Reverse Firewalls As An Anti-Spam Tool

An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail. ""

And who will control what to control?

[jrockway]

Ahh, and who will control what defines an attack? Is using Freenet an attack? Bittorrent? Kazaa?

This looks like yet another way to force us to use the Internet in the way that corporations/governements want us to. No fucking thank you.

Re:And who will control what to control?

[dhakbar]

Force?

You do realize that this isn't a discussion about a law to make it illegal to connect to the internet without such a reverse firewall, don't you? How is this guy's (not so hot) idea forcing you to do anything?

Re:And who will control what to control?

Did you actually read anything?

He says reverse firewalls should be embedded in every cable modem and wireless access point for home users.

He certainly does think it would be a good idea to require a reverse firewall before connecting to the internet.

Idea becomes discussion ... discussion becomes policy ... policy becomes law. And Dhakbar says "Why, O!, why did this happen?"

Re:And who will control what to control?

[Capt'n+Hector]

Put away that tin foil hat. Would you say the same thing about normal firewalls? After all, normal firewalls don't allow traffic from Bittorrent, most online games, etc etc etc without configuration. So.... "Who will control what defines an attack?" The answer is, as always, you.

Re:And who will control what to control?

[bhima]

Sorry I can't help myself....

Can it it be configured to block port 1984?

Re:And who will control what to control?

[hoferbr]

IMHO, I think you're missing the point. The article states that the reverse-firewall would block traffic from specific ports that used the computer as, quoting the article, "a group of "zombie" machines hijacked to distribute huge amounts of fraudulent e-mail or launch denial-of-service attacks without being traced directly."
If you want access to a blocked port, i'm shure that you could easily open it. But this is not about "computer experts" or something like that, this reverse firewall aims the average computer user. They are the ones whose computers are beeing used as spam spreaders by someone else.

A better idea...

[SixDimensionalArray]

Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.) to more robust and secured ones would be easier than having to create a product just to limit what you can do with your own machine and network connection.

But that would be silly now, wouldn't it? Sure, it would cost a lot a migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?

Re:A better idea...

[KillerCow]

I have to agree with this. SMTP was designed when all of the machines involved were trusted. That isn't the case anymore. Since a design assumption has been fundamentally broken, it needs to be redesigned.

We shouldn't be grafting band-aids and restricting the network model to fix a single broken protocol. SMTP is the problem. Fix it and leave everything else alone. You wouldn't propose mucking around with TCP because any other application layer protocol was broken.

Re:A better idea...

[PetoskeyGuy]

Enhanced SMTP better known as ESMTP is not hypothetical. It's out there, it works, mail clients know about it. It's optional and most ISP's I've used don't have strong authentication. They could, but choose not to. Search Google for Ehanced SMTP or you'll find an ESMTP mail server.

It seems your proposing the same argument the article does. Basically security needs to be enabled by default. The internet is no longer a place where you can trust. They are suggesting a hardware fix, your suggesting software.

Either way it will most likely require some pretty big players like AOL or Microsoft to implement it before it would achieve critical mass. Designing a different way of doing things isn't hard, it's getting everyone else to agree to it and use it.

AOL started implementing SPF to stop spam. If AOL/MSN/Yahoo all decide to stop accepting mail that doesn't come form SPF using sites, adoption should happen in about a fortnight.

Re:A better idea...

[Jahf]

That's your fault for not implementing a checking algorithm when the users are changing their passwords.

We had a password checker for our users (when I was at an ISP) that prevented stupid user dictionary attacks back in 1994/1995. A little user hassle at that bottleneck prevents a world of hurt later on.

Off by default

[Kris_J]

Where my mother works, they're all allowed to have VPN access (I know this because I'm getting ADSL so she won't be dialling in directly anymore), but it's not on by default, you have to make a request to turn it on.

Similarly, few individuals have a desperate need to run their own mail server, so ISPs should only allow mail connections to their own mail servers unless the user asks otherwise. How hard is that? Someone tell me this wouldn't have a major impact on spam zombies.

You could do the same for pretty much every unpopular service and just have an account page where users can specifically turn on services they need.

Re:Off by default

[ottothecow]

Yes

He is right.

ISP's should block port 25, that is a definate yes at this point in time. But, when a user wants port 25, they should be able to ask and recieve.

