Reverse Firewalls As An Anti-Spam Tool 513
An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail. ""
Comment removed (Score:2, Insightful)
And who will control what to control? (Score:3, Insightful)
This looks like yet another way to force us to use the Internet in the way that corporations/governements want us to. No fucking thank you.
A better idea... (Score:5, Insightful)
But that would be silly now, wouldn't it? Sure, it would cost a lot a migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?
Re:Wouldn't software firewalls do this as well... (Score:4, Insightful)
I'm not sure this is an option that the average windows user (and almost anyone sending out spam on their virus laden pc uses windows) would find simple.
Working as a support tech and dealing with mainly connectivity issues, I've learned that the number one issue blocking users from desirable online actities or access itself is a firewall. It used to be that the first troubleshooting step was to check the connections. Now it's become, check for firewalls.
I'm not sure the average windows user would find this a simple solution.
Re:And who will control what to control? (Score:5, Insightful)
You do realize that this isn't a discussion about a law to make it illegal to connect to the internet without such a reverse firewall, don't you? How is this guy's (not so hot) idea forcing you to do anything?
The Journey of 1,000 miles (Score:2, Insightful)
Why this might be a good idea for this problem (Score:1, Insightful)
Reverse firewalls? (Score:5, Insightful)
The other article is really describing a completely different thing. They use the same term, reverse firewall, but they talk about firewalling each individual machine inside a lan. Basically, they suggest a firewall on each machine to protect the internal network from attacks that originate inside it. Completely different use of the term.
It sort of looks like the submitter just googled for "reverse firewall" and posted the first match. Or actually it appears to be the 4th match. Anyway, regardless, the two links seem to be talking about different things. Both of them have merit, but neither seems particularly innovative. I do like the first articles idea of rate limiting outgoing email on home router boxes by default. Seems like it would solve a lot of spam problems.
Re:Not just for spam! (Score:3, Insightful)
Re:Are they user proof? (Score:2, Insightful)
I undrestand... (Score:3, Insightful)
Re:And who will control what to control? (Score:3, Insightful)
Did you actually read anything?
He says reverse firewalls should be embedded in every cable modem and wireless access point for home users.
He certainly does think it would be a good idea to require a reverse firewall before connecting to the internet.
Idea becomes discussion ... discussion becomes policy ... policy becomes law. And Dhakbar says "Why, O!, why did this happen?"
How much will it be useful ? (Score:2, Insightful)
Re:And who will control what to control? (Score:3, Insightful)
No, that is the right response to a dumb ass comment. If someone doesn't understand something, that's fine - it probably can be learned - but the assertive attitude combined with utmost stupidity and ignorance goes on most people nerves.
The only "problem" is that he cares and can't take it any more. In the old times most comments (and stories) used to be fairly intelligent. In case you haven't noticed, it's been getting real bad - now about 20% of content is useful/informative/worthwile and 80% is indistinguishable from any other forum.
Re:Wouldn't software firewalls do this as well... (Score:3, Insightful)
I know there are products like ZoneAlarm and such to try and make it easier for non technical users to use them, but Joe Average people will be baffled by them since they don't understand how networks work and everything that goes with that.
There is research into making computers self maintainable and repair themselves and such but its a long way away from making the Joe Average safe to use a computer on the internet. Alot more work needs to go into transparent computer adminstration systems that free Joe Average (and their administrators, family computer lackeys etc) from having to deal with computer problems that could be solved or avoided, with what we would consider common sense.
There seem to be alot of misconceptions. (Score:3, Insightful)
It is different to software "reverse firewalls" such as Zonealarm as it couldn't easily be turned off by viruses and the like. But on the other hand it lets anything through once.
It would be beneficial to prevent the massing hordes of clueless broadband users from being juicy targets to the spammmer - since each zombie could only send out a pathetically tiny number per hour.
Re:Off by default (Score:3, Insightful)
Re:And who will control what to control? (Score:4, Insightful)
If you want access to a blocked port, i'm shure that you could easily open it. But this is not about "computer experts" or something like that, this reverse firewall aims the average computer user. They are the ones whose computers are beeing used as spam spreaders by someone else.
