Results 1 to 10 of 10
  1. #1

    Stop outbound spam on an open wireless network

    I'm not sure if this is the right place to be posting this, but at our hotel, we have wireless routers (Linksys) that any of our clients can use to connect their laptops to the internet. We have been getting reports from our ISP that spam has been coming from our external IP address, so I wanted to know what people would recommend as ways to combat either our computers or any of our clients' computers from sending out spam. The internet is connected through a firewall/server computer running linux. I thought about blocking port 25, but I'm sure we would have clients complaining about not being able to send any mail. Any ideas are welcome.

  2. #2
    Join Date
    Mar 2005
    Location
    Maine, USA
    Posts
    302
    That is what I would recommend, is blocking port 25. If they need to send e-mail, they can either use webmail or change their SMTP port to something else. I did the same on a wifi hotspot I set up for a customer who owns a motel.
    I'm pretty sure that's what the corporate chain hotels do as well, though I haven't been to a hotel with wifi in awhile.

  3. #3
    Either that or setup WPA encryption, and whenever customers check in hand them a piece of paper that has the password on it.

    Change the password once a month.

    Most likely the spam being sent is not by customers but by outside people picking the connection up.

  4. #4
    Join Date
    Feb 2008
    Location
    Montreal, QC
    Posts
    18
    I would disagree, for two reasons. One, needing to get encryption keys from the front-desk would be a serious annoyance for the end-user and an administrative overhead for the hotel.

    I do not think spammers are interested in driving around looking for hotspots to send spam, maybe it happens but its not unlikely that the spam is coming from guests laptops that are infested with spyware and virus's.

    I would suspect business users would already be conditioned to port25 being blocked at hotels etc, as mentioned above theres always webmail, vpn's, alternate ports... blocking port25 will solve your spam issue and have the least impact on your customers.

    Quote Originally Posted by arjones85 View Post
    Either that or setup WPA encryption, and whenever customers check in hand them a piece of paper that has the password on it.

    Change the password once a month.

    Most likely the spam being sent is not by customers but by outside people picking the connection up.

  5. #5
    Quote Originally Posted by uptimearchive View Post
    I would disagree, for two reasons. One, needing to get encryption keys from the front-desk would be a serious annoyance for the end-user and an administrative overhead for the hotel.
    Annoyance? They check in, the person asks if they have a laptop and will be getting on the internet. If the customer responds yes they hand them a piece of paper. How annoying could that possibly be? And what overhead? A cost of a slip of paper? You can easily print over 50 keys on a single piece of paper.

    I do not think spammers are interested in driving around looking for hotspots to send spam, maybe it happens but its not unlikely that the spam is coming from guests laptops that are infested with spyware and virus's.

    I would suspect business users would already be conditioned to port25 being blocked at hotels etc, as mentioned above theres always webmail, vpn's, alternate ports... blocking port25 will solve your spam issue and have the least impact on your customers.

    I disagree. And who is to say the hotel isn't next to a residential area? There are plenty of them. I used to live right next to a motel and had free wifi from there for quite a long time. I could have sent millions upon millions of spam emails with very, very little chance of ever being caught or anyone being the wiser. That's fine if there's some business professionals who are used to 25 being blocked and use SSL encryption of something different instead, but closing ports in my opinion is more disruptive than handing out a slip of paper when a customer brings a laptop in.

    Blocking port 25 is fine and dandy, but I really do think using a WPA key is the answer, as it will not only prevent outside intruders from gaining access to your network, but also provide a level of security for your customers so that you don't have any unsavory individuals sniffing passwords on an open network.

  6. #6
    Join Date
    Nov 2005
    Posts
    352
    Quote Originally Posted by arjones85 View Post
    Annoyance? They check in, the person asks if they have a laptop and will be getting on the internet. If the customer responds yes they hand them a piece of paper. How annoying could that possibly be? And what overhead? A cost of a slip of paper? You can easily print over 50 keys on a single piece of paper.
    I think that the administrative overhead would come from trying to walk an end-user through typing in a really long string in their wi-fi settings on their computer. Most users will not know how to set up a new wi-fi connection, set the encryption settings, set the encryption key (good luck trying to find a typo in a 50 character string), etc., not to mention the people that will be calling in after they leave your hotel because the changes you forced them to make have now broken their home or work wi-fi settings. Do you really want to hire a separate tech staff to talk users through this? What if your hotel has 300+ rooms?

    Quote Originally Posted by arjones85 View Post
    I disagree. And who is to say the hotel isn't next to a residential area? There are plenty of them. I used to live right next to a motel and had free wifi from there for quite a long time. I could have sent millions upon millions of spam emails with very, very little chance of ever being caught or anyone being the wiser. That's fine if there's some business professionals who are used to 25 being blocked and use SSL encryption of something different instead, but closing ports in my opinion is more disruptive than handing out a slip of paper when a customer brings a laptop in.
    This isn't a college campus where everyone that comes through has to register their computers, your users are somewhat technology literate, and everyone stays in the system for months at a time. This is a hotel where the entire guest population changes on a daily basis and the computer literacy level is often rock bottom. Guests will not want to deal with the hassle. The entire "tech staff" at a hotel usually consists of a single page of instructions in the hotel room, and the on-site employees are usually just about as computer literate as the guests. (In many cases they might actually say that the on-site staff cannot help you troubleshoot your wi-fi connection.) When you have a controlled network you can enforce draconian security policies. But if you do it wrong, your guests will complain about the poor service and poor Internet connection you provided them.