Your average cable/DSL user is probobly still using their free yahoo or hotmail account to check email. Maybe they made an ISP account now that POP3/SMTP is offered, but they probobly have no need for an external mailserver.

The next guy up--the one who wants the mailserver--is either someone who knows enough about the internet and can deal with the attacks on their system, or some corporate exec who is told that he needs to do this to check his email. They could have a little quiz about security and if you do well, you get port 25, if you dont do well you can either take a little online class or maybe just buy a NAT box (maybe with a reverse firewall).

Re:Off by default

[gerardrj]

There are several very good reasons to use your own email server instead of your ISPs:

1. You can use any domain name(s) you want so you don't every have to change your address as you change ISPs.

2. Your ISP (or anyone else) can't read your mail while it's sitting on your own server. They can read it when it sitting on their server.

3. SPAM prevention. when you run your own server you can alias your account as many times as you wish, and are able to add/delete aliases instantly and at will. When you give a unique address to each entity. If you get spam on an address, you delete it and create a new one.

4. No limits on message content or size. Many ISPs limit the size of attachments. Granted, SMTP is not meant as a file transfer protocol, but that's not a reason to arbitrarily limit the size of messages.

5. Notification. When you own the server and new mail comes in you have have the server forward the mail to multiple places, or run scripts to notify you on a pager, via telephone, etc.

6. Reliability. At least with My ISP, my mail server has a higher availability than theirs. Because of the load on the server from SPAM, it goes down fairly regularly and is frequently backlogged. Sure this is just poor admin on their part, but with my own server it doesn't affect me.

Re:Off by default

[Ryan+Amos]

The days of the ISP as a "carrier" are long gone. They were over pretty much as soon as broadband hit the market. ISPs these days handle such massive amounts of bandwidth with such ignorant users that they have somewhat of a responsibility to the rest of the internet (not to mention their bottom line) to make sure that bandwidth isn't being used for nefarious purposes by hackers or viruses which have taken over the computers of these ignorant users. 99% of users don't need to and will never run a mail server, DNS server, whatever from their cable modem. All leaving these ports open does is allow the spambots and botnets to spread unabated.

The days of the free, trusted internet are gone. Look at it this way: any competent sysadmin runs a firewall on a box that blocks all incoming ports except those which the admin knows are in use. Doing the same with outgoing traffic is not a bad idea, especially considering that most people whose computers are sending these massive crapfloods have no idea what's going on. We've got to protect the internet from itself or it will render itself practically useless.

Re:Off by default

[Phil+Karn]

If your ISP is intrusive enough to read your email, then they can just as easily read it as it comes into your private mailserver.

Many (most?) MTAs now support the STARTTLS SMTP command. Set up your own mail server, create a self-signed certificate, and a remarkable fraction of your email will be automatically encrypted during the transfer. Even much of my incoming spam is encrypted in this way. Since it comes from all over the world, this actually serves as a useful mask for anyone doing traffic analysis.

Your ISP could still intercept your mail with a man-in-the-middle attack, but that's far less likely than browsing your mail files on their server.

I'd quickly find a new ISP if this was the case.

Well, mail server unreliability is a problem with many ISPs. Even though my ISP's server works most of the time, I still can't log in and run "mailq". I do that regularly with my own server, and I depend on it.

Not only is it bad netiquette to send massive attachments, but most servers will block them at the other end.

While I personally avoid sending large attachments, I can't reasonably object when it's done between consenting parties. So I don't see this as a valid argument against personal mail servers, but rather a strong argument in favor since the ISP's mail admin doesn't have to be a consenting party.

Have you heard of fetchmail?

Do you really want it to poll every minute? When you run your own mail server, you don't have to decide between overhead and quick notification of incoming email. Maybe you don't see the need to be notified of new email that quickly, but what right do you have to impose your personal preferences on others?

The bottom line is that I feel very strongly that there are many perfectly valid reasons for individuals to run their own mail servers, and no ISP should deny them this right as long as they don't bother anyone else, e.g., by sending spam.

This isn't just about the right to run personal email servers. It's about something much more important and fundamental: preserving and protecting the end-to-end model that made the Internet such a success. If we permit ISPs to encroach on the end-to-end principle for what may appear to the naive person to be "worthy" reasons, it won't end until it becomes almost impossible to innovate with new and useful end-to-end services.

Re:Off by default

[egburr]

My best advice if you don't like your ISP's servers is find one that works better.

I did exactly that. My mailserver works better for my purposes than that of any ISP I have ever used. I found what works best for me and implemented it. Who are you to say that my solution of running my own mailserver is wrong?

All those other reasons you lumped together as "specious excuses" are valid reasons. An ISP typically has hundreds, thousands, or even tens of thousands of users. They have massive mail servers that are designed to provide service to those vast quntities of users. My mail server is used by only a very few people (4). It is a lot more suitable for my needs than my ISP's server is.

Oh yeah, router manufacturers will buy this...

[cleverhandle]

I suppose the router manufacturers will take this step, which would certainly generate more tech support calls and higher engineering costs, out of the goodness of their hearts?

The manufacturers are in a beautiful position on the spam/virus issue - they just route the packets, virii are Microsoft's problem. Why rock the boat?

Re:Oh yeah, router manufacturers will buy this...

[comet_11]

For the love of jesus, I hate any slashdot article relating to viruses. I have to read through comment after comment using the accursed "virii".

"Virii" is, and let me put this gently, not a goddamn word. I say this not just for your sake, but in the hope that at least a hundredth of the people operating under this painful warping of the english language. Read this, I beg you, and stop making me - and anyone who knows the word - cringe.

Re:Wouldn't software firewalls do this as well...

[Mistlefoot]

Absolutely.

I'm not sure this is an option that the average windows user (and almost anyone sending out spam on their virus laden pc uses windows) would find simple.

Working as a support tech and dealing with mainly connectivity issues, I've learned that the number one issue blocking users from desirable online actities or access itself is a firewall. It used to be that the first troubleshooting step was to check the connections. Now it's become, check for firewalls.

I'm not sure the average windows user would find this a simple solution.

Reverse firewalls?

[afay]

First of all, the linked article simply describes a firewall blocking some outgoing traffic with easy rate limit rules (i.e. no email after x messages sent in y amount of time). There's no need to call it a reverse firewall. It's a firewall, plain and simple. Just because most people allow all outgoing traffic doesn't mean that if you block some you've invented a new type of firewall.

The other article is really describing a completely different thing. They use the same term, reverse firewall, but they talk about firewalling each individual machine inside a lan. Basically, they suggest a firewall on each machine to protect the internal network from attacks that originate inside it. Completely different use of the term.

It sort of looks like the submitter just googled for "reverse firewall" and posted the first match. Or actually it appears to be the 4th match. Anyway, regardless, the two links seem to be talking about different things. Both of them have merit, but neither seems particularly innovative. I do like the first articles idea of rate limiting outgoing email on home router boxes by default. Seems like it would solve a lot of spam problems.

Re:Not just for spam!

[DAldredge]

For about 3.2 seconds till the UPNP enabled virus tells the UPNP enabled firewall that it is an authorized app...

Great Reverse Firewall for Mac OS X

[toupsie]

If you have got a Mac, there is a program called "Little Snitch" that is an excellent reverse firewall. While I am not worried as much about my Mac becoming a part of a botnet, it is amazing to see how often my installed software packages want to "phone home". I have even caught third party web advertisers wanting to open ports outside of 80 and 443.

A cable modem with a reverse firewall sounds nice but I would rather handle this at the CPU level. I want to choose what to block and accept.

reverse firewall? what?

[rritterson]

Reverse Firewall? As far as I know, a wall of fire would be flaming on both sides.

All kidding aside, all capable firewalls do have outbound protection built into them. Consumer software firewalls monitor which programs are allowed to access the internet, for example, and enterprise-level firewalls allow you to define heuristics to block certain traffic patterns.

So, basically, the article is just suggesting a new name for an old concept. Really, the author wants consumer networking devices to have more capable firewalls.

He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop. On top of that, they have downloaded a trojan or been hit by a worm to turn them into relays in the first place, which is something a firewall + AV should prevent.

Also, it's probably just as easy to educate 75% of the people how not to become a spam relay as it is to get 75% of the people to buy something with a reverse firewall and then train them how to use it (most people I know just put their computers into the DMZ when they play games because they don't know how to forward ports).

Sure, layered security is a good thing, but I see this as likely to generate many headaches with not much benefit

Re:reverse firewall? what?

[mdfst13]

"He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop."

They are generating the SMTP connections. Once a virus is on a computer, it can communicate out to its source via common ports, like http's port 80. It doesn't need to use a blockable port (although ports like the NetBIOS port should be blocked to avoid trojans). Anti-virus is a client side solution, and clearly, relying on clients does not work. Plus, there is a lag time between a virus being introduced and the AV software catching it.

