Slashdot Mirror


Reverse Firewalls As An Anti-Spam Tool

An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail.""


  1. And who will control what to control? by jrockway · · Score: 3, Insightful

    Ahh, and who will control what defines an attack? Is using Freenet an attack? Bittorrent? Kazaa?

    This looks like yet another way to force us to use the Internet in the way that corporations/governments want us to. No fucking thank you.

    --
    My other car is first.
    1. Re:And who will control what to control? by dhakbar · · Score: 5, Insightful

      Force?

      You do realize that this isn't a discussion about a law to make it illegal to connect to the internet without such a reverse firewall, don't you? How is this guy's (not so hot) idea forcing you to do anything?

    2. Re:And who will control what to control? by Anonymous Coward · · Score: 3, Insightful

      Did you actually read anything?

      He says reverse firewalls should be embedded in every cable modem and wireless access point for home users.

      He certainly does think it would be a good idea to require a reverse firewall before connecting to the internet.

      Idea becomes discussion ... discussion becomes policy ... policy becomes law. And Dhakbar says "Why, O!, why did this happen?"

    3. Re:And who will control what to control? by hoferbr · · Score: 3, Insightful

      IMHO, I think you're missing the point. The article states that the reverse-firewall would block traffic from specific ports that used the computer as, quoting the article, "a group of "zombie" machines hijacked to distribute huge amounts of fraudulent e-mail or launch denial-of-service attacks without being traced directly."
      If you want access to a blocked port, I'm sure that you could easily open it. But this is not about "computer experts" or something like that; this reverse firewall aims at the average computer user. They are the ones whose computers are being used as spam spreaders by someone else.

  2. A better idea... by SixDimensionalArray · · Score: 5, Insightful

    Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.) to more robust and secured ones would be easier than having to create a product just to limit what you can do with your own machine and network connection.

    But that would be silly now, wouldn't it? Sure, it would cost a lot a migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?

    1. Re:A better idea... by KillerCow · · Score: 3, Insightful

      I have to agree with this. SMTP was designed when all of the machines involved were trusted. That isn't the case anymore. Since a design assumption has been fundamentally broken, it needs to be redesigned.

      We shouldn't be grafting band-aids and restricting the network model to fix a single broken protocol. SMTP is the problem. Fix it and leave everything else alone. You wouldn't propose mucking around with TCP because any other application layer protocol was broken.

    2. Re:A better idea... by Jahf · · Score: 4, Insightful

      That's your fault for not implementing a checking algorithm when the users are changing their passwords.

      We had a password checker for our users (when I was at an ISP) that prevented stupid user dictionary attacks back in 1994/1995. A little user hassle at that bottleneck prevents a world of hurt later on.

      --
      It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
  3. Re:Wouldn't software firewalls do this as well... by Mistlefoot · · Score: 3, Insightful

    Absolutely.

    I'm not sure this is an option that the average windows user (and almost anyone sending out spam on their virus laden pc uses windows) would find simple.

    Working as a support tech and dealing with mainly connectivity issues, I've learned that the number one issue blocking users from desirable online activities or access itself is a firewall. It used to be that the first troubleshooting step was to check the connections. Now it's become, check for firewalls.

    I'm not sure the average windows user would find this a simple solution.

  4. Reverse firewalls? by afay · · Score: 4, Insightful

    First of all, the linked article simply describes a firewall blocking some outgoing traffic with easy rate limit rules (i.e. no email after x messages sent in y amount of time). There's no need to call it a reverse firewall. It's a firewall, plain and simple. Just because most people allow all outgoing traffic doesn't mean that if you block some you've invented a new type of firewall.

    The other article is really describing a completely different thing. They use the same term, reverse firewall, but they talk about firewalling each individual machine inside a lan. Basically, they suggest a firewall on each machine to protect the internal network from attacks that originate inside it. Completely different use of the term.

    It sort of looks like the submitter just googled for "reverse firewall" and posted the first match. Or actually it appears to be the 4th match. Anyway, regardless, the two links seem to be talking about different things. Both of them have merit, but neither seems particularly innovative. I do like the first article's idea of rate limiting outgoing email on home router boxes by default. Seems like it would solve a lot of spam problems.

    --
    Best slashdot comment
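Added example, not from the article or from any commenter in this thread: the "no e-mail after x messages sent in y amount of time" rule afay describes, modelled as a per-host sliding window over outbound port-25 connections. This is the same semantics iptables' hashlimit match gives you in the kernel; the LAN addresses, thresholds and traffic below are constructed for the demo.

```python
"""Sliding-window rate limit on outbound SMTP connections per LAN host.

Added example (not from the article or the thread). Models the
"no more than x messages in y seconds" rule a home router could apply
to port 25, the same idea iptables' hashlimit match implements.
All hosts, timestamps and thresholds below are constructed.
"""
from collections import defaultdict, deque

SMTP_PORT = 25


class SmtpEgressLimiter:
    def __init__(self, max_conns: int, window_seconds: float):
        self.max_conns = max_conns
        self.window = window_seconds
        # src_ip -> timestamps of connections that were allowed
        self._history = defaultdict(deque)

    def allow(self, src_ip: str, ts: float) -> bool:
        """True if a new outbound port-25 connection from src_ip at time ts
        is within quota; False if the host exceeded max_conns in the window."""
        q = self._history[src_ip]
        # Age out timestamps that fell outside the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_conns:
            return False  # over quota: the router would drop the SYN
        q.append(ts)
        return True


def apply_policy(events, limiter):
    """events: iterable of (ts, src_ip, dst_port).
    Returns {src_ip: {"allowed": n, "blocked": m}} counting only port-25
    flows; everything else passes untouched."""
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, src, dport in sorted(events):
        if dport != SMTP_PORT:
            continue  # the policy only touches mail submission
        key = "allowed" if limiter.allow(src, ts) else "blocked"
        stats[src][key] += 1
    return dict(stats)


# Constructed sample traffic: a normal user and a spam bot on one LAN.
NORMAL_USER = "192.168.1.20"
SPAM_BOT = "192.168.1.66"


def sample_events():
    evts = []
    # The user sends 5 mails spread over an hour, plus some HTTPS traffic.
    for i in range(5):
        evts.append((i * 720.0, NORMAL_USER, 25))
    evts.append((100.0, NORMAL_USER, 443))
    # The bot opens 300 SMTP connections within 60 seconds.
    for i in range(300):
        evts.append((1000.0 + i * 0.2, SPAM_BOT, 25))
    return evts


def run_demo():
    # 20 outbound SMTP connections per hour is generous for a home user.
    limiter = SmtpEgressLimiter(max_conns=20, window_seconds=3600)
    return apply_policy(sample_events(), limiter)


if __name__ == "__main__":
    for host, s in run_demo().items():
        print(f"{host}: allowed={s['allowed']} blocked={s['blocked']}")
```

The limit is per source address, so one infected box cannot consume the quota of the other hosts behind the same router, and a user who really does send twenty mails in an hour only has the twenty-first delayed, not lost.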
  5. Re:Not just for spam! by DAldredge · · Score: 3, Insightful

    For about 3.2 seconds till the UPNP enabled virus tells the UPNP enabled firewall that it is an authorized app...

  6. Re:Off by default by gerardrj · · Score: 4, Insightful

    There are several very good reasons to use your own email server instead of your ISPs:

    1. You can use any domain name(s) you want so you don't ever have to change your address as you change ISPs.

    2. Your ISP (or anyone else) can't read your mail while it's sitting on your own server. They can read it when it sitting on their server.

    3. SPAM prevention. When you run your own server you can alias your account as many times as you wish, and are able to add/delete aliases instantly and at will, giving a unique address to each entity. If you get spam on an address, you delete it and create a new one.

    4. No limits on message content or size. Many ISPs limit the size of attachments. Granted, SMTP is not meant as a file transfer protocol, but that's not a reason to arbitrarily limit the size of messages.

    5. Notification. When you own the server and new mail comes in you can have the server forward the mail to multiple places, or run scripts to notify you on a pager, via telephone, etc.

    6. Reliability. At least with my ISP, my mail server has a higher availability than theirs. Because of the load on the server from SPAM, it goes down fairly regularly and is frequently backlogged. Sure this is just poor admin on their part, but with my own server it doesn't affect me.

    --
    Article X: The powers not delegated... by the Constitution...are reserved...to the people
  7. Re:This isn't normal behavior? by Christopher Cashell · · Score: 5, Insightful

    Even for LAN firewalls, this is, or should be, normal behavior.

    I know I've had my firewall setup to block outgoing port 25 traffic that doesn't come from the mail server for a long time now. I also log outbound port 25 requests, and twice this has alerted me to when one of my users was infected with a mass-mailing trojan.

    Anyone who runs a firewall and does not currently have it set up similar to this should block outgoing port 25 connections that do not originate from your mail server immediately.

    If you're running any reasonably modern firewall (or using Linux and iptables for your firewall) this is fairly trivial to setup.

    Come on, guys. Let's all do our part to stop spam. Every little bit helps.

    --
    Topher
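Added example, not from the article or from Topher's post: the "log outbound port 25 and let the log tell you who is infected" practice above, as the analysis half of such a setup. It assumes an iptables policy of the kind the comment describes, with the LAN mail server on 192.168.1.10, the WAN side on eth0, and the interface names, addresses and log lines all constructed for the demo: `iptables -A FORWARD -o eth0 -p tcp --dport 25 -s 192.168.1.10 -j ACCEPT`, then `iptables -A FORWARD -o eth0 -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-EGRESS "`, then `iptables -A FORWARD -o eth0 -p tcp --dport 25 -j REJECT`. The script parses the resulting kernel log lines and flags hosts that contact several distinct remote mail servers, which is what a mass-mailer looks like and what a client with a mistyped relay setting does not.

```python
"""Spot LAN hosts that try to speak SMTP directly to the Internet.

Added example, not part of the original thread. Assumes an iptables
FORWARD policy that ACCEPTs port 25 from the LAN mail server, LOGs every
other outbound port-25 SYN with prefix "SMTP-EGRESS ", then REJECTs it.
Interface names, addresses and the sample log are constructed.
"""
import re
from collections import defaultdict

LOG_PREFIX = "SMTP-EGRESS"
MAIL_SERVER = "192.168.1.10"  # assumed: the only legitimate LAN MTA

# Kernel LOG output is a run of KEY=VALUE pairs; bare flags such as
# DF or SYN carry no '=' and are ignored by this pattern.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line: str):
    """Return src/dst/sport of one iptables LOG line carrying our prefix
    and a TCP/25 destination, or None for anything else."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(_KV.findall(line))
    if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
        return None
    return {"src": fields.get("SRC"), "dst": fields.get("DST"),
            "sport": int(fields.get("SPT", 0))}


def find_suspects(lines, mail_server=MAIL_SERVER, min_distinct_dst=3):
    """Count distinct remote SMTP destinations per LAN source.
    Returns {src: n} for hosts other than the mail server that hit at
    least min_distinct_dst different remote MXes: a mass-mailing trojan
    fans out to many MXes, a misconfigured client repeats one relay."""
    dsts = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["src"] == mail_server:
            continue
        dsts[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dst}


# Constructed kernel log: .33 fans out to four MXes within a second,
# .44 retries one relay twice, and one unrelated kernel message.
SAMPLE_LOG = """\
Jan 12 03:14:07 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.33 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4402 DF PROTO=TCP SPT=49152 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 03:14:07 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.33 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4403 DF PROTO=TCP SPT=49153 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 03:14:08 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.33 DST=203.0.113.99 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4404 DF PROTO=TCP SPT=49154 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 03:14:08 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.33 DST=198.51.100.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4405 DF PROTO=TCP SPT=49155 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 03:20:41 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.44 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1017 DF PROTO=TCP SPT=3056 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 03:20:52 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.44 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1018 DF PROTO=TCP SPT=3057 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 03:21:00 gw kernel: eth0: link up, 100Mbps, full-duplex
"""


def run_demo():
    return find_suspects(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for host, n in run_demo().items():
        print(f"{host}: outbound SMTP to {n} distinct hosts, not the mail server")
```

Because the LOG rule only matches SYNs, each line is one connection attempt rather than one packet, so the counts are not inflated by retransmissions; feeding the same lines to a cron job or a syslog watcher gives the alert Topher describes without touching the firewall rules again.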
  8. ZoneAlarmPro by v1x · · Score: 3, Insightful

    ZoneAlarmPro is best known for its ability to control outgoing traffic. However, lesser known is its ability to control outgoing email, by specifying which applications can send email, along with how many emails are sent at once before an alarm is raised about a possible virus/worm, and the offending application is frozen by ZoneAlarm until the user intervenes & allows it permission to do so. So, the functionality of the reverse firewall to reduce spam that the author is asking for is already available.

  9. Dangerous twaddle by cardpuncher · · Score: 5, Insightful

    Apart from the annoying debasement of the word "scientist", this really does reveal VeriSign's view of the function of the Internet and, unfortunately, it's becoming more common.

    If I buy an "Internet" service I have a reasonable expectation of being able to run any service I can encode in IP packets and have that service routed transparently end to end. I *should* be able to run a VPN, remotely mount filesystems, use VoIP or even run a mailserver if I want to. If I can't it isn't an Internet.

    Increasingly, ISPs seem to think that providing a link to their web proxy and a POP3 mailbox constitutes an adequate service. It might be for some people, but it's not the Internet, it's CompuServe revisited. It's good for ISPs though, because they can start charging you extra for "services" which simply involve them removing rules from your compulsory firewall.

  10. Re:Off by default by Phil Karn · · Score: 5, Insightful
    If your ISP is intrusive enough to read your email, then they can just as easily read it as it comes into your private mailserver.

    Many (most?) MTAs now support the STARTTLS SMTP command. Set up your own mail server, create a self-signed certificate, and a remarkable fraction of your email will be automatically encrypted during the transfer. Even much of my incoming spam is encrypted in this way. Since it comes from all over the world, this actually serves as a useful mask for anyone doing traffic analysis.

    Your ISP could still intercept your mail with a man-in-the-middle attack, but that's far less likely than browsing your mail files on their server.

    I'd quickly find a new ISP if this was the case.

    Well, mail server unreliability is a problem with many ISPs. Even though my ISP's server works most of the time, I still can't log in and run "mailq". I do that regularly with my own server, and I depend on it.

    Not only is it bad netiquette to send massive attachments, but most servers will block them at the other end.

    While I personally avoid sending large attachments, I can't reasonably object when it's done between consenting parties. So I don't see this as a valid argument against personal mail servers, but rather a strong argument in favor since the ISP's mail admin doesn't have to be a consenting party.

    Have you heard of fetchmail?

    Do you really want it to poll every minute? When you run your own mail server, you don't have to decide between overhead and quick notification of incoming email. Maybe you don't see the need to be notified of new email that quickly, but what right do you have to impose your personal preferences on others?

    The bottom line is that I feel very strongly that there are many perfectly valid reasons for individuals to run their own mail servers, and no ISP should deny them this right as long as they don't bother anyone else, e.g., by sending spam.

    This isn't just about the right to run personal email servers. It's about something much more important and fundamental: preserving and protecting the end-to-end model that made the Internet such a success. If we permit ISPs to encroach on the end-to-end principle for what may appear to the naive person to be "worthy" reasons, it won't end until it becomes almost impossible to innovate with new and useful end-to-end services.

  11. Re:Off by default by egburr · · Score: 3, Insightful
    My best advice if you don't like your ISP's servers is find one that works better.

    I did exactly that. My mailserver works better for my purposes than that of any ISP I have ever used. I found what works best for me and implemented it. Who are you to say that my solution of running my own mailserver is wrong?

    All those other reasons you lumped together as "specious excuses" are valid reasons. An ISP typically has hundreds, thousands, or even tens of thousands of users. They have massive mail servers that are designed to provide service to those vast quantities of users. My mail server is used by only a very few people (4). It is a lot more suitable for my needs than my ISP's server is.

    --

    Edward Burr
    Having a smoking section in a restaurant is like having a peeing section in a swimming pool.