Full Disclosure mailing list archives
Re: Proposal: how to notify owners of compromised PC's
From: petard <petard () freeshell org>
Date: Thu, 29 Jan 2004 04:36:25 +0000
On Wed, Jan 28, 2004 at 09:20:24PM +0100, Thomas Zangl - Mobil wrote:
As I said before, the ISP _HAS_ to provide an alternative mail relay, open for every FROM address the user wishes to use. (If it's legal or not, that's another point). If you really need access to YOUR smtp server, it should be possible to configure your MTA to listen to an alternative port than 25 too. I use this kind of setup for myself as I'm "smtp firewalled" the way I've described above.
You don't understand. My organization (example.com) has its MTAs configured such that we ONLY accept mail claiming to be FROM example.com if it is relayed by MSAs which ONLY accept mail from our users, who can only connect to those using TLS connections which are authenticated using X.509 certificates. I cannot send mail to someone at example.com from my example.com address using any other party's server. It was not *difficult* to configure the various MSAs to listen on alternate ports as well, nor to open the firewalls such that the clients could connect there. But it had to clear a change control process which has some lead time to it. And I had to waste my time and my admin's time working around my ISP.
The benefit (in my opinion) would be greater, in my environment, than the loss of freedom individual users will suffer. In case of static IPs ISPs might be able to offer exceptions.
Unless we fix the clients, the benefit will not be there long term. You *might* see spam confined to spam-friendly ISPs and therefore more easily filtered, but you will not see less malware. There are too many other vectors, and ISPs may not legally be able to virus-check every message they transmit. (They'd certainly *risk* their common carrier status by performing this filtering.) We'll just have malware going through ISP servers, proxies, kazaa, etc. as so much of it already does.

regards,
petard

--
If your message really might be confidential, download my PGP key here: http://petard.freeshell.org/petard.asc and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
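The two-tier acceptance rule described in the message above can be modelled as below. This is an added example, not part of the original post and not the poster's actual configuration. The host names `msa1.example.com` and `relay.isp.example` are constructed, and how the MTA establishes the identity of the relaying host is assumed to be handled elsewhere.

```python
from dataclasses import dataclass
from typing import Optional

OWN_DOMAIN = "example.com"            # domain named in the post
TRUSTED_MSAS = {"msa1.example.com"}   # constructed: the organization's own MSAs


@dataclass(frozen=True)
class Submission:
    """State of a user's connection to an MSA, on port 25 or an alternate port."""
    tls: bool
    client_cert_verified: bool  # X.509 client cert chained to the organization's CA


def sender_domain(mail_from: str) -> str:
    """Domain part of an envelope sender, normalized for comparison."""
    return mail_from.rsplit("@", 1)[-1].lower().rstrip(".")


def msa_accepts(sub: Optional[Submission]) -> bool:
    """MSA rule: only users on TLS with a verified client certificate."""
    return sub is not None and sub.tls and sub.client_cert_verified


def mta_accepts(relay_host: str, mail_from: str) -> bool:
    """MTA rule: mail claiming the own domain must arrive via a trusted MSA."""
    if sender_domain(mail_from) != OWN_DOMAIN:
        return True  # other sender domains are outside this rule
    return relay_host.lower() in TRUSTED_MSAS


def can_deliver(mail_from: str, relay_host: str,
                sub: Optional[Submission] = None) -> bool:
    """Apply both tiers to a message addressed to someone at the own domain."""
    if relay_host.lower() in TRUSTED_MSAS and not msa_accepts(sub):
        return False  # never got past the organization's MSA
    return mta_accepts(relay_host, mail_from)


if __name__ == "__main__":
    cases = [
        ("petard@example.com", "msa1.example.com", Submission(True, True)),
        ("petard@example.com", "relay.isp.example", None),  # ISP's alternative relay
        ("petard@example.com", "msa1.example.com", Submission(True, False)),
        ("someone@other.example", "relay.isp.example", None),
    ]
    for mail_from, relay, sub in cases:
        verdict = "accept" if can_deliver(mail_from, relay, sub) else "reject"
        print(f"{mail_from:24} via {relay:20} -> {verdict}")
```

The second case is the situation the message describes: the ISP's relay is willing to carry the message, but the receiving MTA refuses it because the sender claims the organization's domain and did not come through one of its MSAs.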