I'm not sure that the cable modem is the place to make these blocks either. I would think that they could be more sensibly made at the network router/switch.

Virus could disable software firewall

[erice]

The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.

No, for a "reverse" firewall to make any sense, the firewall must be on a different machine.

Re:This isn't normal behavior?

[Reverant]

It's normal, but it's also very annoying having to click yes/no everytime a process wants to create an outgoing connection. What the author suggests, is a hardware-based firewall (ie one that can't be switched off by a new generation virus - the current ones will terminate for instance any antivirus software they find running), that limits how many emails you can send per minute or hour.

Re:This isn't normal behavior?

[Christopher+Cashell]

Even for LAN firewalls, this is, or should be, normal behavior.

I know I've had my firewall setup to block outgoing port 25 traffic that doesn't come from the mail server for a long time now. I also log outbound port 25 requests, and twice this has alerted me to when one of my users was infected with a mass-mailing trojan.

Anyone who runs a firewall and does not currently have it set up similar to this should block outgoing port 25 connections that do not originate from your mail server immediately.

If you're running any reasonably modern firewall (or using Linux and iptables for your firewall) this is fairly trivial to setup.

Come on, guys. Let's all do our part to stop spam. Every little bit helps.

ZoneAlarmPro

[v1x]

ZoneAlarmPro is best known for its ability to block to control outgoing traffic. However, lesser known is its ability to control outgoing email, by specifying which applications can send email, along with how many emails are sent at once before an alarm is raised about possible virus/worm, and the offending application is frozen by ZoneAlarm until the user intervenes & allows it permission to do so. So, the functionality of the reverse firewall to reduce spam that the author is asking for is already available.

Re:Obligitory form-letter post

[Artega+VH]

Did you select from that "form" randomly or did you want to actually make an insighful point?

(x) Users of email will not put up with it
Actually if implemented properly (allowing people to configure it) people WILL put up with it..

(x) Requires immediate total cooperation from everybody at once
No. Every user that gets one of these things helps.

(x) Lack of centrally controlling authority for email
Huh?

(x) Open relays in foreign countries
No. Every user that gets this helps.

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
I think this is practical. Just like a regular firewall is practical. (Might as well make this thing a proper full blown hardware firewall)

(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
Pardon?

(x) This is a stupid idea, and you're a stupid company for suggesting it.
Yes - very amusing. We're all laughing at your stupidity.

This is not a fix-all solution. But it's a simple solution that would help to alleviate some of the spam problem.

Re:This isn't normal behavior?

[obeythefist]

Couple of relevant things:

Windows XP SP2 will include a reverse firewall that is enabled by default. Unfortunately it will be released, for compatibility reasons, after Duke Nukem Forever.

Principle Scientist for Verisign? The same company with the terrorists/geniuses (what's in a name?) who decided to hijack the DNS system and send it to a search portal that pays them money each time it gets used? Thanks a lot. I'll take advice from a great company like that.

I dunno, chief.

[mcco7614]

I just think it's funny that VeriSign's "chief scientist" said we should use "reverse firewalls" ... I'll foil his plans by installing a reverse router with dual reverse Ethernet switches between my hosts and my cable modem. And I'll connect it all using my reverse CAT6 cables. This way, by the time a packet arrives at the reverse firewall it will already have been reversed...in which case...uhhh...it will be re-reversed and forwarded normally. Yup.

I'm gonna go to reverse sleep now.

Dangerous twaddle

[cardpuncher]

Apart from the annoying debasement of the word "scientist", this really does reveal VeriSign's view of the function of the Internet and, unfortunately, it's becoming more common.

If I buy an "Internet" service I have a reasonable expectation of being able to run any service I can encode in IP packets and have that service routed transparently end to end. I *should* be able to run a VPN, remotely mount filesystems, use VoIP or even run a mailserver if I want to. If I can't it isn't an Internet.

Increasingly, ISPs seem to think that providing a link to their web proxy and a POP3 mailbox constitutes an adequate service. It might be for some people, but it's not the Internet, it's CompuServe revisited. It's good for ISPs though, because they can start charging you extra for "services" which simply involve them removing rules from your compulsory firewall.

Re:Dangerous twaddle

[mks113]

Yep, it is getting more widespread too.