Re:A better idea... (Score:4, Insightful)
We shouldn't be grafting band-aids and restricting the network model to fix a single broken protocol. SMTP is the problem. Fix it and leave everything else alone. You wouldn't propose mucking around with TCP because any other application layer protocol was broken.
Re:Off by default (Score:5, Insightful)
1. You can use any domain name(s) you want so you don't every have to change your address as you change ISPs.
2. Your ISP (or anyone else) can't read your mail while it's sitting on your own server. They can read it when it sitting on their server.
3. SPAM prevention. when you run your own server you can alias your account as many times as you wish, and are able to add/delete aliases instantly and at will. When you give a unique address to each entity. If you get spam on an address, you delete it and create a new one.
4. No limits on message content or size. Many ISPs limit the size of attachments. Granted, SMTP is not meant as a file transfer protocol, but that's not a reason to arbitrarily limit the size of messages.
5. Notification. When you own the server and new mail comes in you have have the server forward the mail to multiple places, or run scripts to notify you on a pager, via telephone, etc.
6. Reliability. At least with My ISP, my mail server has a higher availability than theirs. Because of the load on the server from SPAM, it goes down fairly regularly and is frequently backlogged. Sure this is just poor admin on their part, but with my own server it doesn't affect me.
Re:This isn't normal behavior? (Score:5, Insightful)
I know I've had my firewall setup to block outgoing port 25 traffic that doesn't come from the mail server for a long time now. I also log outbound port 25 requests, and twice this has alerted me to when one of my users was infected with a mass-mailing trojan.
Anyone who runs a firewall and does not currently have it set up similar to this should block outgoing port 25 connections that do not originate from your mail server immediately.
If you're running any reasonably modern firewall (or using Linux and iptables for your firewall) this is fairly trivial to setup.
Come on, guys. Let's all do our part to stop spam. Every little bit helps.
Re:The downside of free speech. (Score:3, Insightful)
All well and good, until
And no matter how inane, idiotic, and offensive it may be, I feel it is protected under the 1st amendment.
Then you have no idea what the 1st amendment is all about. Hint: If I tell you to STFU or get out of my store, I'm not violating your first amendment rights, because I'm not the government. Same goes for my email servers. 1st amendment Freedom of Speech/Assembly/etc... protection applies to the government.
Re:Oh yeah, router manufacturers will buy this... (Score:2, Insightful)
Virii: don't pass on it, pass it on!
Software firewalls already do this. (Score:3, Insightful)
Only problem is its impractical to disallow common programs from connecting for themselves. So a trojan infecting one of these would make this feature useless. Perhaps what we need is an "allow x number of connections per y time" feature. That would stop floods and DDOS attacks at least.
ZoneAlarmPro (Score:3, Insightful)
Re:Why this might be a good idea for this problem (Score:2, Insightful)
So, you send out an email with a 2 MB attachment, everything works as usual, save for the slower first 100k.
How would this impact the spammers?
They would just send fewer emails with more people in the BCC list. One email gets sent from the client and then the load gets put onto the servers sending it to all the recipients.
Putting in arbitrary delays will only piss more people off. Sure, getting more people angry about SPAM may be a good thing to try and wipe it out but I think you may be going about it the wrong way.
Re:Off by default (Score:3, Insightful)
1. You can use any domain name(s) you want so you don't every have to change your address as you change ISPs.
You can do this easily with email forwarding by your domain registrar. Most charge less than $10/year for the service. As an added bonus, if your mailserver machine goes down for whatever reason, you will still get your mail. If your domain registrar doesn't offer this, you could easily get it from somewhere like DynDNS.
2. Your ISP (or anyone else) can't read your mail while it's sitting on your own server. They can read it when it sitting on their server.
If you're really worried, you will use PGP or GPG. If your ISP is intrusive enough to read your email, then they can just as easily read it as it comes into your private mailserver.
3. SPAM prevention. when you run your own server you can alias your account as many times as you wish, and are able to add/delete aliases instantly and at will. When you give a unique address to each entity. If you get spam on an address, you delete it and create a new one.
The aforementioned email forwarding services do this too.
