Reverse Firewalls As An Anti-Spam Tool
An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail.""
I have Kerio Personal Firewall on my Windows machine and it prompts me about every outgoing connection (to learn it, or allow it, or block it).
A cable modem with a reverse firewall sounds nice but I would rather handle this at the CPU level. I want to choose what to block and accept.
Strange women lying in ponds distributing swords is no basis for a system of government.
Put away that tin foil hat. Would you say the same thing about normal firewalls? After all, normal firewalls don't allow traffic from Bittorrent, most online games, etc etc etc without configuration. So.... "Who will control what defines an attack?" The answer is, as always, you.
Quid festinatio swallonis est aetherfuga inonusti?
Africus aut Europaeus?
Hear, hear!
... It's a firewall. Actually we should call inbound-only firewalls half-firewalls to distinguish them from real firewalls.
An outbound firewall is still a firewall, not "reverse firewall" or "anti firewall" or
For the love of Jesus, I hate any Slashdot article relating to viruses. I have to read through comment after comment using the accursed "virii".
"Virii" is, and let me put this gently, not a goddamn word. I say this not just for your sake, but in the hope that at least a hundredth of the people operating under this painful warping of the English language. Read this, I beg you, and stop making me - and anyone who knows the word - cringe.
By reading this comment, you immediately waive any and all rights regarding it.
No. See. There's a difference.
On those routers, it provides functionality. It allows software the ability to portmap itself to allow functionality as a server. For P2P, for instance, that's a boon.
On a firewall specifically designed to block outgoing attacks, that is a worthless function. It would, however, allow malicious programs free access, making it worthless.
If you can't see the difference, you're hopeless.
Except they're discussing an external firewall in the cable modem. The ISP would control that. So you'd be stuck with RoadRunner's (Comcast, etc) definition.
I still have more fans than freaks. WTF is wrong with you people?
Enhanced SMTP, better known as ESMTP, is not hypothetical. It's out there, it works, mail clients know about it. It's optional and most ISPs I've used don't have strong authentication. They could, but choose not to. Search Google for Enhanced SMTP or you'll find an ESMTP mail server.
It seems you're proposing the same argument the article does. Basically security needs to be enabled by default. The internet is no longer a place where you can trust. They are suggesting a hardware fix, you're suggesting software.
Either way it will most likely require some pretty big players like AOL or Microsoft to implement it before it would achieve critical mass. Designing a different way of doing things isn't hard, it's getting everyone else to agree to it and use it.
AOL started implementing SPF to stop spam. If AOL/MSN/Yahoo all decide to stop accepting mail that doesn't come from SPF-using sites, adoption should happen in about a fortnight.
Did you select from that "form" randomly or did you want to actually make an insightful point?
(x) Users of email will not put up with it
Actually if implemented properly (allowing people to configure it) people WILL put up with it.
(x) Requires immediate total cooperation from everybody at once
No. Every user that gets one of these things helps.
(x) Lack of centrally controlling authority for email
Huh?
(x) Open relays in foreign countries
No. Every user that gets this helps.
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
I think this is practical. Just like a regular firewall is practical. (Might as well make this thing a proper full blown hardware firewall)
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
Pardon?
(x) This is a stupid idea, and you're a stupid company for suggesting it.
Yes - very amusing. We're all laughing at your stupidity.
This is not a fix-all solution. But it's a simple solution that would help to alleviate some of the spam problem.
groklaw, wired and slashdot. The holy trinity of work based time wasting.
but a firewall is a piece of software which allows or denies packets based on their properties; it cares not in which direction they are flowing.
A reverse firewall, then, is just a firewall. It's like the difference between a slash and a forward slash (pet peeve). In fact, if you use an iptables or ipchains firewall, you only need a few extra rules to implement this on your gateway machine.
I stand corrected, yes, your analysis is correct in regard to the abandonment of SMTP recommendation.
Sam
blog.sam.liddicott.com
Port 1984 is registered by IANA to an actual product named "Big Brother".
bb 1984/tcp BB
bb 1984/udp BB
Yep, it is getting more widespread too.
I've run a redhat/dsl box in my basement for four years. Until 6 months ago I had real internet access. Then they blocked outgoing SMTP. I'm running several mailing lists -- High school alumni with about 60 or so people per list. One in particular can get quite active. I also send out newsletters regarding an upcoming event to 100 people or so.
Reworking exim to use the ISP's SMTP server wasn't a problem, until they actually started counting outgoing emails and disabled my account for a day due to >300 emails/hour.
I figured it was time to move from my "grey" basement server to a commercial host. I was amazed at the price for what I wanted -- $8/month or less! I signed up and had things working in a few hours.
It took a few days before problems really started to appear. Lots of people didn't appear to be getting email from the lists. More research showed that, in fact, although they advertised mailman lists, they still limited outgoing emails to ~60/hour or less.
Two months later, I'm still with them. Looking around I've found that just about everyone puts those same anti-spam limits on outgoing email. Not having limits labels a provider as being "spam friendly", and I am the one suffering. The best I could find without limits was $35/month, which is steeper than I would like.
"We have met the enemy, and he is us!"
Michael
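The trade-off running through the thread above (stop a flood of outbound mail, allow a normal flow, and what that does to a small list operator) can be seen in a per-host token bucket on new outbound TCP/25 connections. This is an added example, not code from any poster or product mentioned here; the class and function names, the burst of 20, the 192.0.2.x addresses and the traffic samples are constructed assumptions, and the 60/hour rate simply echoes the hosting limit quoted above.

```python
from dataclasses import dataclass

SMTP_PORT = 25


@dataclass
class Bucket:
    tokens: float   # connections the host may still open right now
    last: float     # timestamp of the previous SMTP attempt (seconds)


class EgressSmtpLimiter:
    """Hypothetical gateway policy: rate-limit NEW outbound SMTP per inside host."""

    def __init__(self, rate_per_hour=60, burst=20):
        self.rate = rate_per_hour / 3600.0   # tokens refilled per second
        self.burst = float(burst)
        self.buckets = {}

    def allow(self, ts, src, dport):
        if dport != SMTP_PORT:               # only mail egress is policed
            return True
        b = self.buckets.setdefault(src, Bucket(self.burst, ts))
        b.tokens = min(self.burst, b.tokens + (ts - b.last) * self.rate)
        b.last = ts
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False                         # a real gateway would drop and log


def replay(events, limiter):
    """Return {src: [allowed, dropped]} for (ts, src, dport) connection events."""
    stats = {}
    for ts, src, dport in events:
        counts = stats.setdefault(src, [0, 0])
        counts[0 if limiter.allow(ts, src, dport) else 1] += 1
    return stats


def constructed_events():
    """Constructed sample traffic, one SMTP connection per message."""
    ev = [(t * 600, "192.0.2.10", 25) for t in range(6)]         # home user mail
    ev += [(t * 5, "192.0.2.10", 443) for t in range(200)]       # same user, web
    ev += [(i * 0.2, "192.0.2.66", 25) for i in range(300)]      # bot: 5 conn/s
    ev += [(1800 + i, "192.0.2.25", 25) for i in range(60)]      # list fan-out
    return sorted(ev)


if __name__ == "__main__":
    for src, (ok, dropped) in replay(constructed_events(), EgressSmtpLimiter()).items():
        print(f"{src}: allowed={ok} dropped={dropped}")
```

The bot and the 60-recipient list post are cut off at the same point, which is the false positive the list operator above ran into: a per-host allowance or authenticated submission to a relay is what separates the two cases, not the rate alone.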
And I've been using it for years.
Great for stopping those pesky programs that like to "phone home to mother" without your permission.
If a trojan infects an application, then ZoneAlarm notes that the MD5 hash has changed and it asks you again if you want to allow that application access. If you haven't done anything to change it, then block access and investigate.
Veteran, Bermuda Triangle Expeditionary Force, 1992-1951