PPTP problems

Started by rpress, July 30, 2010, 08:15:29 AM


rpress

I set up the PPTP tunnel a few months ago and it was great!  But unfortunately I've been having problems lately.  Most recently as of yesterday my SMTP server is blocked with a src port of 25...  Previously I noticed outgoing mail was blocked, which is understandable, but now my server receives SMTP and I see it in my router with the reply, but it doesn't get out to the internet.  So incoming SMTP no longer works.  Anyone else notice this?  I wish outgoing SMTP was allowed too, maybe a relay using your he.net login?

Also the tunnel goes down erratically.  My outside IP is static, and I even disabled the firewall, but it still goes down (and comes back immediately), sometimes every minute or sometimes it's up for hours.

PPTP to he.net goes down/up on my Win7 laptop at my girlfriend's house too, so I think it's something with the he.net server.

I use the tunnel to get another static IP, maybe not the intended use. ;D  I know it's free and beta and I'm not complaining!  Thanks a lot guys.

kcochran

Alas, 25 actually had to be locked down both ways, or there are some ways to effectively get around the outgoing block if your upstreams don't do certain checks.  We originally didn't lock down the inbound, but people started doing those tricks, and getting space blacklisted, so it had to go as well.

As to outgoing alternatives, most providers should have a server on 587/tcp (msa), since that's been spec for a while now.  It's meant for client submission and requires authentication.  Lets 25/tcp switch over to a server-server role and permits people to drop 25 at their client edges.  I'm also not aware of any plans to add in mail relay service to the PPTP services at this time.

As to tunnel bounciness... send what information you have (username, times, etc.) to ipv6@he.net, and we can look at it more.

cheatv6

I can appreciate the need to keep your network secure and that this is a free (useful!) service, but I wish there had been an e-mail notification about that change prior to it happening.  Idiot spammers ruining it for us all...  ::)
My username is after my cat, "The Cheat."  I'm not cheating IPv6. :)

Ninho

Quote from: cheatv6 on July 30, 2010, 08:57:42 AM
  Idiot spammers ruining it for us all...  ::)

Ditto !

And BTW, maybe it's asking too much effort, let's ask anyway : instead of shutting down 25 entirely for everybody, couldn't HE monitor the abuser(s) and cancel their tunnels and accounts only, while maintaining full internet service to honest users, since everything is authorisation based anyway ?


kcochran

Quote from: Ninho on July 30, 2010, 11:03:36 AM
And BTW, maybe it's asking too much effort, let's ask anyway : instead of shutting down 25 entirely for everybody, couldn't HE monitor the abuser(s) and cancel their tunnels and accounts only, while maintaining full internet service to honest users, since everything is authorisation based anyway ?

Unfortunately they'd be back in minutes from a new IP/email/etc. on a new account.  We haven't perfected a way of revoking someone's ability to be a jerk on the internet, alas.

snarked

Does your port 25 block apply to all tunnels, or only PPTP tunnels?

I ask because my tunnel is to my colocated box - basically, I am my own ISP.

rpress

Thanks for your fast reply!

Maybe those accounts with Sage status will have port 25 unblocked.   ;)  And perhaps limit to 20 outgoing emails a day or something.  :-*

I'll gather up my PPTP logs and send them along to you guys in a bit.


IPv6 tunnels allow port 25; at least they used to.  :P  Without this only people with native v6 can do v6 email.

kcochran

Quote from: snarked on July 30, 2010, 11:13:19 AM
Does your port 25 block apply to all tunnels, or only PPTP tunnels?

Just the v4 PPTP side.  The v6 email world so far doesn't seem to be as well embraced in the world of the spammers, so we haven't had to deal with things over there yet.  Blocking it there would also make it really tough for many people to get up to Sage.  :D

cheatv6

Quote from: rpress on July 30, 2010, 11:15:41 AM
Thanks for your fast reply!

Maybe those accounts with Sage status will have port 25 unblocked.   ;)

This would be nice, but probably more manual effort than HE is willing to invest in a free service.  Considering Sages have gone through several tests, have confirmed e-mail addresses, and likely have an actual postal address on file, it'd be a bit of a stretch for a spammer to get that far.

Don't get me wrong, I'm grateful for the service.  Ironically, I liked the tunnel for, among other things, inbound SMTP because it improves the spam filtering on my test/dev mail setup.

snarked

Quote
The v6 email world so far doesn't seem to be as well embraced in the world of the spammers,....
Although not regularly, I have received spam via IPv6, and even a TLS'ed SMTP session.  I find that the transport has nothing to do with content.  If every mail server supported IPv6, I bet we'd be seeing the same level of spam via IPv6 as IPv4.

Thank you for the reply.

kcochran

Quote from: snarked on July 30, 2010, 09:26:22 PM
Quote
The v6 email world so far doesn't seem to be as well embraced in the world of the spammers,....
Although not regularly, I have received spam via IPv6, and even a TLS'ed SMTP session.  I find that the transport has nothing to do with content.  If every mail server supported IPv6, I bet we'd be seeing the same level of spam via IPv6 as IPv4.

Thank you for the reply.

I know they know about it, and as you noted TLS (they also use DKIM, SPF, etc.).  They know all the tricks to trigger things which lower spam scores, but right now v6 isn't too high on their radar unless the source has v6 connectivity along with the destination.  At some point we'll likely have to put in some measures to stem any problems on broker accounts, but so far we haven't had any real issues. *knock on wood*

liuxyon

Quote from: kcochran on July 30, 2010, 11:07:07 AM
Quote from: Ninho on July 30, 2010, 11:03:36 AM
And BTW, maybe it's asking too much effort, let's ask anyway : instead of shutting down 25 entirely for everybody, couldn't HE monitor the abuser(s) and cancel their tunnels and accounts only, while maintaining full internet service to honest users, since everything is authorisation based anyway ?

Unfortunately they'd be back in minutes from a new IP/email/etc. on a new account.  We haven't perfected a way of revoking someone's ability to be a jerk on the internet, alas.

I think not because of bad people, we can not lead a normal life. We should consider taking some measures to reduce the impact of this kind of thing.

For example, demand for services on this particular user, you can verify the fees charged on each account. This can at least reduce the risk of abuse.

Or listen to your views, take other and better way.

broquea

There aren't any "fees" with the free service, nor will there be. The PPTP BETA is designed around NAT penetration primarily to allow users to bring up their IPv6 tunnel with no additional software installed. We've already had to deal with the spammers, and also the users who decided to torrent pirated works on their PPTP IP resulting in DMCA takedown notices and terminating their accounts. It is a free service and will have some restrictions along the way to protect itself from abuses.

I'm thinking why not filter everything on the PPTP except protocol41 after all the point of the broker is supposed to be getting people onto IPv6, but that is a personal opinion on the PPTP service.

liuxyon

We need to open network ports, in order to prevent abuse, the need for the user, may voluntarily choose value-added services. For example, the collection launched a symbolic fee of $ 1 USD.   

broquea

Quote from: liuxyon on August 03, 2010, 02:23:51 AM
We need to open network ports, in order to prevent abuse, the need for the user, may voluntarily choose value-added services. For example, the collection launched a symbolic fee of $ 1 USD.   

If you want to purchase some kind of service, you should email sales@he.net