Reverse Firewalls As An Anti-Spam Tool 513
An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail.""
This isn't normal behavior? (Score:2, Informative)
Great Reverse Firewall for Mac OS X (Score:5, Informative)
A cable modem with a reverse firewall sounds nice but I would rather handle this at the CPU level. I want to choose what to block and accept.
Re:And who will control what to control? (Score:5, Informative)
Re:reverse firewall? what? (Score:2, Informative)
Outbound firewall is still firewall, not "reverse firewall" or "anti firewall" or
Re:This isn't normal behavior? (Score:3, Informative)
Re:Oh yeah, router manufacturers will buy this... (Score:4, Informative)
"Virii" is, and let me put this gently, not a goddamn word. I say this not just for your sake, but in the hope that at least a hundredth of the people operating under this painful warping of the English language. Read this, I beg you [archive.org], and stop making me - and anyone who knows the word - cringe.
Re:Not just for spam! (Score:1, Informative)
On those routers, it provides functionality. It allows software the ability to portmap itself to allow functionality as a server. For P2P, for instance, that's a boon.
On a firewall specifically designed to block outgoing attacks, that is a worthless function. It would, however, allow malicious programs free access, making it worthless.
If you can't see the difference, you're hopeless.
Re:And who will control what to control? (Score:3, Informative)
Re:A better idea... (Score:5, Informative)
It seems you're proposing the same argument the article does. Basically, security needs to be enabled by default. The internet is no longer a place where you can trust. They are suggesting a hardware fix; you're suggesting software.
Either way it will most likely require some pretty big players like AOL or Microsoft to implement it before it would achieve critical mass. Designing a different way of doing things isn't hard; it's getting everyone else to agree to it and use it.
AOL started implementing SPF to stop spam. If AOL/MSN/Yahoo all decide to stop accepting mail that doesn't come from SPF-using sites, adoption should happen in about a fortnight.
Re:This isn't normal behavior? (Score:2, Informative)
Re:Obligatory form-letter post (Score:5, Informative)
(x) Users of email will not put up with it
Actually, if implemented properly (allowing people to configure it), people WILL put up with it.
(x) Requires immediate total cooperation from everybody at once
No. Every user that gets one of these things helps.
(x) Lack of centrally controlling authority for email
Huh?
(x) Open relays in foreign countries
No. Every user that gets this helps.
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
I think this is practical. Just like a regular firewall is practical. (Might as well make this thing a proper full blown hardware firewall)
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
Pardon?
(x) This is a stupid idea, and you're a stupid company for suggesting it.
Yes - very amusing. We're all laughing at your stupidity.
This is not a fix-all solution. But it's a simple solution that would help to alleviate some of the spam problem.
Just to be pedantic (Score:5, Informative)
A reverse firewall, then, is just a firewall. It's like the difference between a slash and a forward slash (pet peeve). In fact, if you use an iptables or ipchains firewall, you only need a few extra rules to implement this on your gateway machine.
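As an added illustration of the "few extra rules" the poster mentions (this is example code written for this page, not something posted in the thread), here is one way to do it on a Linux gateway: throttle new outbound SMTP connections per LAN host with iptables' hashlimit match, while leaving mail to the ISP's relay untouched. The interface name (eth1), the relay address (192.0.2.25, a documentation address) and the thresholds are all assumptions to be adjusted for the network in question.

```bash
#!/bin/sh
# Added example (not from the original thread): outbound SMTP rate limiting on a
# Linux gateway with iptables, i.e. the "reverse firewall" discussed above.
# Interface name, relay address and thresholds are assumptions; adjust them.

LAN_IF=${LAN_IF:-eth1}               # assumed LAN-facing interface of the gateway
MAIL_RELAY=${MAIL_RELAY:-192.0.2.25} # assumed ISP relay (RFC 5737 documentation address)
RATE=${RATE:-10/minute}              # new SMTP connections allowed per LAN host
BURST=${BURST:-20}                   # short burst a legitimate client may open
IPT=${IPT:-iptables}                 # set IPT=echo to preview instead of applying

egress_smtp_rules() {
    # Dedicated chain: easy to inspect (iptables -L SMTP_EGRESS -nv) and to flush.
    "$IPT" -N SMTP_EGRESS 2>/dev/null || "$IPT" -F SMTP_EGRESS

    # Mail handed to the ISP's relay is the normal user flow; never throttle it.
    "$IPT" -A SMTP_EGRESS -d "$MAIL_RELAY" -j ACCEPT

    # Direct-to-MX connections: admit new ones only while the per-source-IP
    # token bucket still has tokens. A bot spraying thousands of MTAs drains
    # it within seconds; a mail client sending to a handful of people never
    # gets near the limit.
    "$IPT" -A SMTP_EGRESS -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name smtp_out --hashlimit-mode srcip \
        --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" -j ACCEPT

    # Excess: log it (throttled, so the log itself cannot be flooded) and drop.
    "$IPT" -A SMTP_EGRESS -m conntrack --ctstate NEW \
        -m limit --limit 1/minute -j LOG --log-prefix "SMTP-FLOOD: "
    "$IPT" -A SMTP_EGRESS -m conntrack --ctstate NEW -j DROP

    # Packets of already-accepted connections match nothing in this chain and
    # return to FORWARD, where the usual ESTABLISHED,RELATED rule passes them.

    # Hook the chain into the forwarding path for TCP/25 leaving the LAN.
    "$IPT" -A FORWARD -i "$LAN_IF" -p tcp --dport 25 -j SMTP_EGRESS
}

case "${1:-}" in
    apply)   egress_smtp_rules ;;
    preview) IPT=echo; egress_smtp_rules ;;
esac
```

Run it with `preview` to see the rules it would add and `apply` (as root) to install them; `iptables -L SMTP_EGRESS -nv` then shows per-rule counters, so a host hitting the DROP rule stands out. The same per-host limit could be applied to submission (TCP/587), but note the limit of this whole approach, which the ISP quotas described elsewhere in this thread share: a bot that relays through the ISP's own server with the user's credentials looks exactly like the "normal flow of e-mail" the rule set is meant to preserve.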
Re:Incorrect analysis. (Score:3, Informative)
Sam
Comment removed (Score:3, Informative)
Re:This isn't normal behavior? (Score:3, Informative)
On the mail server front, while many smaller sites send mail from MX-listed servers, this isn't always true at larger sites (such as most ISPs), as they use different sending servers than receiving servers. This is what SPF, DomainKeys, etc. are supposed to take care of. Until they are universally adopted, blocking based on those DNS records (or lack thereof) will not be effective.
Re:This isn't normal behavior? (Score:5, Informative)
You mean, like Firestarter?
http://firestarter.sourceforge.net/
It doesn't require any knowledge to configure the firewall.
Re:And who will control what to control? (Score:2, Informative)
bb 1984/tcp BB
bb 1984/udp BB
Re:Dangerous twaddle (Score:4, Informative)
I've run a Red Hat/DSL box in my basement for four years. Until 6 months ago I had real internet access. Then they blocked outgoing SMTP. I'm running several mailing lists -- high school alumni with about 60 or so people per list. One in particular can get quite active. I also send out newsletters regarding an upcoming event to 100 people or so.
Reworking exim to use the ISP's SMTP server wasn't a problem, until they actually started counting outgoing emails and disabled my account for a day due to >300 emails/hour.
I figured it was time to move from my "grey" basement server to a commercial host. I was amazed at the price for what I wanted -- $8/month or less! I signed up and had things working in a few hours.
It took a few days before problems really started to appear. Lots of people didn't appear to be getting email from the lists. More research showed that, in fact, although they advertised mailman lists, they still limited outgoing emails to ~60/hour or less.
Two months later, I'm still with them. Looking around I've found that just about everyone puts those same anti-spam limits on outgoing email. Not having limits labels a provider as being "spam friendly", and I am the one suffering. The best I could find without limits was $35/month, which is steeper than I would like.
"We have met the enemy, and he is us!"
Michael
It's Called ZoneAlarm (Score:1, Informative)
Great for stopping those pesky programs that like to "phone home to mother" without your permission.
Re:Great Reverse Firewall for Mac OS X (Score:3, Informative)
As long as you make sure requests to "localhost" are allowed, you should be OK.
Nathan
Re:Software firewalls already do this. (Score:3, Informative)
Re:This isn't normal behavior? (Score:2, Informative)