    Quote Originally Posted by arjones85 View Post
    Blocking port 25 is fine and dandy, but I really do think using a WPA key is the answer, as it will not only prevent outside intruders from gaining access to your network, but also provide a level of security for your customers so that you don't have any unsavory individuals sniffing passwords on an open network.
    The hotel is not concerned with security. The only reason they are offering wi-fi is because everyone else is doing it. Therefore, to be competitive, they offer just enough service to compete with other hotels. That does not have to include encryption, and the hotel makes no guarantee as such. Besides, just because you include WPA does not guarantee that your guests will not be sending spam from their computers (whether voluntarily or involuntarily).

  7. #7
    I think that the administrative overhead would come from trying to walk an end-user through typing in a really long string in their wi-fi settings on their computer. Most users will not know how to set up a new wi-fi connection, set the encryption settings, set the encryption key (good luck trying to find a typo in a 50 character string), etc., not to mention the people that will be calling in after they leave your hotel because the changes you forced them to make have now broken their home or work wi-fi settings. Do you really want to hire a separate tech staff to talk users through this? What if your hotel has 300+ rooms?
    You are thinking of WEP. I said WPA. WPA keys are transparent in that they are nothing but regular words or whatever you set the password as. The password can be as simple as "hotelwifi." If you can't type "hotelwifi" in without making a typo, you don't deserve to have a computer

    It also would not have an effect on any other wireless connection the person may or may not have had, as the router's settings would not interfere with any other settings stored on the laptop. You have used wireless before right? Did the act of you typing a WPA key in for a connection later affect you ability to connect to a different connection? It isn't supposed to, and it doesn't for me.


    This isn't a college campus where everyone that comes through has to register their computers, your users are somewhat technology literate, and everyone stays in the system for months at a time. This is a hotel where the entire guest population changes on a daily basis and the computer literacy level is often rock bottom. Guests will not want to deal with the hassle. The entire "tech staff" at a hotel usually consists of a single page of instructions in the hotel room, and the on-site employees are usually just about as computer literate as the guests. (In many cases they might actually say that the on-site staff cannot help you troubleshoot your wi-fi connection.) When you have a controlled network you can enforce draconian security policies. But if you do it wrong, your guests will complain about the poor service and poor Internet connection you provided them.
    Again, the password is nothing more than "hotelwifi." Not difficult, no overhead required. Windows, Linux, and MacOS are both nice enough to even pop a box up and say "hey you need a password." No checkboxes are even needed to be checked. I have yet to see a laptop that ran an OS that was at least Windows 98SE that had problems with that, and I have worked on TONS of machines. (Granted the wireless capability came from third party software, but still it worked flawlessly...)

    The hotel is not concerned with security. The only reason they are offering wi-fi is because everyone else is doing it. Therefore, to be competitive, they offer just enough service to compete with other hotels. That does not have to include encryption, and the hotel makes no guarantee as such. Besides, just because you include WPA does not guarantee that your guests will not be sending spam from their computers (whether voluntarily or involuntarily).
    You are correct that including security measures to keep outside people off of your network does not guarantee your guests won't be sending spam, however I think it is a nice first step before closing ports off.

  8. #8
    Join Date
    Feb 2008
    Location
    Montreal, QC
    Posts
    18
    I don't work with residential linksys routers but how many keys can you setup? changing the key on a set schedule will disrupt current guests who got the key and have not left.

    The issue here is still irrelevant, you are missing the point. I would be willing to bet money that the spam is being sent by zombie software installed on the laptops of these individuals. It would be quite difficult to send millions of messages through basic network connection as such, especially over wireless, and on top of that, what spammer sending millions of messages is going to use a wireless access point within reach of his house... this does not fit the profile of "professional spamming" and port25 block is still the most effective/economical/low-impact solution I think this site could deploy.

    It is actually *very* common these days for isp's to block port25 connections to anything accept their own server. They only allow connections to their smtp servers, and sending your own mail through their servers is sure to result in a poor delivery success rate considering anti-spam/spf/etc these days. Most hosting companies now give you an alternate port to send mail which also requires authentication, for example 26 is quite popular.
    Last edited by uptimearchive; 02-12-2008 at 06:12 PM.

  9. #9
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    I think both sides have made good points.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  10. #10
    Join Date
    Mar 2004
    Location
    Sweden
    Posts
    72
    set up a smtp rate limiting on your smtpserver. forward all smtp trafik from the router to it. Now you can controll all emails. A spammer would not want to wait minutes to send his messages. A regular user can still send emails as long hi does not hit the rate limit.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •