Full Disclosure mailing list archives

Re: Proposal: how to notify owners of compromised PC's


From: Åke Nordin <rootmoose () telia com>
Date: Fri, 30 Jan 2004 01:41:02 +0100


Hi there, I'm new here. <bait/> ;^)

This thread should probably die soon, but...

At 02:31 2004-01-29 -0600, Phil Brutsche wrote:
> petard wrote:
> >  . . .
> > At any rate, blocking port 25 is a half-assed solution to a problem that
> > needs to be solved at the MUA, not the MTA or MSA.
>
> Someone's irresponsible use of their MUA is not the only problem. Blocking
> outbound TCP port 25 stops a virus/worm and spam problem that's caused by
> more than just crap like the Mydoom variants.
>
> It may be "half-assed" but it's easier and more effective than getting
> you-know-who to fix their sorry excuses for mail clients and/or getting
> end users to not be such morons.

Yes, as a quick and dirty solution it is indeed effective. And the sad,
misled, blackhat-toting types win another victory: the Net abandons yet
another set of RFC requirements. ISPs strangling outbound SMTP makes me
think of the Redmond way of "fixing" problems. This may be an entirely
appropriate analogy since the root cause is the inbreeding that plagues
the Net, where the vast majority of systems have the same exploitable
bugs.

The ability to make a direct connection from the sending MUA to the MX of
the receiver is a critically important feature for at least two reasons
that have not been mentioned in this thread:

 - Sensitive information you don't want lying around in a third party
   mail spool (if I were opposing the dictatorship, I would certainly
   not want them to trawl for my mails at a convenient central mail hub).

 - Nomadic users may in certain situations not even know which is their
   upstream provider's accepted mail relay. Relentlessly reconfiguring
   your MUA's SMTP using wild guesses of working mail relay names is not
   my kind of fun, and I don't think I'm alone in using CygWin on my
   "Corporate Standards Compliant" notebook just to run a reasonably
   respectable and dependable MTA for my mail routing.

It is noteworthy that telia.com loudly announced that they would block
outgoing SMTP, but rather quietly ceased doing so. The period of SMTP
blocking must have been very brief, since I can't recall it ever affecting
me, and at the time telia.com was my sole access. They do however scan
mails that pass their servers, replacing positives with notifiers and
a copy of the headers of the deleted mail and instructions on how to
circumvent the scanning should the positive be a false one.

Cheers,


-- 
  .
 /Ake Nordin       +46704-660199       rootmoose () telia com
 Duston Sickler: "There are only 10 types of people in the
 world, those who understand binary and those who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
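The thread weighs a blanket outbound TCP/25 block against the legitimate direct-to-MX delivery the post above defends. A middle ground that fits the thread's subject (notifying owners of compromised machines) is to watch flow records for hosts that talk to many distinct remote MX hosts on port 25 in a short window: a nomadic user delivering directly touches a handful of destinations, a worm touches hundreds. The following is an added example, not code from the original post or from any ISP mentioned in it; the flow format, the `TRUSTED_RELAYS` address and the thresholds are assumptions, and the sample flows are constructed.

```python
"""Flag likely direct-to-MX spam bots from flow records (added example).

Rather than blocking outbound TCP/25 for everyone, count how many distinct
destination hosts each source contacts on port 25 inside a sliding window.
Connections to the ISP's own relay are exempt, so ordinary MUA submission
via the provider's relay never trips the detector.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ISP relay address (documentation range); traffic to it is not counted.
TRUSTED_RELAYS = {"198.51.100.25"}


def build_sample_flows():
    """Constructed sample flow records: 'ISO-timestamp src dst dport' per line."""
    lines = []
    base = datetime(2004, 1, 29, 2, 31, 0)
    # An infected host: 40 distinct remote MX hosts within two minutes.
    for i in range(40):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 192.0.2.{i + 1} 25")
    # A nomadic user delivering directly to three recipients' MX hosts.
    for i, dst in enumerate(["203.0.113.7", "203.0.113.8", "203.0.113.9"]):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 {dst} 25")
    # An ordinary client submitting 50 mails through the ISP relay (exempt).
    for i in range(50):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 198.51.100.25 25")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the assumed flow format into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_suspects(records, window=timedelta(minutes=10), threshold=20):
    """Return {src: peak distinct port-25 destinations} for sources that
    reach `threshold` distinct non-relay destinations within `window`."""
    history = defaultdict(list)  # src -> [(timestamp, dst), ...] inside window
    suspects = {}
    for ts, src, dst, dport in sorted(records):
        if dport != 25 or dst in TRUSTED_RELAYS:
            continue
        hist = history[src]
        hist.append((ts, dst))
        # Expire entries that have fallen out of the sliding window.
        while hist and ts - hist[0][0] > window:
            hist.pop(0)
        distinct = len({d for _, d in hist})
        if distinct >= threshold:
            suspects[src] = max(suspects.get(src, 0), distinct)
    return suspects


if __name__ == "__main__":
    for src, count in find_suspects(parse_flows(build_sample_flows())).items():
        print(f"notify owner of {src}: {count} distinct MX hosts on tcp/25")
```

Only 10.0.0.5 is reported; the nomadic user's three direct deliveries and the relay-only client stay below the threshold or are exempt, which is the point: the notification path targets the behaviour the thread is worried about without removing direct MUA-to-MX delivery for everyone.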