Postfix anti-antivirus (was Re: [linux-elitists] procmail recipe for mydoom?)

Phil Mayers
Mon Feb 9 17:13:14 PST 2004

On Mon, Feb 09, 2004 at 02:28:34PM -0800, Karsten M. Self wrote:
> You can't prevent errors (fail-proof).
> You *can* make errors evident, and offer an alternative (fail-safe).
> In an environment in which the do-nothing alternative already breaks --
> your users can't sort through spam, trigger viruses, lose legitimate
> mail; your mailservers can't handle the load -- then the alternative of
> taking some really wicked swipes at the problem is preferred.  Look at
> my recently posted spam-by-ASN plots.  I can kill 25% of my spam, cold,
> by blocking several major networks from which I personally see zero
> legitmate traffice, to an arbitrary number of nines.  By several, I mean
> six to ten.  That's a really cheap first cut at the problem.

Here here. More to the point, AS numbers and the infrastructure to
support them are finite and non-trivial resources to deploy. By blocking
a spammers AS, therefore reducing its value, you directly attack the
economic reasons for spam i.e. spam is cheap. Getting a whole new ASN is
cheap, but only so many times. Getting an ISP that filters your AS from
the AS path is not especially hard, but then that ISP finds itself
blocked, rather than their evil customer. Moving ISPs is only cheap
until your business is so troublesome as to have a premium.

The irony is that I can see a business for floating homing coming up
using e.g. rapidly-rerouted IPSec tunnels and NAT. Packet anonymisers -
it's Cryptonomicon, but for the *bad guys*...

I would love to be able to kick illegitimate ASNs from our network
entirely by firewalling. Sadly, I work in an academic environment, where
people are rather more vocal about freedoms etc. to use systems, which
is fair as indirectly they pay my salary (having said that, they're
pretty vocal about their freedoms to email everyone in the address book
with a 200kb work document, so maybe I'm cutting them more slack than I
should be).

On the other hand, we're upgrading out SpamAssasin shortly and our
security officer is getting twitchy about newer SA versions querying the
various DNS BLs.

"But they're well dodgy! It's all bearded free software freaks."

This from a former SQL server administrator and now *Gentoo* user, ick

He can insist all he wants, but *my* email is going to check those BLs

> > I agree that it's better to discard viruses that you can identify
> > reliably, but that still makes me uncomfortable.
> Life makes me uncomfortable.  What do you suggest?

Strong drugs, or develop the abilities to subsume your discomfort by
talking to soft toys (I call it "fluffware").


Politically it's a very interesting point. Paul Vixie was recently asked
on nanog if he thought a "Fortune 1000" network, the eventual result of
a "known, trusted sources only" policy like Yahoos stamp thing, was
good. He replied something to the effect of:

"Well, we're going to have that anyway, which is fine with me. I don't
have any friends who use Yahoo."

How uncomfortable do you feel telling people "Oh, you're on Yahoo. I
won't be able to get email from you because I didn't let the fascist
overlords of the Commercial Internet co-opt me."

I'm with Paul Vixie on this - all the people *I* want to talk to have
co-los or good ISPs :o)



| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |

More information about the linux-elitists mailing list