4. No limits on message content or size. Many ISPs limit the size of attachments. Granted, SMTP is not meant as a file transfer protocol, but that's not a reason to arbitrarily limit the size of messages.
Not only is it bad netiquette to send massive attachments, but most servers will block them at the other end. I see attachments over 5MB as tantamount to DOS attacks. A company I worked for used to have a policy of unlimited sized attachments, until lusers started attaching 500MB files.
5. Notification. When you own the server and new mail comes in you have have the server forward the mail to multiple places, or run scripts to notify you on a pager, via telephone, etc.
Have you heard of fetchmail?
6. Reliability. At least with My ISP, my mail server has a higher availability than theirs. Because of the load on the server from SPAM, it goes down fairly regularly and is frequently backlogged. Sure this is just poor admin on their part, but with my own server it doesn't affect me.
I'd quickly find a new ISP if this was the case. I know that my ISP's mail server certainly has higher availability than any PC in my house - although that is mainly because blackouts are more frequent here than in most places, and because ISDN is the best connection available here. However, if your ISP has less than 99% availability on their mailservers, there is something very wrong.
Dangerous twaddle (Score:5, Insightful)
If I buy an "Internet" service I have a reasonable expectation of being able to run any service I can encode in IP packets and have that service routed transparently end to end. I *should* be able to run a VPN, remotely mount filesystems, use VoIP or even run a mailserver if I want to. If I can't it isn't an Internet.
Increasingly, ISPs seem to think that providing a link to their web proxy and a POP3 mailbox constitutes an adequate service. It might be for some people, but it's not the Internet, it's CompuServe revisited. It's good for ISPs though, because they can start charging you extra for "services" which simply involve them removing rules from your compulsory firewall.
Re:Off by default (Score:5, Insightful)
Many (most?) MTAs now support the STARTTLS SMTP command. Set up your own mail server, create a self-signed certificate, and a remarkable fraction of your email will be automatically encrypted during the transfer. Even much of my incoming spam is encrypted in this way. Since it comes from all over the world, this actually serves as a useful mask for anyone doing traffic analysis.
Your ISP could still intercept your mail with a man-in-the-middle attack, but that's far less likely than browsing your mail files on their server.
Well, mail server unreliability is a problem with many ISPs. Even though my ISP's server works most of the time, I still can't log in and run "mailq". I do that regularly with my own server, and I depend on it.
While I personally avoid sending large attachments, I can't reasonably object when it's done between consenting parties. So I don't see this as a valid argument against personal mail servers, but rather a strong argument in favor since the ISP's mail admin doesn't have to be a consenting party.
Do you really want it to poll every minute? When you run your own mail server, you don't have to decide between overhead and quick notification of incoming email. Maybe you don't see the need to be notified of new email that quickly, but what right do you have to impose your personal preferences on others?
The bottom line is that I feel very strongly that there are many perfectly valid reasons for individuals to run their own mail servers, and no ISP should deny them this right as long as they don't bother anyone else, e.g., by sending spam.
This isn't just about the right to run personal email servers. It's about something much more important and fundamental: preserving and protecting the end-to-end model that made the Internet such a success. If we permit ISPs to encroach on the end-to-end principle for what may appear to the naive person to be "worthy" reasons, it won't end until it becomes almost impossible to innovate with new and useful end-to-end services.
Re:Off by default (Score:4, Insightful)
I did exactly that. My mailserver works better for my purposes than that of any ISP I have ever used. I found what works best for me and implemented it. Who are you to say that my solution of running my own mailserver is wrong?
All those other reasons you lumped together as "specious excuses" are valid reasons. An ISP typically has hundreds, thousands, or even tens of thousands of users. They have massive mail servers that are designed to provide service to those vast quntities of users. My mail server is used by only a very few people (4). It is a lot more suitable for my needs than my ISP's server is.
Yeah right... (Score:3, Insightful)
Re:A better idea... (Score:5, Insightful)
We had a password checker for our users (when I was at an ISP) that prevented stupid user dictionary attacks back in 1994/1995. A little user hassle at that bottleneck prevents a world of hurt later on.