
Reverse Firewalls As An Anti-Spam Tool

timothy posted more than 10 years ago | from the to-each-his-own dept.

Spam 513

An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail. ""


My biznitch is the shiznit... (-1, Offtopic)

dhakbar (783117) | more than 10 years ago | (#9756847)

Yes she is.

Re:My biznitch is the shiznit... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9756860)

dhakbar ... hmmm funny, thought it was dinkbar

Re:My biznitch is the shiznit... (-1, Offtopic)

dhakbar (783117) | more than 10 years ago | (#9756884)

What the hell are you babbling about?

This isn't normal behavior? (2, Informative)

Anonymous Coward | more than 10 years ago | (#9756853)

I have Kerio Personal Firewall on my Windows machine and it prompts me about every outgoing connection (to learn it, or allow it, or block it).

Re:This isn't normal behavior? (2, Funny)

Anonymous Coward | more than 10 years ago | (#9756983)

thank you for reminding me how good it is not using windows.

Re:This isn't normal behavior? (3, Informative)

Reverant (581129) | more than 10 years ago | (#9757042)

It's normal, but it's also very annoying having to click yes/no every time a process wants to create an outgoing connection. What the author suggests is a hardware-based firewall (i.e. one that can't be switched off by a new generation virus - the current ones will terminate, for instance, any antivirus software they find running) that limits how many emails you can send per minute or hour.

Re:This isn't normal behavior? (0)

Anonymous Coward | more than 10 years ago | (#9757103)

The software can "learn" what you want allowed and what you want blocked. It's easier than going into your iptables script and specifying the outbound you want.

FP! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9756854)

FP (finally!)

Re:FP! (-1, Offtopic)

dhakbar (783117) | more than 10 years ago | (#9756872)

No, sir... not finally. Or ever, for that matter.

YOU LIKEWISE FAIL IT!

Re:FP! (-1, Offtopic)

YOU LIKEWISE FAIL IT (651184) | more than 10 years ago | (#9756921)

That'll be $699, tah.

Wouldn't software firewalls do this as well... (1)

mobiux (118006) | more than 10 years ago | (#9756855)

since they monitor traffic going in and out of the PC.

Re:Wouldn't software firewalls do this as well... (3, Insightful)

Mistlefoot (636417) | more than 10 years ago | (#9756901)

Absolutely.

I'm not sure this is an option that the average windows user (and almost anyone sending out spam on their virus laden pc uses windows) would find simple.

Working as a support tech and dealing with mainly connectivity issues, I've learned that the number one issue blocking users from desirable online activities or access itself is a firewall. It used to be that the first troubleshooting step was to check the connections. Now it's become, check for firewalls.

I'm not sure the average windows user would find this a simple solution.

Re:Wouldn't software firewalls do this as well... (1)

MMaestro (585010) | more than 10 years ago | (#9756962)

True, but ultimately the problem comes back to the millions of Joe Averages out there with broadband connections and cheap yet overpowerful computer system any geek will tell you they just plain don't need. There are people who still send out and forward chain letters (not to mention open up suspicious, no-doubt-virus-ridden, e-mails) which already adds to the problem of spam messages. What are the chances of these Joe Averages collectively thinking 'hey, maybe I should stop leaving my computer on 24/7 and ask tech support why my computer always seems to slow down whenever I surf the net.'

Re:Wouldn't software firewalls do this as well... (2, Insightful)

halowolf (692775) | more than 10 years ago | (#9757063)

This is a good point, because Joe Average may be able to use their computers, but they certainly do not understand how they work. And to keep a computer running well, you need to understand how they work, or have someone close to them that knows how they work to maintain them. When it comes to firewalls and such, a more advanced computing topic, it's hard enough for Joe Average to understand why it's desirable to have one, let alone how to configure one effectively to protect them on the internet.

I know there are products like ZoneAlarm and such to try and make it easier for non technical users to use them, but Joe Average people will be baffled by them since they don't understand how networks work and everything that goes with that.

There is research into making computers self-maintainable and able to repair themselves and such, but it's a long way away from making Joe Average safe to use a computer on the internet. A lot more work needs to go into transparent computer administration systems that free Joe Average (and their administrators, family computer lackeys etc.) from having to deal with computer problems that could be solved or avoided with what we would consider common sense.

Re:Wouldn't software firewalls do this as well... (1)

Nogami_Saeko (466595) | more than 10 years ago | (#9756993)

Part of the problem with software firewalls is that if the user has a problem wherein they let a spambot or other virus into their machine, that program could have the ability to disable a software firewall as well.

If it's a hardware firewall, it makes it much more challenging for a hacker-program to be able to disable it to "get out".

Virus could disable software firewall (4, Interesting)

erice (13380) | more than 10 years ago | (#9756996)

The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.

No, for a "reverse" firewall to make any sense, the firewall must be on a different machine.

Re:Virus could disable software firewall (1)

Graff (532189) | more than 10 years ago | (#9757108)

The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.

Not if the system is set up properly. For example, under Mac OS X the user does not have root privileges by default. Instead the user needs to authenticate himself every time he performs any changes to the root system or anything else outside of his own user account for that matter. This makes it very difficult and much less likely that a virus could get root privileges.

So, sure the virus could infect your own personal account but since the firewall runs under root the virus can't disable it. Yes, you still won't stop the idiots who blindly authenticate anything that pops up but at least this is another barrier to stop the spread of a virus.

Re:Wouldn't software firewalls do this as well... (1)

AndroidCat (229562) | more than 10 years ago | (#9757006)

The problem is isolation. If the malware is running with admin rights, then it can attempt to switch-off/bypass the software firewall on the same machine. Apparently some malware tries to do this now.

Another problem is that apps on Windows can piggyback on IE's permissions for HTTP connections.

Re:Wouldn't software firewalls do this as well... (2, Interesting)

perlchild (582235) | more than 10 years ago | (#9757055)

*trying not to feed the troll*

The problem is not just to monitor the traffic, but to apply uncircumventable precautions against unallowed behaviour. For a similar, yet a lot tougher solution, my cable provider blocks a port (port 80 right now) at the Cable Broadband Router level (the other side of my connection) and similarly, a DSL provider could do the same at the DSLAM level. That most providers don't do this is that

1) it increases the per-user cpu cost at the edge of their network
2) it increases the support calls (as not a single one of them has had the balls (yet) to my knowledge to announce it in public fora (and they are similarly afraid to announce it to their users, despite that it could actually be marketed as a good thing: we protect you from this, so your bills are more likely to stay low))

Putting it on the other side of the demarc is putting provider policy control on the client's side of the link, which is generally a bad idea.

Not just for spam! (1, Insightful)

cloudkj (685320) | more than 10 years ago | (#9756861)

Works for virii and worms as well! When the router detects abnormal amounts of outbound traffic, it can either cap it, block it, or alert the user. This would work wonders!

Re:Not just for spam! (1)

afidel (530433) | more than 10 years ago | (#9756917)

The problem is that unlike traditional NAT'ing firewalls, where everything not part of an existing TCP/IP conversation can be thrown to the bit bucket, there is no such simple rule for a reverse firewall. So you get into heuristics and signatures, which have to be constantly updated and which give a LOT more false positives than a simple NAT box; ask anyone who has worked with intrusion detection systems. Not only that, but since updates have to be done constantly to screen for new threats there is an ongoing cost, and so companies will of course want to charge an ongoing fee, so instead of a cheap Linksys box just costing $50-100 it will cost that much AND have a monthly maintenance fee. I personally wouldn't want such a device for the same reason I don't own a Tivo: I hate perpetual revenue streams that add little value over what I can get with a fixed function device. Now I personally would LOVE this for my business customers. I already utilize Sonicwalls with integrated virus enforcement; blocking machines with unusual usage patterns would be nice so long as the false positive rate were sufficiently low.

Re:Not just for spam! (3, Insightful)

DAldredge (2353) | more than 10 years ago | (#9756929)

For about 3.2 seconds till the UPNP enabled virus tells the UPNP enabled firewall that it is an authorized app...

Re:Not just for spam! (0)

Anonymous Coward | more than 10 years ago | (#9757048)

Um. I highly doubt a reverse firewall would be UPnP enabled.

It wouldn't add functionality. It would add a glaring security flaw. Let me think about that.

Re:Not just for spam! (1)

DAldredge (2353) | more than 10 years ago | (#9757073)

Please check and see what % of currently shipping sub 100 USD firewalls/NAT devices are UPNP enabled. You might be shocked.

Re:Not just for spam! (1, Informative)

Anonymous Coward | more than 10 years ago | (#9757117)

No. See. There's a difference.

On those routers, it provides functionality. It allows software the ability to portmap itself to allow functionality as a server. For P2P, for instance, that's a boon.

On a firewall specifically designed to block outgoing attacks, that it a worthless function. It would, however, allow malicious programs free access, making it worthless.

If you can't see the difference, you're hopeless.

Re:Not just for spam! (1)

flyneye (84093) | more than 10 years ago | (#9757013)

until of course a cablemodem (or whatever the llawerif is embedded in) is reverse engineered and a hack found and described for the world to see. even if most couldn't do the hack, some would.
this is more nonsense.
software will always be hackable. (after all it's just commands to harness the hardware)
hardware will always be hackable (it would take a meta man to create hardware unhackable by man)
GTF over any notion that computers on networks will EVER be secure. Gawd, if you could just show legislators that simple logic we could quit wasting valuable tax dollars in this country.
we make machines to work for us.
we have to talk to the machines in a language they understand.
The language can conduct nice business with the comp.
The language can conduct nastiness.
we make machines that block nastiness.
we move this circuit. shunt. rewire. reprogram the cmos or in the case of nvidia just move this resistor from here -> * to here -> * and save a buncha mon$y.
so in reply: no it won't stop virii and worms as well.


It would just create problems... (0)

flamechocobo (792168) | more than 10 years ago | (#9756864)

Having a firewall required would hinder gaming efforts by making it harder to connect to servers.

Re:It would just create problems... (1)

cloudkj (685320) | more than 10 years ago | (#9756888)

Obviously, the firewall would be configurable. The important distinction is the default setting, since most users won't touch (or don't even know about) the settings on their router. By blocking excessive outbound traffic by default, this would catch TONS of traffic from unsuspecting users.

Good Idea (1)

Compuser (14899) | more than 10 years ago | (#9756870)

So long as I can edit firewall settings I would
support mandatory default reverse firewalls for
any equipment that so much as touches IP.

And who will control what to control? (3, Insightful)

jrockway (229604) | more than 10 years ago | (#9756879)

Ahh, and who will control what defines an attack? Is using Freenet an attack? Bittorrent? Kazaa?

This looks like yet another way to force us to use the Internet in the way that corporations/governments want us to. No fucking thank you.

Re:And who will control what to control? (5, Insightful)

dhakbar (783117) | more than 10 years ago | (#9756903)

Force?

You do realize that this isn't a discussion about a law to make it illegal to connect to the internet without such a reverse firewall, don't you? How is this guy's (not so hot) idea forcing you to do anything?

Re:And who will control what to control? (3, Insightful)

Anonymous Coward | more than 10 years ago | (#9756994)

Did you actually read anything?

He says reverse firewalls should be embedded in every cable modem and wireless access point for home users.

He certainly does think it would be a good idea to require a reverse firewall before connecting to the internet.

Idea becomes discussion ... discussion becomes policy ... policy becomes law. And Dhakbar says "Why, O!, why did this happen?"

Re:And who will control what to control? (0, Troll)

black mariah (654971) | more than 10 years ago | (#9756928)

Look, fucking idiot, do you even know how a fucking firewall works? You select which ports you want to allow traffic on, then all others are stopped. IT IS USER CONFIGURABLE YOU FUCKING IMBECILE.

Re:And who will control what to control? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9756959)

Outbreak of mental illness: Anger problem.

Re:And who will control what to control? (2, Insightful)

Donny Smith (567043) | more than 10 years ago | (#9757056)

> Outbreak of mental illness: Anger problem

No, that is the right response to a dumb-ass comment. If someone doesn't understand something, that's fine - it probably can be learned - but the assertive attitude combined with utmost stupidity and ignorance gets on most people's nerves.

The only "problem" is that he cares and can't take it any more. In the old times most comments (and stories) used to be fairly intelligent. In case you haven't noticed, it's been getting real bad - now about 20% of content is useful/informative/worthwhile and 80% is indistinguishable from any other forum.

Re:And who will control what to control? (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9757008)

Go uncap a cable modem. Oh wait, in some cases a hard thing to do. Also against your Terms of Service. What is to stop manufacturers from hindering the user's ability to configure this reverse firewall in a similar manner? What is to stop your provider from doing the same for your and the provider's network and other customers' protection?

It comes down to this, if they cannot trust the users computers, why should they trust them to configure a reverse firewall?

What if you only have one choice of broadband provider?

Personally I think the best place for activation of such things is at NOC level not user level and on a case by case basis.

Re:And who will control what to control? (1)

black mariah (654971) | more than 10 years ago | (#9757071)

Having broadband isn't a right. When you use any network, you are bound by their terms of service whether you like them or not. Don't like them? Then don't use that ISP. Don't have another broadband provider? Tough shit. Either quit your bitching or stay on dialup. Be sure to tell the ISP why you didn't choose them though. They love to hear about lost business due to their own stupidity.

Re:And who will control what to control? (4, Funny)

bhima (46039) | more than 10 years ago | (#9757023)

Sorry I can't help myself....

Can it be configured to block port 1984?

Re:And who will control what to control? (4, Informative)

Capt'n Hector (650760) | more than 10 years ago | (#9756997)

Put away that tin foil hat. Would you say the same thing about normal firewalls? After all, normal firewalls don't allow traffic from Bittorrent, most online games, etc etc etc without configuration. So.... "Who will control what defines an attack?" The answer is, as always, you.

A better idea... (5, Insightful)

SixDimensionalArray (604334) | more than 10 years ago | (#9756886)

Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.) to more robust and secured ones would be easier than having to create a product just to limit what you can do with your own machine and network connection.

But that would be silly now, wouldn't it? Sure, it would cost a lot to migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?

Re:A better idea... (1)

Donny Smith (567043) | more than 10 years ago | (#9757072)

>Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.)

SQUID proxy + AntiVirus software?

Re:A better idea... (1)

Jerf (17166) | more than 10 years ago | (#9757106)

Boil the ocean [google.com] , eh?

Off by default (4, Interesting)

Kris_J (10111) | more than 10 years ago | (#9756887)

Where my mother works, they're all allowed to have VPN access (I know this because I'm getting ADSL so she won't be dialling in directly anymore), but it's not on by default, you have to make a request to turn it on.

Similarly, few individuals have a desperate need to run their own mail server, so ISPs should only allow mail connections to their own mail servers unless the user asks otherwise. How hard is that? Someone tell me this wouldn't have a major impact on spam zombies.

You could do the same for pretty much every unpopular service and just have an account page where users can specifically turn on services they need.

Re:Off by default (4, Interesting)

ottothecow (600101) | more than 10 years ago | (#9757016)

Yes

He is right.

ISPs should block port 25, that is a definite yes at this point in time. But, when a user wants port 25, they should be able to ask and receive.

Your average cable/DSL user is probably still using their free yahoo or hotmail account to check email. Maybe they made an ISP account now that POP3/SMTP is offered, but they probably have no need for an external mailserver.

The next guy up--the one who wants the mailserver--is either someone who knows enough about the internet and can deal with the attacks on their system, or some corporate exec who is told that he needs to do this to check his email. They could have a little quiz about security and if you do well, you get port 25; if you don't do well you can either take a little online class or maybe just buy a NAT box (maybe with a reverse firewall).

Re:Off by default (0)

techno-vampire (666512) | more than 10 years ago | (#9757107)

You don't need port 25 to check your email; POP3 is 110. My ISP blocks all outgoing port 25 connections but doesn't insist (unlike some idiotic ISPs) that the return address be at their domain. I have an alternate address at the domain of a private club I'm a member of. I can check that email just fine, but when I send mail on that address it goes through my ISP's SMTP server. Unless you're either a spammer, a control freak or a hobbyist that really wants to learn how to run a mail server, there's no real reason to run your own.

Re:Off by default (1)

hellfire (86129) | more than 10 years ago | (#9757027)

It would also have an impact on my own personal email system. I have comcast as my ISP now, but I don't use comcast's email. I have a website, and through that I accept email. Because I have my own domain, I don't have to worry about changing my email ever again and everyone can get in touch with me. Fortunately my site comes with a decent spam blocker as well.

And finally, I gain access to that email site via the mail program on my mac. I do this to integrate with my address book, which also integrates with my Treo 270. Everything works nice and neat and I get loads of features and things just work. It would take too long to go into major detail, but because of my setup, which has lots of conveniences for me and is what I want, blocking access to my website's email from my connection would royally screw things up.

And I don't host spam lists or anything like that. I should be allowed to access any email server I want thank you. It's the spam servers which have to be localized and taken out.

Are they user proof? (1)

Jailbrekr (73837) | more than 10 years ago | (#9756889)

How can you make a reverse firewall as easy to set up as a normal consumer firewall? Is technology advanced and automated enough that this reverse firewall can detect when a user is sending email via port 25 to his or her ISP's SMTP server? Can a reverse firewall tell the difference between spam being sent out, and someone emailing his entire family with good news about his daughter's report card?

A better solution is for ISPs to block port 25 for all consumer connections, and only allow port 25 traffic to their own SMTP servers. Why put the onus on the consumers, when it is the ISPs who seem to be failing us?

Re:Are they user proof? (1)

eingram (633624) | more than 10 years ago | (#9756930)

Can a reverse firewall tell the difference between spam being sent out, and someone emailing his entire family with good news about his daughter's report card?

Sure. Set up a basic word filter to look for "enlarge" and "penis." Stop all e-mail that matches. ;)

Re:Are they user proof? (2, Insightful)

black mariah (654971) | more than 10 years ago | (#9756965)

Why put the onus on the consumers, when it is the ISPs who seem to be failing us?

Because the users are the ones that have the "FREE PORN NOW" software on their computer that creates all that spam in the first place. Always look towards user stupidity for your first answers.

Re:Are they user proof? (1)

Nekkrist (709729) | more than 10 years ago | (#9757043)

A better solution is for ISPs to block port 25 for all consumer connections, and only allow port 25 traffic to their own SMTP servers. Why put the onus on the consumers, when it is the ISPs who seem to be failing us?

The problem with this is that those of us who use a mail account from work, school, and our home ISP may want to send mail from each of these accounts. An ISP blocking our school and work SMTP servers would be a pain.

Re:Are they user proof? (0)

Anonymous Coward | more than 10 years ago | (#9757075)

There are plenty of sender authentication protocols already available, so you can use any mail server from anywhere, securely, as long as you have the credentials to authenticate.

And, these already existing technologies (AuthTLS, etc.) operate on ports other than 25, so they aren't shut down.

All residential and small business connections, at least, should have this restriction (port 25 blocked), and ISPs' mail servers should have some reasonable limit on the amount of emails sent per day (say 100 per day outgoing).

Oh yeah, router manufacturers will buy this... (4, Interesting)

cleverhandle (698917) | more than 10 years ago | (#9756891)

I suppose the router manufacturers will take this step, which would certainly generate more tech support calls and higher engineering costs, out of the goodness of their hearts?

The manufacturers are in a beautiful position on the spam/virus issue - they just route the packets, virii are Microsoft's problem. Why rock the boat?

Re:Oh yeah, router manufacturers will buy this... (0)

Anonymous Coward | more than 10 years ago | (#9756974)

Viruses are not Microsoft's problem as such. Especially since some of the more successful ones don't do anything that they wouldn't be allowed to do on any other operating system.

Re:Oh yeah, router manufacturers will buy this... (4, Informative)

comet_11 (611321) | more than 10 years ago | (#9757067)

For the love of jesus, I hate any slashdot article relating to viruses. I have to read through comment after comment using the accursed "virii".

"Virii" is, and let me put this gently, not a goddamn word. I say this not just for your sake, but in the hope that at least a hundredth of the people operating under this painful warping of the English language. Read this, I beg you [archive.org] , and stop making me - and anyone who knows the word - cringe.

Reasonable? (1)

Southpaw018 (793465) | more than 10 years ago | (#9756892)

Seems reasonable. Too reasonable. Just like a deal with the devil.

The Journey of 1,000 miles (2, Insightful)

agentxy (544949) | more than 10 years ago | (#9756913)

Great Idea! New technical concepts and products always excite me. We must keep one thing in mind however, hackers/crackers/spammers/whatever you want to call them are clever and very imaginative people. Single concepts and technologies will be overcome and bypassed. The security/spam fight needs to be a continuous and evolving process. One cannot simply rely on a single product or conceptual model to end malicious actions. When people start realizing that keeping computers secure is a process and NOT a product, the world will be a lot safer and secure.

Ha! Beat you to it! (2, Funny)

physicsphairy (720718) | more than 10 years ago | (#9756915)

I, being the ubergeek that I am, already have a 14k^H^H^H^H "reverse-firewall".

No hackers for me, no siree!

Old hardware (0)

Endareth (684446) | more than 10 years ago | (#9756916)

So spammers either use slightly old hardware without the reverse-firewall, or simply use some of their ill-gotten gains to purchase higher end equipment, same as large companies or ISPs already do, which wouldn't have the reverse-firewall in it. Or even find a cheap hardware manufacturer who will simply not include the reverse-firewall in exchange for the spammers buying all their hardware from them.

Re:Old hardware (1)

physicsphairy (720718) | more than 10 years ago | (#9756937)

The idea here is not to stop spammers from using their own equipment, it is to stop them from using others' equipment (i.e. trojaned windows boxes).

icewall. (1)

silicongodcom (241132) | more than 10 years ago | (#9756918)

at least name it right!

Reverse? (0)

Anonymous Coward | more than 10 years ago | (#9756919)

I don't get it, how is this different from a regular firewall? Do they come configured to block everything by default?

If anything, maybe filters that worked on a "if x packets in n time access y port then block" would be a decent idea. Like a lot of IRC scripts do as flood protection.

Why this might be a good idea for this problem (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9756922)

SMTP is limited to one port (25), and most people are simply not sending out hundreds of emails per hour. A simple bit of rate limiting of the outgoing traffic (say 60 emails per hour) wouldn't even be noticed by 99% of home users. The other 1% probably know what they're doing and could disable it. 60 per hour is plenty for the average person, but a hindrance to a spammer.

ZoneAlarm software firewall already checks... (1)

Futurepower(R) (558542) | more than 10 years ago | (#9756985)

ZoneAlarm software firewall already checks for unreasonable outgoing email, and asks the user if it is okay. ZoneAlarm checks time, number of recipients, and attachment reasonability.

Re:Why this might be a good idea for this problem (0)

Anonymous Coward | more than 10 years ago | (#9757092)

I'd love to see a change to the SMTP spec so that the first 100k of any email is severely rate limited on a per connection basis.

So, you send out an email with a 2 MB attachment, everything works as usual, save for the slower first 100k.

You send out 25,000 spams for p3n!s enl@rgment p!ll$ and it takes you an eternity.

Spam would drop off the face of the earth.

Large mass mailing houses would be affected, but they could deal with it. I send out a newsletter to 75,000 subscribers monthly, and this would take several days instead of several hours to complete, but it's no big deal.

Reverse firewalls? (4, Insightful)

afay (301708) | more than 10 years ago | (#9756923)

First of all, the linked article simply describes a firewall blocking some outgoing traffic with easy rate limit rules (i.e. no email after x messages sent in y amount of time). There's no need to call it a reverse firewall. It's a firewall, plain and simple. Just because most people allow all outgoing traffic doesn't mean that if you block some you've invented a new type of firewall.

The other article is really describing a completely different thing. They use the same term, reverse firewall, but they talk about firewalling each individual machine inside a lan. Basically, they suggest a firewall on each machine to protect the internal network from attacks that originate inside it. Completely different use of the term.

It sort of looks like the submitter just googled for "reverse firewall" and posted the first match. Or actually it appears to be the 4th match. Anyway, regardless, the two links seem to be talking about different things. Both of them have merit, but neither seems particularly innovative. I do like the first article's idea of rate limiting outgoing email on home router boxes by default. Seems like it would solve a lot of spam problems.

Re:Reverse firewalls? (1)

FauxReal (653820) | more than 10 years ago | (#9756957)

Well, if it "sounds" different it's patentable isn't it? Someone call my lawyer we got some money to make!

Re:Reverse firewalls? (1)

laing (303349) | more than 10 years ago | (#9756966)

The rate limiting idea is good - but I think the spammers have already developed and deployed a countermeasure to it. The latest trend of having a large, distributed pool of spam bots gets past this safeguard. Each node in the pool can send low-volume spam and still deliver the spammers message very effectively. "There's strength in numbers."

Either way, I don't like the idea of ISPs unilaterally deciding to change the terms of service after service has commenced. I'm in the very small minority of people who run their own mail exchanger.

--
This space for rent.

Egress firewalls.. (0)

Anonymous Coward | more than 10 years ago | (#9756925)

Wow. "VeriSign's principal scientist" recommends "reverse firewalls". Nice, but I believe the term and thoughts about EGRESS firewalling have been around for a while. Reverse firewalling - Yesh. Get a clue. It wouldn't be that bad of an idea but 1. It won't be turned on by default 2. People won't turn it on 3. People won't get it.

Noooo (2, Interesting)

joey.dale (796383) | more than 10 years ago | (#9756927)

[tinfoil_hat_on]
1. What if I were to have a good reason to send loads of e-mail?

2. Would these firewalls keep logs, and if so, who would have access to them?

3. This sounds a lot like Microsoft's Trusted Computing project, bad idea
[tinfoil_hat_off]

-Joey

Re:Noooo (0)

Anonymous Coward | more than 10 years ago | (#9756946)

1. You disable the feature if you know what you're doing (ie running a mail server on purpose).

2. It's your firewall/hardware device, so if there are logs (which there probably aren't), you have control over them.

3. It does?

Am I missing the point here? (1)

multiplexo (27356) | more than 10 years ago | (#9756931)

It seems to me that if you had properly configured firewalls built into all cable modems (at the very least having NAT and some packet inspection) that you could largely avoid the problem of having home PCs recruited into BotNets, turned into Zombies, et al. Also if Windows wasn't so bad from a security standpoint it would be a lot harder to infect/recruit Doze boxes. I keep my systems behind a firewall and keep my patches up to date and I do the same for my parents, so what is a reverse firewall going to do for us? And how long would it be before the hackers and script kiddies figure out how to game the reverse firewall rules and set up new phishing networks?

It was the obvious solution... (1)

retodd (798765) | more than 10 years ago | (#9756934)

Reverse firewall polarity!

accursed firewall... (1)

i_will_frag_u_all (792832) | more than 10 years ago | (#9756940)

all mine does is prevent me from playing Halo or Warcraft... that's pretty mean, blocking the viruses so they stay in your computer!! "great, my computer's infested with viruses, and we have to install a whole new operating system, but at least everyone else doesn't have it!!" c'mon, are you really going to think of that? how very american of them, ever think of the fact that we would WANT to send lots of viru-*cough*emails out to the general public? oh, so I'm not normal now?!?!?!?

Great Reverse Firewall for Mac OS X (4, Informative)

toupsie (88295) | more than 10 years ago | (#9756950)

If you have got a Mac, there is a program called "Little Snitch [obdev.at] " that is an excellent reverse firewall. While I am not worried as much about my Mac becoming a part of a botnet, it is amazing to see how often my installed software packages want to "phone home". I have even caught third party web advertisers wanting to open ports outside of 80 and 443.

A cable modem with a reverse firewall sounds nice but I would rather handle this at the CPU level. I want to choose what to block and accept.

Just do it right first time. (1)

solojony (774539) | more than 10 years ago | (#9756952)

If he means a firewall based on the network level and not on content, it will fail miserably in providing good service for power users, because the firewall won't be able to react to new traffic trends. Even NAT can give you headaches and has been around for a while.
If he means a firewall with content scanning embedded, it is certainly a security risk... for the user. I don't trust my router deciding what is right and not right for me, thank you.

What is needed here is a protocol for mail exchange designed with spam in mind, not zillions of dumb firewalls fighting their own users.

Stop bloating networks with security that fails at top protocols, some guys should reread OSI stack fundamentals...

Re:Just do it right first time. (1)

skhisma (598808) | more than 10 years ago | (#9756978)

I agree, a new protocol designed to prevent spam is a lot less frightening than the possibility of my router, modem, etc 'thinking different' (ie, exhibiting very palladium-esque features). Personally I think we should all be allowed to do what we wish with our hardware, even if that does give spammers the right to spam.

Rate limit regular SMTP (0)

Anonymous Coward | more than 10 years ago | (#9756967)

Regular people need to stop using port 25. It's time for users to switch to 587 or 465 for sending mail to their mail server. If you're running a mail server on purpose, then you can disable the rate limit.

Just had to (2, Funny)

manwithoneredsynth (798767) | more than 10 years ago | (#9756970)

Just the thing to protect the computers of... Reverse Vampires

real solution (1)

epyT-R (613989) | more than 10 years ago | (#9756971)

I know, instead of trying to band-aid the problem with a hack that does nothing but weaken the peer to peer concept of the net even more, how about getting Microsoft to fix the crux of the problems in the first place?

reverse firewall? what? (5, Interesting)

rritterson (588983) | more than 10 years ago | (#9756972)

Reverse Firewall? As far as I know, a wall of fire would be flaming on both sides.

All kidding aside, all capable firewalls do have outbound protection built into them. Consumer software firewalls monitor which programs are allowed to access the internet, for example, and enterprise-level firewalls allow you to define heuristics to block certain traffic patterns.

So, basically, the article is just suggesting a new name for an old concept. Really, the author wants consumer networking devices to have more capable firewalls.

He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop. On top of that, they have downloaded a trojan or been hit by a worm to turn them into relays in the first place, which is something a firewall + AV should prevent.

Also, it's probably just as easy to educate 75% of the people how not to become a spam relay as it is to get 75% of the people to buy something with a reverse firewall and then train them how to use it (most people I know just put their computers into the DMZ when they play games because they don't know how to forward ports).

Sure, layered security is a good thing, but I see this as likely to generate many headaches with not much benefit

Re:reverse firewall? what? (2, Informative)

hiekka (251960) | more than 10 years ago | (#9757015)

Hear, hear!

Outbound firewall is still firewall, not "reverse firewall" or "anti firewall" or ... It's firewall. Actually we should call inbound-only firewalls half-firewalls to distinguish from real firewalls.

I understand... (2, Insightful)

altaic (559466) | more than 10 years ago | (#9756976)

that spam is a difficult problem to solve, but that is the most idiotic idea I think I've ever encountered. That's like making it difficult to do encryption to prevent terrorists from communicating safely. Granted, "normal" people's computers are a vessel for spammers, but it's asinine to limit normal people's hardware. Why not fix the problem at the source and work on making consumers' computers secure? The day I find out my DSL modem is blocking ports or something like that is the day I wreck the thing while trying to fix it. I mean, really.

Worried about outgoing Spam? (2, Funny)

lecithin (745575) | more than 10 years ago | (#9756991)

Just Put a Condom on it.

Re:Worried about outgoing Spam? (0)

Anonymous Coward | more than 10 years ago | (#9757050)

that joke is so bad i think you should put a condom on your enter key to prevent any more escaping.

How much will it be useful ? (2, Insightful)

abhinavmodi (737782) | more than 10 years ago | (#9757021)

While it is true that the reverse firewall will stop too much traffic from a "home" computer, there are some aspects of this which raise interesting questions:
1. How much is "too much"? How is this decided?
2. What about proxies to circumvent this?
3. The majority of spam generated is probably not from a home computer.
4. Modern firewalls can be configured for outbound filtering as well. How radically will the proposed scheme be different from this?
Correct me if I am wrong in any of the assumptions above. If we are achieving too little while applying too much effort, the law of economy wouldn't justify this.

A DRM by any other name... (1)

noidentity (188756) | more than 10 years ago | (#9757033)

This sounds similar to the reasoning the RIAA and others use to conclude that DRM is a good thing. Copyright fair use turns into a permission model. At least in this case the problem is one of real theft of resources.

floods of e-mail (2, Interesting)

weenis (656512) | more than 10 years ago | (#9757035)

speaking of "floods of e-mail," one of the most entertaining things is to take my original copy of win2k without any service packs,
do a fresh install,
plug in without any firewall,
and watch how fast the damn thing tries to send out mass mailings :-)

Simpler (1)

Uhlek (71945) | more than 10 years ago | (#9757062)

ip access-list extended EGRESS_FILTER
permit tcp any eq smtp
deny tcp any any eq smtp
permit ip any any
interface
access-group EGRESS_FILTER out

Fixed!

Re:Simpler (1)

Uhlek (71945) | more than 10 years ago | (#9757079)

Stupid HTML

ip access-list extended EGRESS_FILTER
permit tcp any [smtp svr ip addr] eq smtp
deny tcp any any eq smtp
permit ip any any
interface [whatever]
access-group EGRESS_FILTER out

Fixed!

Re:Simpler (1)

Technician (215283) | more than 10 years ago | (#9757113)

permit tcp any eq smtp
deny tcp any any eq smtp

Is this a registry hack?

Where do you set that up on my WIN XP box. I don't see any button marked permit and deny.

Just kidding. I know it's not for Windows. However most of the compromised zombies are Win boxes. They are the ones needing the limit.

There seem to be a lot of misconceptions. (2, Insightful)

Artega VH (739847) | more than 10 years ago | (#9757069)

This would limit the rate of outgoing emails (or presumably anything else) to a limit that most people wouldn't hit in normal use. If implemented this limit would be configurable in the "firewall" so that users who know what they are doing can alter it.

It is different to software "reverse firewalls" such as Zonealarm as it couldn't easily be turned off by viruses and the like. But on the other hand it lets anything through once.

It would be beneficial to prevent the massing hordes of clueless broadband users from being juicy targets to the spammer - since each zombie could only send out a pathetically tiny number per hour.
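The per-host outgoing-mail limit described in this comment and in the "Why this might be a good idea" comment above (60 messages per hour, switchable off for a user who runs a mail server on purpose, with SMTP otherwise allowed only to the ISP's relay as in the ACL posted later in the thread), worked through as an added Python example; this is not code from the article, from any commenter or from any router vendor, and the relay and LAN addresses are constructed.

```python
from collections import defaultdict, deque

SMTP_PORT = 25
WINDOW_SECONDS = 3600
DEFAULT_LIMIT = 60                   # messages per hour per host, the figure proposed in the thread
ALLOWED_RELAYS = {"198.51.100.25"}   # constructed: the ISP's mail server (the ACL's "permit" line)
UNLIMITED_HOSTS = {"192.168.1.10"}   # constructed: a deliberately run home mail server, limit turned off


class EgressSmtpLimiter:
    """Sliding-window limit on outbound TCP/25 connections, tracked per LAN host."""

    def __init__(self, limit=DEFAULT_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.permitted = defaultdict(deque)   # src ip -> timestamps of permitted SMTP connections

    def decide(self, ts, src, dst, dport):
        if dport != SMTP_PORT:
            return "permit"                   # only outbound SMTP is policed
        if src in UNLIMITED_HOSTS:
            return "permit"                   # the user who knows what they are doing disabled it
        if dst not in ALLOWED_RELAYS:
            return "deny"                     # direct-to-MX delivery is blocked outright, as in the ACL
        recent = self.permitted[src]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()                  # forget connections older than the window
        if len(recent) >= self.limit:
            return "rate-limited"             # a zombie's flood is capped here
        recent.append(ts)
        return "permit"


def evaluate(lines, limiter=None):
    """Run records of the form 'ts src dst dport' through the limiter and
    return {src: {verdict: count}} so the per-host totals can be checked."""
    limiter = limiter or EgressSmtpLimiter()
    tally = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, dst, dport = line.split()
        tally[src][limiter.decide(int(ts), src, dst, int(dport))] += 1
    return {src: dict(counts) for src, counts in tally.items()}


def sample_log():
    """Constructed traffic: a zombie at .20 pushing 65 messages through the relay in
    32 minutes and one more an hour later, a host at .30 dialing a foreign MX directly
    plus one HTTPS connection, and the exempt mail server at .10 sending 70 messages."""
    lines = [f"{i * 30} 192.168.1.20 198.51.100.25 25" for i in range(65)]
    lines.append("3700 192.168.1.20 198.51.100.25 25")      # window has slid; permitted again
    lines.append("100 192.168.1.30 203.0.113.7 25")         # direct to an outside MX: denied
    lines.append("101 192.168.1.30 203.0.113.7 443")        # web traffic: never counted
    lines += [f"{i * 10} 192.168.1.10 198.51.100.25 25" for i in range(70)]
    return lines


if __name__ == "__main__":
    for host, counts in sorted(evaluate(sample_log()).items()):
        print(host, counts)   # .20 -> permit 61, rate-limited 5; .30 -> deny 1, permit 1; .10 -> permit 70
```

The sliding window is what keeps a legitimate burst from locking a host out for good: once the oldest permitted connections age past an hour, the same host is allowed to send again.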

Just wait (1)

mboverload (657893) | more than 10 years ago | (#9757090)

Wait till they start embedding "kiddie porn" filters in these things in the name of "protecting kids"

Great, it blocks stuff I don't give a shit about and will block legit sites. Sounds super.

Welcome 1984 (1)

novalogic (697144) | more than 10 years ago | (#9757091)

Wonderful, just what I need, yet another wing of the cable company telling me what I can and can't do. And just how do you propose monitoring this system? What if I run a mailing list or support group from home, why would I want to pay another $20 to send out 50 emails to people, and at what point would this firewall cut me off?

What if a new game comes out which makes an odd form of connection for multi-play. Or perhaps my software does something that's not viewed as "normal" by Joe Schmoe, M.C.S.E.

And what could I do about it?

Here is the problem.

You have a flood of water 15 foot high coming for your house.

So lets paint the basement with some water-sealant.

There are bigger problems to fix.

Complex things lead to complex problems.

security model (2, Funny)

blazen1 (583950) | more than 10 years ago | (#9757094)

However, the security model in 802.11 may not be enough to prevent an attacker to get access to the intranet.

you're kidding..

The downside of free speech. (1)

_aa_ (63092) | more than 10 years ago | (#9757099)

Obviously this is a practical concept, but I'm hesitant. I personally feel that spam blocking is the burden of the receiver, just by the nature of the email protocol. I hate obtrusive advertising as much as the next guy, but I do recognize it as a form of speech. And no matter how inane, idiotic, and offensive it may be, I feel it is protected under the 1st amendment.

I recognize that spam is an inconvenience for end recipients, and a serious waste of resources for networks. Regardless, I feel that a reverse firewall process as described sets a dangerous precedent. Many might concede to blocking mass emails, but would they also concede to blocking of private web servers? Would the blocking of P2P be acceptable?

I've encountered numerous mail servers that are rejecting emails sent from cable modem and DSL users. I think that that is a significantly more responsible solution, even though it may not be as efficient. I feel as a paying customer of my broadband provider, I should not be prevented from emailing whoever I want, in whatever manner I want, though I cannot force any mail server to actually receive my emails.

Been there, done that.... (1)

jclagreca (266053) | more than 10 years ago | (#9757104)

This sounds like a really dumb idea to me (It might be time to shit can their principal scientist) Not only will it be easy to get around after someone figures out how it works, but it sounds like something that should be done more centrally, maybe at the ISP level instead of each individual cable modem.

Actually if this "scientist" did his research he would have found it has already been done by ISPs. Cox.net blocks outgoing port 25 so you are forced to use their email servers. I'm sure they have something in place to prevent an outflow of spam.

ISPs can block whatever they want because all traffic must flow through them. Therefore this is an old idea, that may just need to be implemented in more places.

Reverse Firewalls are already very popular (0)

Anonymous Coward | more than 10 years ago | (#9757105)

..in Japan.

fFrost pist (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9757116)

I liked this idea better... (0)

Anonymous Coward | more than 10 years ago | (#9757118)

..when it was called "egress filtering", done at the ISP's hardware.

This guy shouldn't even get the time of day on Slashdot.. what's next:

"To filter spam we should use DNS to publish the IP addresses of spamming hosts. I call this 'DNS-based Naughty Lists' or 'DNSNL'.. no one ever thought of this before.. I AM TEH GEN1US!!!!!!!!!!!!11111111111"