocking port 25 — It doesn’t protect Teksavvy customers from spam. It might protect other ISP’s customers from Teksavvy spammers, but it also denies Teksavvy customers full access to the Internet. Full, unblocked access is one of the main differentiators that Teksavvy brings to the market. Don’t give that up, Rocky.

Blocking ports also prevents legitimate services. ESMTP extensions like DSN rely on a direct connection to transfer Delivery Status Notifications. If a relay server doesn’t implement DSN then status notifications don’t get through. If port blocking is turned on, the smart host providing the relay service had better implement every ESMTP extension that exists. And that could still block other services that rely on unfettered access to port 25 (iMIP anyone?)

Blocking one port today is the thin edge of the wedge to blocking other services. Already I’ve seen requests for blocking ports 137 and other Netbios ports. If Teksavvy starts port blocking then every time there’s a new vulnerability the Teksavvy execs will need to agonize over whether to block or not. DNS is broken? Block port 53. There’s child porn on Usenet? Block port 119. CRIA threatens to shut down encrypted filesharing? Block port 443. If Teksavvy has a policy of no port blocking, all these decisions are moot.

I left Rogers because of port blocking, and came to Teksavvy because of unfettered access. Please don’t take that away.

–Bob.

Coffeine Abuse by maciekbor is used under a CC-BYCreative Commons Attribution license.

Posted in considered harmful, dnsbl, dslreports, port blocking, smtp, teksavvy | 7 Comments »

 
Better Tag Cloud