Reverse Firewalls As An Anti-Spam Tool

An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. 'A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out,' Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because 'normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail.'"
  • Comment removed (Score:2, Insightful)

    by account_deleted ( 4530225 ) on Wednesday July 21, 2004 @01:12AM (#9756861)
    Comment removed based on user account deletion
  • by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Wednesday July 21, 2004 @01:15AM (#9756879) Homepage Journal
    Ahh, and who will control what defines an attack? Is using Freenet an attack? Bittorrent? Kazaa?

    This looks like yet another way to force us to use the Internet in the way that corporations/governments want us to. No fucking thank you.
  • A better idea... (Score:5, Insightful)

    by SixDimensionalArray ( 604334 ) on Wednesday July 21, 2004 @01:16AM (#9756886)
    Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.) to more robust and secured ones would be easier than having to create a product just to limit what you can do with your own machine and network connection.

    But that would be silly now, wouldn't it? Sure, it would cost a lot to migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?
  • by Mistlefoot ( 636417 ) on Wednesday July 21, 2004 @01:18AM (#9756901)
    Absolutely.

    I'm not sure this is an option that the average windows user (and almost anyone sending out spam on their virus laden pc uses windows) would find simple.

    Working as a support tech and dealing with mainly connectivity issues, I've learned that the number one issue blocking users from desirable online activities or access itself is a firewall. It used to be that the first troubleshooting step was to check the connections. Now it's become, check for firewalls.

    I'm not sure the average windows user would find this a simple solution.
  • by dhakbar ( 783117 ) on Wednesday July 21, 2004 @01:18AM (#9756903)
    Force?

    You do realize that this isn't a discussion about a law to make it illegal to connect to the internet without such a reverse firewall, don't you? How is this guy's (not so hot) idea forcing you to do anything?
  • by agentxy ( 544949 ) on Wednesday July 21, 2004 @01:19AM (#9756913)
    Great Idea! New technical concepts and products always excite me. We must keep one thing in mind however, hackers/crackers/spammers/whatever you want to call them are clever and very imaginative people. Single concepts and technologies will be overcome and bypassed. The security/spam fight needs to be a continuous and evolving process. One cannot simply rely on a single product or conceptual model to end malicious actions. When people start realizing that keeping computers secure is a process and NOT a product, the world will be a lot safer and secure.
  • by Anonymous Coward on Wednesday July 21, 2004 @01:21AM (#9756922)
    SMTP is limited to one port (25), and most people are simply not sending out hundreds of emails per hour. A simple bit of rate limiting of the outgoing traffic (say 60 emails per hour) wouldn't even be noticed by 99% of home users. The other 1% probably knows what they're doing and could disable it. 60 per hour is plenty for the average person, but a hindrance to a spammer.
  • Reverse firewalls? (Score:5, Insightful)

    by afay ( 301708 ) on Wednesday July 21, 2004 @01:21AM (#9756923)
    First of all, the linked article simply describes a firewall blocking some outgoing traffic with easy rate limit rules (i.e. no email after x messages sent in y amount of time). There's no need to call it a reverse firewall. It's a firewall, plain and simple. Just because most people allow all outgoing traffic doesn't mean that if you block some you've invented a new type of firewall.

    The other article is really describing a completely different thing. They use the same term, reverse firewall, but they talk about firewalling each individual machine inside a lan. Basically, they suggest a firewall on each machine to protect the internal network from attacks that originate inside it. Completely different use of the term.

    It sort of looks like the submitter just googled for "reverse firewall" and posted the first match. Or actually it appears to be the 4th match. Anyway, regardless, the two links seem to be talking about different things. Both of them have merit, but neither seems particularly innovative. I do like the first article's idea of rate limiting outgoing email on home router boxes by default. Seems like it would solve a lot of spam problems.
  • by DAldredge ( 2353 ) <SlashdotEmail@GMail.Com> on Wednesday July 21, 2004 @01:22AM (#9756929) Journal
    For about 3.2 seconds till the UPNP enabled virus tells the UPNP enabled firewall that it is an authorized app...
  • by black mariah ( 654971 ) on Wednesday July 21, 2004 @01:27AM (#9756965)
    > Why put the onus on the consumers, when it is the ISPs who seem to be failing us?

    Because the users are the ones that have the "FREE PORN NOW" software on their computer that creates all that spam in the first place. Always look towards user stupidity for your first answers.

  • I understand... (Score:3, Insightful)

    by altaic ( 559466 ) on Wednesday July 21, 2004 @01:30AM (#9756976)
    that spam is a difficult problem to solve, but that is the most idiotic idea I think I've ever encountered. That's like making it difficult to do encryption to prevent terrorists from communicating safely. Granted, "normal" people's computers are a vessel for spammers, but it's asinine to limit normal people's hardware. Why not fix the problem at the source and work on making consumer's computers secure? The day I find out my DSL modem is blocking ports or something like that is the day I wreck the thing while trying to fix it. I mean, really.
  • by Anonymous Coward on Wednesday July 21, 2004 @01:32AM (#9756994)

    Did you actually read anything?

    > He says reverse firewalls should be embedded in every cable modem and wireless access point for home users.

    He certainly does think it would be a good idea to require a reverse firewall before connecting to the internet.

    Idea becomes discussion ... discussion becomes policy ... policy becomes law. And Dhakbar says "Why, O!, why did this happen?"

  • by abhinavmodi ( 737782 ) on Wednesday July 21, 2004 @01:37AM (#9757021) Homepage
    While it is true that the reverse firewall will stop too much traffic from a "home" computer, there are some aspects of this which raise interesting questions:

    1. How much is "too much"? How is this decided?

    2. What about proxies to circumvent this?

    3. The majority of spam generated is probably not from a home computer.

    4. Modern firewalls can be configured for outbound filtering as well. How radically will the proposed scheme be different from this?

    Correct me if I am wrong in any of the assumptions above. If we are achieving too little while applying too much effort, the law of economy wouldn't justify this.
  • by Donny Smith ( 567043 ) on Wednesday July 21, 2004 @01:43AM (#9757056)
    > Outbreak of mental illness: Anger problem

    No, that is the right response to a dumb ass comment. If someone doesn't understand something, that's fine - it probably can be learned - but the assertive attitude combined with utmost stupidity and ignorance gets on most people's nerves.

    The only "problem" is that he cares and can't take it any more. In the old times most comments (and stories) used to be fairly intelligent. In case you haven't noticed, it's been getting real bad - now about 20% of content is useful/informative/worthwhile and 80% is indistinguishable from any other forum.
  • by halowolf ( 692775 ) on Wednesday July 21, 2004 @01:44AM (#9757063)
    This is a good point, because for Joe Average they may be able to use their computers, but they certainly do not understand how they work. And to keep a computer running well, you need to understand how they work, or have someone close to them that knows how they work to maintain them. When it comes to firewalls and such, a more advanced computing topic, it's hard enough for Joe Average to understand why it's desirable to have one, let alone how to configure one effectively to protect them on the internet.

    I know there are products like ZoneAlarm and such to try and make it easier for non technical users to use them, but Joe Average people will be baffled by them since they don't understand how networks work and everything that goes with that.

    There is research into making computers self maintainable and repair themselves and such, but it's a long way away from making Joe Average safe to use a computer on the internet. A lot more work needs to go into transparent computer administration systems that free Joe Average (and their administrators, family computer lackeys etc) from having to deal with computer problems that could be solved or avoided with what we would consider common sense.

  • by Artega VH ( 739847 ) on Wednesday July 21, 2004 @01:46AM (#9757069) Journal
    This would limit the rate of outgoing emails (or presumably anything else) to a limit that most people wouldn't hit in normal use. If implemented this limit would be configurable in the "firewall" so that users who know what they are doing can alter it.

    It is different to software "reverse firewalls" such as Zonealarm as it couldn't easily be turned off by viruses and the like. But on the other hand it lets anything through once.

    It would be beneficial to prevent the massing hordes of clueless broadband users from being juicy targets to the spammer - since each zombie could only send out a pathetically tiny number per hour.
  • Re:Off by default (Score:3, Insightful)

    by benna ( 614220 ) <mimenarrator@g m a i l .com> on Wednesday July 21, 2004 @01:58AM (#9757122) Journal
    I would be seriously pissed off if I could only use their SMTP server. Spam may be a problem but I'd rather have spam and an internet connection that I use the way I chose than lose that freedom and still have spam. But then hey, I'm just some wacko that values freedom over safety from terrorism.
  • by hoferbr ( 707935 ) on Wednesday July 21, 2004 @02:05AM (#9757142)
    IMHO, I think you're missing the point. The article states that the reverse-firewall would block traffic from specific ports that used the computer as, quoting the article, "a group of "zombie" machines hijacked to distribute huge amounts of fraudulent e-mail or launch denial-of-service attacks without being traced directly."
    If you want access to a blocked port, I'm sure that you could easily open it. But this is not about "computer experts" or something like that; this reverse firewall aims at the average computer user. They are the ones whose computers are being used as spam spreaders by someone else.
  • by KillerCow ( 213458 ) on Wednesday July 21, 2004 @02:07AM (#9757151)
    I have to agree with this. SMTP was designed when all of the machines involved were trusted. That isn't the case anymore. Since a design assumption has been fundamentally broken, it needs to be redesigned.

    We shouldn't be grafting band-aids and restricting the network model to fix a single broken protocol. SMTP is the problem. Fix it and leave everything else alone. You wouldn't propose mucking around with TCP because any other application layer protocol was broken.
  • Re:Off by default (Score:5, Insightful)

    by gerardrj ( 207690 ) on Wednesday July 21, 2004 @02:15AM (#9757183) Journal
    There are several very good reasons to use your own email server instead of your ISPs:

    1. You can use any domain name(s) you want so you don't ever have to change your address as you change ISPs.

    2. Your ISP (or anyone else) can't read your mail while it's sitting on your own server. They can read it when it's sitting on their server.

    3. SPAM prevention. When you run your own server you can alias your account as many times as you wish, and are able to add/delete aliases instantly and at will, giving a unique address to each entity. If you get spam on an address, you delete it and create a new one.

    4. No limits on message content or size. Many ISPs limit the size of attachments. Granted, SMTP is not meant as a file transfer protocol, but that's not a reason to arbitrarily limit the size of messages.

    5. Notification. When you own the server and new mail comes in you can have the server forward the mail to multiple places, or run scripts to notify you on a pager, via telephone, etc.

    6. Reliability. At least with my ISP, my mail server has a higher availability than theirs. Because of the load on the server from SPAM, it goes down fairly regularly and is frequently backlogged. Sure, this is just poor admin on their part, but with my own server it doesn't affect me.
  • by Christopher Cashell ( 2517 ) on Wednesday July 21, 2004 @02:23AM (#9757214) Homepage Journal
    Even for LAN firewalls, this is, or should be, normal behavior.

    I know I've had my firewall set up to block outgoing port 25 traffic that doesn't come from the mail server for a long time now. I also log outbound port 25 requests, and twice this has alerted me to when one of my users was infected with a mass-mailing trojan.

    Anyone who runs a firewall and does not currently have it set up similar to this should block outgoing port 25 connections that do not originate from your mail server immediately.

    If you're running any reasonably modern firewall (or using Linux and iptables for your firewall) this is fairly trivial to set up.

    Come on, guys. Let's all do our part to stop spam. Every little bit helps.
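    The outbound port 25 logging described in the post above, combined with the 60-messages-per-hour budget suggested earlier in the thread, as an added example (not code from the thread or from any product it mentions): it parses iptables-style LOG lines for new outbound SMTP connections and flags LAN hosts that either bypass the permitted mail relay or open more connections per hour than the budget allows. The relay address, the LOG prefix and the log lines themselves are constructed for the example.

```python
"""Flag mass-mailing hosts from firewall logs of outbound TCP/25 (SMTP) connection attempts."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAIL_SERVER = "192.168.1.10"   # hypothetical LAN relay allowed to open outbound port 25
MAX_PER_HOUR = 60              # per-host budget of new SMTP connections per hour (from the thread)

# Fields of a netfilter LOG line; only SYN packets (new connections) are counted.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)


def parse_line(line, year=2004):
    """Return (timestamp, source ip) for a new outbound SMTP connection, else None.
    Assumes syslog timestamps without a year; the year is supplied by the caller."""
    m = LOG_RE.search(line)
    if not m or m.group("dpt") != "25":
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("src")


def analyse(lines, mail_server=MAIL_SERVER, max_per_hour=MAX_PER_HOUR):
    """Return {'policy': hosts that bypass the relay, 'flood': hosts over the hourly budget}."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    window = timedelta(hours=1)
    recent = defaultdict(deque)          # src -> timestamps seen in the trailing hour
    findings = {"policy": set(), "flood": set()}
    for ts, src in events:
        if src != mail_server:           # any host other than the relay should be blocked outright
            findings["policy"].add(src)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > max_per_hour:        # applies to the relay itself too
            findings["flood"].add(src)
    return findings


def make_line(ts, src, dpt=25, flags="SYN"):
    """Build a constructed log line in the layout netfilter's LOG target produces."""
    return (f"{ts.strftime('%b %d %H:%M:%S')} gw kernel: OUT_SMTP IN=eth1 OUT=eth0 "
            f"SRC={src} DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF "
            f"PROTO=TCP SPT=51234 DPT={dpt} WINDOW=5840 RES=0x00 {flags} URGP=0")


def sample_log():
    """Constructed sample: a well-behaved relay, an infected desktop, a misconfigured desktop, noise."""
    base = datetime(2004, 7, 21, 1, 0, 0)
    lines = [make_line(base + timedelta(minutes=2 * i), "192.168.1.10") for i in range(30)]
    lines += [make_line(base + timedelta(seconds=6 * i), "192.168.1.23") for i in range(100)]
    lines.append(make_line(base + timedelta(minutes=5), "192.168.1.40"))
    lines.append(make_line(base + timedelta(minutes=50), "192.168.1.40"))
    lines.append(make_line(base + timedelta(minutes=7), "192.168.1.23", dpt=80))     # web, ignored
    lines.append(make_line(base + timedelta(minutes=8), "192.168.1.23", flags="ACK"))  # not a new connection
    return lines


if __name__ == "__main__":
    result = analyse(sample_log())
    print("bypassing the relay:", sorted(result["policy"]))
    print("over hourly budget: ", sorted(result["flood"]))
```

A host that shows up in both sets is the mass-mailing pattern the post describes; the relay appearing only in the flood set would instead point at the relay itself being abused.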
  • by geminidomino ( 614729 ) * on Wednesday July 21, 2004 @02:29AM (#9757236) Journal
    I personally feel that spam blocking is the burden of the receiver, just by the nature of the email protocol.

    All well and good, until /. runs another story about SPEWS blocking yet another idiot site who decided to save money by hosting at a spamhaus. THEN nobody has the right to BLOCK spam either, so they can get their email from BBR.

    And no matter how inane, idiotic, and offensive it may be, I feel it is protected under the 1st amendment.

    Then you have no idea what the 1st amendment is all about. Hint: If I tell you to STFU or get out of my store, I'm not violating your first amendment rights, because I'm not the government. Same goes for my email servers. 1st amendment Freedom of Speech/Assembly/etc... protection applies to the government.
  • by FFFish ( 7567 ) on Wednesday July 21, 2004 @02:48AM (#9757286) Homepage
    Virii may not be a word, but it is fun. And it's a little bit viral, too, because the more people use "virii," the closer it comes to being standard English. Which, as you must surely know, is choc-a-bloc full of mangled words.

    Virii: don't pass on it, pass it on!
  • by syousef ( 465911 ) on Wednesday July 21, 2004 @02:53AM (#9757301) Journal
    I use zonealarm. Most of the time it's a nice sane product, and the price can't be beaten. That gives me an alert every time a new piece of software tries to access the net, for both outgoing and incoming connections. I then get to choose whether to always allow the program to make the connection, or just allow that particular instance.

    Only problem is it's impractical to disallow common programs from connecting for themselves. So a trojan infecting one of these would make this feature useless. Perhaps what we need is an "allow x number of connections per y time" feature. That would stop floods and DDOS attacks at least.
  • ZoneAlarmPro (Score:3, Insightful)

    by v1x ( 528604 ) on Wednesday July 21, 2004 @02:58AM (#9757316) Homepage
    ZoneAlarmPro is best known for its ability to block and control outgoing traffic. However, lesser known is its ability to control outgoing email, by specifying which applications can send email, along with how many emails are sent at once before an alarm is raised about a possible virus/worm, and the offending application is frozen by ZoneAlarm until the user intervenes & allows it permission to do so. So, the functionality of the reverse firewall to reduce spam that the author is asking for is already available.
  • by cujo_1111 ( 627504 ) on Wednesday July 21, 2004 @03:18AM (#9757378) Homepage Journal
    I'd love to see a change to the SMTP spec so that the first 100k of any email is severely rate limited on a per connection basis.

    So, you send out an email with a 2 MB attachment, everything works as usual, save for the slower first 100k.


    How would this impact the spammers?

    They would just send fewer emails with more people in the BCC list. One email gets sent from the client and then the load gets put onto the servers sending it to all the recipients.

    Putting in arbitrary delays will only piss more people off. Sure, getting more people angry about SPAM may be a good thing to try and wipe it out but I think you may be going about it the wrong way.
  • Re:Off by default (Score:3, Insightful)

    by Marlor ( 643698 ) on Wednesday July 21, 2004 @03:27AM (#9757412)
    > There are several very good reasons to use your own email server instead of your ISPs:

    > 1. You can use any domain name(s) you want so you don't ever have to change your address as you change ISPs.


    You can do this easily with email forwarding by your domain registrar. Most charge less than $10/year for the service. As an added bonus, if your mailserver machine goes down for whatever reason, you will still get your mail. If your domain registrar doesn't offer this, you could easily get it from somewhere like DynDNS.

    > 2. Your ISP (or anyone else) can't read your mail while it's sitting on your own server. They can read it when it's sitting on their server.

    If you're really worried, you will use PGP or GPG. If your ISP is intrusive enough to read your email, then they can just as easily read it as it comes into your private mailserver.

    > 3. SPAM prevention. When you run your own server you can alias your account as many times as you wish, and are able to add/delete aliases instantly and at will, giving a unique address to each entity. If you get spam on an address, you delete it and create a new one.

    The aforementioned email forwarding services do this too.

    > 4. No limits on message content or size. Many ISPs limit the size of attachments. Granted, SMTP is not meant as a file transfer protocol, but that's not a reason to arbitrarily limit the size of messages.

    Not only is it bad netiquette to send massive attachments, but most servers will block them at the other end. I see attachments over 5MB as tantamount to DOS attacks. A company I worked for used to have a policy of unlimited sized attachments, until lusers started attaching 500MB files.

    > 5. Notification. When you own the server and new mail comes in you can have the server forward the mail to multiple places, or run scripts to notify you on a pager, via telephone, etc.

    Have you heard of fetchmail?

    > 6. Reliability. At least with my ISP, my mail server has a higher availability than theirs. Because of the load on the server from SPAM, it goes down fairly regularly and is frequently backlogged. Sure, this is just poor admin on their part, but with my own server it doesn't affect me.

    I'd quickly find a new ISP if this was the case. I know that my ISP's mail server certainly has higher availability than any PC in my house - although that is mainly because blackouts are more frequent here than in most places, and because ISDN is the best connection available here. However, if your ISP has less than 99% availability on their mailservers, there is something very wrong.
  • Dangerous twaddle (Score:5, Insightful)

    by cardpuncher ( 713057 ) on Wednesday July 21, 2004 @04:06AM (#9757532)
    Apart from the annoying debasement of the word "scientist", this really does reveal VeriSign's view of the function of the Internet and, unfortunately, it's becoming more common.

    If I buy an "Internet" service I have a reasonable expectation of being able to run any service I can encode in IP packets and have that service routed transparently end to end. I *should* be able to run a VPN, remotely mount filesystems, use VoIP or even run a mailserver if I want to. If I can't it isn't an Internet.

    Increasingly, ISPs seem to think that providing a link to their web proxy and a POP3 mailbox constitutes an adequate service. It might be for some people, but it's not the Internet, it's CompuServe revisited. It's good for ISPs though, because they can start charging you extra for "services" which simply involve them removing rules from your compulsory firewall.
  • Re:Off by default (Score:5, Insightful)

    by Phil Karn ( 14620 ) <karn.ka9q@net> on Wednesday July 21, 2004 @05:00AM (#9757729) Homepage
    > If your ISP is intrusive enough to read your email, then they can just as easily read it as it comes into your private mailserver.

    Many (most?) MTAs now support the STARTTLS SMTP command. Set up your own mail server, create a self-signed certificate, and a remarkable fraction of your email will be automatically encrypted during the transfer. Even much of my incoming spam is encrypted in this way. Since it comes from all over the world, this actually serves as a useful mask for anyone doing traffic analysis.

    Your ISP could still intercept your mail with a man-in-the-middle attack, but that's far less likely than browsing your mail files on their server.

    > I'd quickly find a new ISP if this was the case.

    Well, mail server unreliability is a problem with many ISPs. Even though my ISP's server works most of the time, I still can't log in and run "mailq". I do that regularly with my own server, and I depend on it.

    > Not only is it bad netiquette to send massive attachments, but most servers will block them at the other end.

    While I personally avoid sending large attachments, I can't reasonably object when it's done between consenting parties. So I don't see this as a valid argument against personal mail servers, but rather a strong argument in favor since the ISP's mail admin doesn't have to be a consenting party.

    > Have you heard of fetchmail?

    Do you really want it to poll every minute? When you run your own mail server, you don't have to decide between overhead and quick notification of incoming email. Maybe you don't see the need to be notified of new email that quickly, but what right do you have to impose your personal preferences on others?

    The bottom line is that I feel very strongly that there are many perfectly valid reasons for individuals to run their own mail servers, and no ISP should deny them this right as long as they don't bother anyone else, e.g., by sending spam.

    This isn't just about the right to run personal email servers. It's about something much more important and fundamental: preserving and protecting the end-to-end model that made the Internet such a success. If we permit ISPs to encroach on the end-to-end principle for what may appear to the naive person to be "worthy" reasons, it won't end until it becomes almost impossible to innovate with new and useful end-to-end services.

  • Re:Off by default (Score:4, Insightful)

    by egburr ( 141740 ) on Wednesday July 21, 2004 @07:40AM (#9758208) Homepage
    > My best advice if you don't like your ISP's servers is find one that works better.

    I did exactly that. My mailserver works better for my purposes than that of any ISP I have ever used. I found what works best for me and implemented it. Who are you to say that my solution of running my own mailserver is wrong?

    All those other reasons you lumped together as "specious excuses" are valid reasons. An ISP typically has hundreds, thousands, or even tens of thousands of users. They have massive mail servers that are designed to provide service to those vast quantities of users. My mail server is used by only a very few people (4). It is a lot more suitable for my needs than my ISP's server is.

  • Yeah right... (Score:3, Insightful)

    by Anita Coney ( 648748 ) on Wednesday July 21, 2004 @07:45AM (#9758227) Homepage
    And the cable companies would NEVER use it to shut down things they don't like, e.g., online gaming servers, p2p programs, etc.

  • by Jahf ( 21968 ) on Wednesday July 21, 2004 @09:56AM (#9759123) Journal
    That's your fault for not implementing a checking algorithm when the users are changing their passwords.

    We had a password checker for our users (when I was at an ISP) that prevented stupid user dictionary attacks back in 1994/1995. A little user hassle at that bottleneck prevents a world of hurt later on.
