Hurricane Electric's IPv6 Tunnel Broker Forums

Tunnelbroker.net Specific Topics => Questions & Answers => Topic started by: rpress on July 30, 2010, 08:15:29 AM

Title: PPTP problems
Post by: rpress on July 30, 2010, 08:15:29 AM
I set up the PPTP tunnel a few months ago and it was great!  But unfortunately I've been having problems lately.  Most recently as of yesterday my SMTP server is blocked with a src port of 25...  Previously I noticed outgoing mail was blocked, which is understandable, but now my server receives SMTP and I see it in my router with the reply, but it doesn't get out to the internet.  So incoming SMTP no longer works.  Anyone else notice this?  I wish outgoing SMTP was allowed too, maybe a relay using your he.net login?

Also the tunnel goes down erratically.  My outside IP is static, and I even disabled the firewall, but it still goes down (and comes back immediately), sometimes every minute or sometimes it's up for hours.

PPTP to he.net goes down/up on my Win7 laptop at my girlfriend's house too, so I think it's something with the he.net server.

I use the tunnel to get another static IP, maybe not the intended use. ;D  I know it's free and beta and I'm not complaining!  Thanks a lot guys.
Title: Re: PPTP problems
Post by: kcochran on July 30, 2010, 08:32:33 AM
Alas, 25 actually had to be locked down both ways, or there are some ways to effectively get around the outgoing block if your upstreams don't do certain checks.  We originally didn't lock down the inbound, but people started doing those tricks, and getting space blacklisted, so it had to go as well.

As to outgoing alternatives, most providers should have a server on 587/tcp (msa), since that's been spec for a while now.  It's meant for client submission and requires authentication.  Lets 25/tcp switch over to a server-server role and permits people to drop 25 at their client edges.  I'm also not aware of any plans to add in mail relay service to the PPTP services at this time.

As to tunnel bounciness... send what information you have (username, times, etc.) to ipv6@he.net, and we can look at it more.
Title: Re: PPTP problems
Post by: cheatv6 on July 30, 2010, 08:57:42 AM
I can appreciate the need to keep your network secure and that this is a free (useful!) service, but I wish there had been an e-mail notification about that change prior to it happening.  Idiot spammers ruining it for us all...  ::)
Title: Re: PPTP problems
Post by: Ninho on July 30, 2010, 11:03:36 AM
Quote from: cheatv6 on July 30, 2010, 08:57:42 AM
  Idiot spammers ruining it for us all...  ::)

Ditto !

And BTW, maybe it's asking too much effort, let's ask anyway : instead of shutting down 25 entirely for everybody, couldn't HE monitor the abuser(s) and cancel their tunnels and accounts only, while maintaining full internet service to honest users, since everything is authorisation based anyway ?

Title: Re: PPTP problems
Post by: kcochran on July 30, 2010, 11:07:07 AM
Quote from: Ninho on July 30, 2010, 11:03:36 AM
And BTW, maybe it's asking too much effort, let's ask anyway : instead of shutting down 25 entirely for everybody, couldn't HE monitor the abuser(s) and cancel their tunnels and accounts only, while maintaining full internet service to honest users, since everything is authorisation based anyway ?

Unfortunately they'd be back in minutes from a new IP/email/etc. on a new account.  We haven't perfected a way of revoking someone's ability to be a jerk on the internet, alas.
Title: Re: PPTP problems
Post by: snarked on July 30, 2010, 11:13:19 AM
Does your port 25 block apply to all tunnels, or only PPTP tunnels?

I ask because my tunnel is to my colocated box - basically, I am my own ISP.
Title: Re: PPTP problems
Post by: rpress on July 30, 2010, 11:15:41 AM
Thanks for your fast reply!

Maybe those accounts with Sage status will have port 25 unblocked.   ;)  And perhaps limit to 20 outgoing emails a day or something.  :-*

I'll gather up my PPTP logs and send them along to you guys in a bit.


IPv6 tunnels allow port 25; at least they used to.  :P  Without this only people with native v6 can do v6 email.
Title: Re: PPTP problems
Post by: kcochran on July 30, 2010, 11:24:55 AM
Quote from: snarked on July 30, 2010, 11:13:19 AM
Does your port 25 block apply to all tunnels, or only PPTP tunnels?

Just the v4 PPTP side.  The v6 email world so far doesn't seem to be as well embraced in the world of the spammers, so we haven't had to deal with things over there yet.  Blocking it there would also make it really tough for many people to get up to Sage.  :D
Title: Re: PPTP problems
Post by: cheatv6 on July 30, 2010, 09:15:15 PM
Quote from: rpress on July 30, 2010, 11:15:41 AM
Thanks for your fast reply!

Maybe those accounts with Sage status will have port 25 unblocked.   ;)

This would be nice, but probably more manual effort than HE is willing to invest in a free service.  Considering Sages have gone through several tests, have confirmed e-mail addresses, and likely have an actual postal address on file, it'd be a bit of a stretch for a spammer to get that far.

Don't get me wrong, I'm grateful for the service.  Ironically, I liked the tunnel for, among other things, inbound SMTP because it improves the spam filtering on my test/dev mail setup.
Title: Re: PPTP problems
Post by: snarked on July 30, 2010, 09:26:22 PM
Quote: The v6 email world so far doesn't seem to be as well embraced in the world of the spammers,....
Although not regularly, I have received spam via IPv6, and even a TLS'ed SMTP session.  I find that the transport has nothing to do with content.  If every mail server supported IPv6, I bet we'd be seeing the same level of spam via IPv6 as IPv4.

Thank you for the reply.
Title: Re: PPTP problems
Post by: kcochran on July 30, 2010, 09:59:20 PM
Quote from: snarked on July 30, 2010, 09:26:22 PM
Quote: The v6 email world so far doesn't seem to be as well embraced in the world of the spammers,....
Although not regularly, I have received spam via IPv6, and even a TLS'ed SMTP session.  I find that the transport has nothing to do with content.  If every mail server supported IPv6, I bet we'd be seeing the same level of spam via IPv6 as IPv4.

Thank you for the reply.

I know they know about it, and as you noted TLS (they also use DKIM, SPF, etc.).  They know all the tricks to trigger things which lower spam scores, but right now v6 isn't too high on their radar unless the source has v6 connectivity along with the destination.  At some point we'll likely have to put in some measures to stem any problems on broker accounts, but so far we haven't had any real issues. *knock on wood*
Title: Re: PPTP problems
Post by: liuxyon on August 02, 2010, 01:11:08 PM
Quote from: kcochran on July 30, 2010, 11:07:07 AM
Quote from: Ninho on July 30, 2010, 11:03:36 AM
And BTW, maybe it's asking too much effort, let's ask anyway : instead of shutting down 25 entirely for everybody, couldn't HE monitor the abuser(s) and cancel their tunnels and accounts only, while maintaining full internet service to honest users, since everything is authorisation based anyway ?

Unfortunately they'd be back in minutes from a new IP/email/etc. on a new account.  We haven't perfected a way of revoking someone's ability to be a jerk on the internet, alas.

I think not because of bad people, we can not lead a normal life. We should consider taking some measures to reduce the impact of this kind of thing.

For example, demand for services on this particular user, you can verify the fees charged on each account. This can at least reduce the risk of abuse.

Or listen to your views, take other and better way.
Title: Re: PPTP problems
Post by: broquea on August 02, 2010, 01:24:39 PM
There aren't any "fees" with the free service, nor will there be. The PPTP BETA is designed around NAT penetration primarily to allow users to bring up their IPv6 tunnel with no additional software installed. We've already had to deal with the spammers, and also the users who decided to torrent pirated works on their PPTP IP resulting in DMCA takedown notices and terminating their accounts. It is a free service and will have some restrictions along the way to protect itself from abuses.

I'm thinking why not filter everything on the PPTP except protocol41 after all the point of the broker is supposed to be getting people onto IPv6, but that is a personal opinion on the PPTP service.
Title: Re: PPTP problems
Post by: liuxyon on August 03, 2010, 02:23:51 AM
We need to open network ports, in order to prevent abuse, the need for the user, may voluntarily choose value-added services. For example, the collection launched a symbolic fee of $ 1 USD.   
Title: Re: PPTP problems
Post by: broquea on August 03, 2010, 08:27:07 AM
Quote from: liuxyon on August 03, 2010, 02:23:51 AM
We need to open network ports, in order to prevent abuse, the need for the user, may voluntarily choose value-added services. For example, the collection launched a symbolic fee of $ 1 USD.   

If you want to purchase some kind of service, you should email sales@he.net
Title: Re: PPTP problems
Post by: rpress on August 03, 2010, 04:42:06 PM
Quote from: broquea on August 02, 2010, 01:24:39 PM
I'm thinking why not filter everything on the PPTP except protocol41 after all the point of the broker is supposed to be getting people onto IPv6, but that is a personal opinion on the PPTP service.

Sounds like this is the way it's going anyway so I'll move on and see what else I can come up with for my servers.

At home I'm using the tunnel for prot 41 only.  I noticed that "VPN is Tunnel Endpoint" stopped working - mine was checked but the v6 tunnel was not working.  I unticked the box and put my PPTP IP in as the endpoint and the tunnel started working immediately.

Title: Re: PPTP problems
Post by: liuxyon on August 14, 2010, 12:39:02 PM
Quote from: broquea on August 03, 2010, 08:27:07 AM
Quote from: liuxyon on August 03, 2010, 02:23:51 AM
We need to open network ports, in order to prevent abuse, the need for the user, may voluntarily choose value-added services. For example, the collection launched a symbolic fee of $ 1 USD.   

If you want to purchase some kind of service, you should email sales@he.net

ok. I will try for it..

Title: Re: PPTP problems
Post by: liuxyon on August 14, 2010, 12:41:02 PM
Interestingly, the first time I saw spam from ipv6 network.  :P

Return-Path: juan_mao@xuite.net
Delivered-To: webmaster@xiaoyu.net
Received: from mail.maderacomputerlab.net ([2002:47c3:b39e:0:216c:8af:29bf:b66e])
   by mail.v6.xiaoyu.net
   ; Sat, 24 Jul 2010 20:01:51 +0800
Received: from 71.195.179.158 (212.26.60.100) by
MCSERVER.maderacomputerlab.local (192.168.1.202) with Microsoft SMTP Server
id 14.0.639.21; Sat, 24 Jul 2010 04:25:04 -0700
Received: from 140.132.42.92 by 212.26.60.100; Sat, 31 Jul 2010 07:32:44 -0400
Message-ID: <ZQZSLFAIULHJOFFIWZTYDL@xuite.net>
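
The Received lines in the post above can be checked mechanically. As an added example (not part of the original post), this Python code decodes the 6to4 address in the newest hop to the IPv4 address it embeds and checks that the hop timestamps run in order; the function names `parse_hops` and `findings` are made up for the illustration.

```python
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Trace headers copied from the post above, newest hop first.
SAMPLE = """\
Received: from mail.maderacomputerlab.net ([2002:47c3:b39e:0:216c:8af:29bf:b66e])
   by mail.v6.xiaoyu.net
   ; Sat, 24 Jul 2010 20:01:51 +0800
Received: from 71.195.179.158 (212.26.60.100) by
MCSERVER.maderacomputerlab.local (192.168.1.202) with Microsoft SMTP Server
id 14.0.639.21; Sat, 24 Jul 2010 04:25:04 -0700
Received: from 140.132.42.92 by 212.26.60.100; Sat, 31 Jul 2010 07:32:44 -0400
"""

def parse_hops(raw):
    """Split on 'Received:' (the pasted folding is damaged); return IPs and date per hop."""
    hops = []
    for chunk in re.split(r"(?m)^Received:", raw)[1:]:
        text = " ".join(chunk.split())
        head, _, date = text.rpartition(";")   # the date follows the last ';'
        ips = []
        for tok in re.findall(r"[0-9A-Fa-f:.]{3,}", head):
            try:
                ips.append(ipaddress.ip_address(tok.strip(".")))
            except ValueError:
                pass  # hostname fragment, version string, etc.
        hops.append({"ips": ips, "when": parsedate_to_datetime(date.strip())})
    return hops

def findings(hops):
    """Report 6to4 senders and hops whose timestamps are out of order."""
    out = []
    for i, hop in enumerate(hops):
        older_ips = {ip for h in hops[i + 1:] for ip in h["ips"]}
        for ip in hop["ips"]:
            # 6to4 (2002::/16) carries the sender's public IPv4 in bits 16..47.
            v4 = ip.sixtofour if ip.version == 6 else None
            if v4:
                seen = "also named" if v4 in older_ips else "not named"
                out.append(f"hop {i}: 6to4 {ip} embeds {v4}, {seen} in an older hop")
        # Hops are listed newest first, so each must be no earlier than the next.
        if i + 1 < len(hops) and hop["when"] < hops[i + 1]["when"]:
            out.append(f"hop {i + 1}: stamped later than newer hop {i}")
    return out

if __name__ == "__main__":
    for line in findings(parse_hops(SAMPLE)):
        print(line)
```

On these headers it reports that the 6to4 address embeds 71.195.179.158, the same address the next Received line names, and that the oldest hop is stamped 31 Jul, a week after the 24 Jul delivery above it.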
Title: Re: PPTP problems
Post by: broquea on August 14, 2010, 12:48:55 PM
Good to know zombie-ware is dual-stacked.

No idea what this has to do with PPTP issues though ;)
Title: Re: PPTP problems
Post by: liuxyon on August 14, 2010, 03:19:19 PM
Quote from: liuxyon on August 14, 2010, 12:39:02 PM
Quote from: broquea on August 03, 2010, 08:27:07 AM
Quote from: liuxyon on August 03, 2010, 02:23:51 AM
We need to open network ports, in order to prevent abuse, the need for the user, may voluntarily choose value-added services. For example, the collection launched a symbolic fee of $ 1 USD.   

If you want to purchase some kind of service, you should email sales@he.net

ok. I will try for it..



I have sent mail to sales@he.net.  waiting for reply.
Title: Re: PPTP problems
Post by: liuxyon on August 14, 2010, 03:23:08 PM
Quote from: broquea on August 14, 2010, 12:48:55 PM
Good to know zombie-ware is dual-stacked.

No idea what this has to do with PPTP issues though ;)

Now relatively rare. I do not know where he comes from to send it. But from the spam letter of view, perhaps from Hong Kong or Taiwan.