[geeks] @home has finally done it...

Greg A. Woods geeks at sunhelp.org
Sun Aug 19 12:48:14 CDT 2001


[ On Sunday, August 19, 2001 at 13:13:20 (-0400), Kurt Huhn wrote: ]
> Subject: [geeks] @home has finally done it...
>
> It wasn't bad enough that they blocked all incoming HTTP traffic, but now
> they've blocked all incoming SMTP traffic.  Firewall logs show it happened
> at about 3:50pm yesterday afternoon - that's the last message I got from
> Geeks yesterday.
> 
> Interesting notes:
> They claim it is to block the code red virus.   This makes no sense - Code
> Red rarely goes outside its own class A, their attempts will be futile.
> I'm still seeing a Metric Buttload of default.ida requests from 65.x and
> 24.x hosts.  What SMTP traffic has to do with code red - I don't know.  My
> suspicion is that it's an excuse to impose fascist rule...

Actually it's to block the zillions of idiots who've been setting
up port-25 forwarders and pointing them at the @Home mailers.  Since
they're explicitly allowed to make such connections it turns @Home into
an instant wide-open relatively high-bandwidth open relay.

It's actually not a fascist rule -- it's a necessary evil given the
consequences of SMTP open relay abuse.

They're just telling you "code red" because that's something the average
luser might know about.  They don't care how clued you actually are.

> Level two techs should never hang up on Kurt Huhn - I have nothing better to
> do at 12:30am than to call back and speak to your supervisor.

Thank you!  Can you do it again for me too!  ;-)

> I can still send OUTGOING MAIL from my IP.  Wouldn't that be a real problem
> with bandwidth hogging?

Blocking out-bound SMTP connections would pretty much cause their
support departments to either be assassinated or to commit suicide on
their own accord....  It's also not something their current contracts
could ever require.

The real problem is that @Home is getting beaten over the head by
complaints of open relays caused by the port forwarders I described
above.

The small cable ISP I do work for was hit by the very same problem
(though the customer claimed innocence and said their IT consultant set
it up that way -- they were a paying SOHO though, not just a home user,
so that's probably true, sad but true).  We were listed in the ORDB RBL
before we could blink twice (but luckily we were able to firewall the
idiot customer and get out of the ORDB before too many legit e-mails
were blocked).

We are also going to block all inbound SMTP connections to all but
authorised SMTP hosts, and we're going to block relay on our mail
servers from all authorised SMTP hosts (to prevent accidentally becoming
a multi-stage relay again).  Hopefully they're going to charge a fee for
authorising any SMTP hosts too -- otherwise it's going to cost them more
than they'll profit!  ;-)

> Incoming DNS is still operational.  So I can still manage my domains.

Yup, but you're not being very smart if you run any nameserver delegated
to by any public NS record on an @Home address (@Work might be different,
but I doubt it).  You are, literally, asking for trouble.  Don't do that.

> All other ports are unblocked - and that would seem to be the real bandwidth
> problem.  Doesn't a half-life server use up a shitload more bandwidth than
> my *primarily receive* SMTP server?

You're violating your contract in the first place.  You've no right to
complain about this particular issue.  You may even lose your service
before you're ready to switch to something more appropriate for your
needs.

> NETBIOS IS STILL ACTIVE!  Netbios broadcast storms are the real culprit
> here - ever see a Passport switch brought to its knees by NetBios?  Since
> @home decided to bind DHCP to NetBios, bandwidth has never been worse...

Yes, they are hypocrites to a certain degree.

But bandwidth really isn't the primary issue -- it's just a ruse because
it's now something the half-clued public might recognize as an issue, so
they use it as leverage and as an expectation management tool....

> They actually get pissed when I say that I have a firewall and use Linux as
> my primary OS.
> @home: "We don't support that sir."
> Kurt: "I'm not asking you to - I manage just fine by myself."
> @home: "Well we can't troubleshoot your connection without a supported OS."
> Kurt: "Listen greenhorn - I just told you what the problem is.  Don't you
> think you should know what the issue is, before some jerk like me calls at
> 11:00pm and tells you what's wrong with the @home network?!"
> @home: <click>

I know what you mean!  :-)  Been there, done that, and I'm still pissed
at them too.

But I'm not running any services on my @Home IP#....

> I am sooooo pissed.  I just spent the morning reconfiguring a server at work
> to operate as my mail server - I had to unsubscribe from the lists in the
> meantime.  I'd just like to take this opportunity to thank @home - for
> NOTHING!

You brought that part of the problem on yourself.  Didn't you read the
contract and the attached regulations?

I'll bet you many DSL providers have similar rules.  You'll either have
to buckle down and use your home connection as a client only, or pay for
the kind of service you really want.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>     <woods at robohack.ca>
Planix, Inc. <woods at planix.com>;   Secrets of the Weird <woods at weird.com>
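
The multi-stage relay problem and the two controls described in this message (inbound SMTP only to authorised hosts, no relay for those hosts), modelled as an added example that is not part of the original post and is not any ISP's actual configuration. All addresses, domains and function names are constructed for illustration.

```python
"""Model of relay trust based on the connecting IP (constructed RFC 5737 data)."""
from ipaddress import ip_address, ip_network

CUSTOMER_NET = ip_network("198.51.100.0/24")      # constructed: ISP customer range
AUTHORISED_SMTP = {ip_address("198.51.100.10")}   # constructed: customer allowed to run SMTP
LOCAL_DOMAINS = {"isp.example"}                   # constructed: domains the ISP mailer hosts


def border_allows_inbound_smtp(dst, hardened):
    """Border filter: may an outside host open TCP/25 to this customer address?"""
    if not hardened:
        return True                               # before: port 25 reachable on every customer IP
    return ip_address(dst) in AUTHORISED_SMTP     # after: authorised SMTP hosts only


def mailer_accepts(client_ip, rcpt_domain, hardened):
    """ISP mailer's decision for one recipient, judged by the connecting IP."""
    client = ip_address(client_ip)
    if rcpt_domain in LOCAL_DOMAINS:
        return True                               # final delivery is always accepted
    if client not in CUSTOMER_NET:
        return False                              # outsiders may not relay
    if hardened and client in AUTHORISED_SMTP:
        return False                              # authorised SMTP hosts lose relay rights
    return True                                   # ordinary customer: relay permitted


def relayed_via_customer(customer_ip, rcpt_domain, hardened):
    """Does mail from outside, passed on by a customer host listening on port 25,
    get relayed onward? The mailer only ever sees the customer's address."""
    if not border_allows_inbound_smtp(customer_ip, hardened):
        return False
    return mailer_accepts(customer_ip, rcpt_domain, hardened)


if __name__ == "__main__":
    for ip in ("198.51.100.77", "198.51.100.10"):
        for hardened in (False, True):
            result = relayed_via_customer(ip, "elsewhere.example", hardened)
            print(f"{ip} hardened={hardened}: relayed={result}")
```

Ordinary customers keep their outbound relay through the mailer in the hardened case; only the inbound path through a customer address is closed.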


