Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reverse Firewalls As An Anti-Spam Tool

Posted by timothy on from the to-each-his-own dept.

An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail. ""

5 of 513 comments (clear)

  1. A better idea... by SixDimensionalArray · · Score: 5, Insightful

    Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.) to more robust and secured ones would be easier than having to create a product just to limit what you can do with your own machine and network connection.

    But that would be silly now, wouldn't it? Sure, it would cost a lot a migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?

  2. Re:And who will control what to control? by dhakbar · · Score: 5, Insightful

    Force?

    You do realize that this isn't a discussion about a law to make it illegal to connect to the internet without such a reverse firewall, don't you? How is this guy's (not so hot) idea forcing you to do anything?

  3. Re:This isn't normal behavior? by Christopher+Cashell · · Score: 5, Insightful

    Even for LAN firewalls, this is, or should be, normal behavior.

    I know I've had my firewall setup to block outgoing port 25 traffic that doesn't come from the mail server for a long time now. I also log outbound port 25 requests, and twice this has alerted me to when one of my users was infected with a mass-mailing trojan.

    Anyone who runs a firewall and does not currently have it set up similar to this should block outgoing port 25 connections that do not originate from your mail server immediately.

    If you're running any reasonably modern firewall (or using Linux and iptables for your firewall) this is fairly trivial to setup.

    Come on, guys. Let's all do our part to stop spam. Every little bit helps.

    --
    Topher
  4. Dangerous twaddle by cardpuncher · · Score: 5, Insightful

    Apart from the annoying debasement of the word "scientist", this really does reveal VeriSign's view of the function of the Internet and, unfortunately, it's becoming more common.

    If I buy an "Internet" service I have a reasonable expectation of being able to run any service I can encode in IP packets and have that service routed transparently end to end. I *should* be able to run a VPN, remotely mount filesystems, use VoIP or even run a mailserver if I want to. If I can't it isn't an Internet.

    Increasingly, ISPs seem to think that providing a link to their web proxy and a POP3 mailbox constitutes an adequate service. It might be for some people, but it's not the Internet, it's CompuServe revisited. It's good for ISPs though, because they can start charging you extra for "services" which simply involve them removing rules from your compulsory firewall.

  5. Re:Off by default by Phil+Karn · · Score: 5, Insightful
    If your ISP is intrusive enough to read your email, then they can just as easily read it as it comes into your private mailserver.

    Many (most?) MTAs now support the STARTTLS SMTP command. Set up your own mail server, create a self-signed certificate, and a remarkable fraction of your email will be automatically encrypted during the transfer. Even much of my incoming spam is encrypted in this way. Since it comes from all over the world, this actually serves as a useful mask for anyone doing traffic analysis.

    Your ISP could still intercept your mail with a man-in-the-middle attack, but that's far less likely than browsing your mail files on their server.

    I'd quickly find a new ISP if this was the case.

    Well, mail server unreliability is a problem with many ISPs. Even though my ISP's server works most of the time, I still can't log in and run "mailq". I do that regularly with my own server, and I depend on it.

    Not only is it bad netiquette to send massive attachments, but most servers will block them at the other end.

    While I personally avoid sending large attachments, I can't reasonably object when it's done between consenting parties. So I don't see this as a valid argument against personal mail servers, but rather a strong argument in favor since the ISP's mail admin doesn't have to be a consenting party.

    Have you heard of fetchmail?

    Do you really want it to poll every minute? When you run your own mail server, you don't have to decide between overhead and quick notification of incoming email. Maybe you don't see the need to be notified of new email that quickly, but what right do you have to impose your personal preferences on others?

    The bottom line is that I feel very strongly that there are many perfectly valid reasons for individuals to run their own mail servers, and no ISP should deny them this right as long as they don't bother anyone else, e.g., by sending spam.

    This isn't just about the right to run personal email servers. It's about something much more important and fundamental: preserving and protecting the end-to-end model that made the Internet such a success. If we permit ISPs to encroach on the end-to-end principle for what may appear to the naive person to be "worthy" reasons, it won't end until it becomes almost impossible to innovate with new and useful end-to-end services.