I've run a redhat/dsl box in my basement for four years. Until 6 months ago I had real internet access. Then they blocked outgoing SMTP. I'm running several mailing lists -- High school alumni with about 60 or so people per list. One in particular can get quite active. I also send out newsletters regarding an upcoming event to 100 people or so.

Reworking exim to use the ISP's SMTP server wasn't a problem, until they actually started counting outgoing emails and disabled my account for a day due to >300 emails/hour.

I figured it was time to move from my "grey" basement server to a commercial host. I was amazed at the price for what I wanted -- $8/month or less! I signed up and had things working in a few hours.

It took a few days before problems really started to appear. Lots of people didn't appear to be getting email from the lists. More research showed that, in fact, although they advertised mailman lists, they still limited outgoing emails to ~60/hour or less.

Two months later, I'm still with them. Looking around I've found that just about everyone puts those same anti-spam limits on ougoing email. Not having limits labels a provider as being "spam friendly", and I am the one suffering. The best I could find without limits was $35/month, which is steeper than I would like.

"We have met the enemy, and he is us!"

Michael

Just to be pedantic

[fishbot]

but a firewall is a piece of software which allows or denies packets based on their properties; it cares not in which direction they are flowing.

A reverse firewall, then, is just a firewall. It's like the difference between a slash and a forward slash (pet peeve). In fact, if you use an iptables or ipchains firewall, you only need a few extra rules to implement this on your gateway machine.

New???

[really?]

Perhaps it's just me, but egress filtering is the default behaviour on all FW boxes I set up. And I'm not even that much of a harcore security geek.

Re:This isn't normal behavior?

[geminidomino]

Eh, when I stopped accepting direct-to-mx mail from dynamic IP addresses, I had exactly 1 legitimate mail get blocked in the first six months, and that was because the sender forgot he'd been playing with Mercury.

Compared to the 900+ viruses/spams/worms that get 550'd every month, I'd call that acceptable.

Personal firewall setup

[smittyman]

yeah just like all the other "personal firewalls".

I believe there is a future for this afterall:

"welcome to the setup of your personal firewall. To install some personal settings please anwswer the following questions:

- Do you click on banners.
Yes / no / Banners?

- Do you use floppies and CD's provided by your idiot neighbour.
Yes / no / also from my uncle
- Is your default webpage www.msn.com.
Yes / no / Banners?
- You have created a personal webpage about your hobbies.
Yes / no / with my cat
- Running Outlook and Outlook express.
Yes / no / I like it
- Paid for more space on the hotmail account.
Yes / no
- You made friends with a Gorrila.
Yes / no / I like him because he is purple
- Do you trust company popups that trie installing software.
Yes / no / They are here to help me run the internet arent they?

Thank you for filling out these questions, your personal setting will now be choosen. While we are doing that please fill in as many square boxes below as possible and a few email adresses from YOU and your friends so we can GIVE you information for FREE......

Setting found, If one of the questions above was not no your personal firewall will be put in the L-User setting, dis-engaging internet connection now, thank you, go read a book or play solitaire........still here? the setting was permanent, shoo, SHOO, rebooting now......

Standard practice at companies?

[atcurtis]

I set up a firewall at a medium-sized company and the only machine which was allowed to connect to some remote machine on port 25 was the mail server. In a similar vein, the transparent proxy was deliberately set up to break LookOut Express HotMail over HTTP.

Simple things like that, default to deny for both inbound and outbound, virus checking on the mail server: they all greatly reduce the risk of these Windows plagues.

And I thought it was all pretty much standard practice.

I personally think that individuals should take more responsibility for their equipment. It's not really the ISP's business to put in firewalls - perhaps if the users were to pay for the additional service, then the ISP can provide... The individual can always put in a firewall themselves which would only allow port 25 connection to their ISP's mailserver.

Perhaps - a "manditory" additional fee for a firewall for those who do not have an operational firewall?

Just thinking aloud....

Re:This isn't normal behavior?

[13Echo]

It is strange that people working for free, I am talking open source here, do not produce something that is useful for home users. All the OSS firewalls I have looked out require you to have a good to expert knowledge (depending on firewall) of networking in order to effectivly use them. They all seem to be just creating replacements for professional products rather than somehting that is useable by the average Joe.

You mean, like Firestarter?

http://firestarter.sourceforge.net/

It doesn't require any knowledge to configure the firewall.