nanog mailing list archives

Re: Wired mag article on spammers playing traceroute games with trojaned boxes


From: Michael.Dillon () radianz com
Date: Fri, 10 Oct 2003 11:32:36 +0100


I mentioned before that it doesn't really make much sense with web
hosting because the port can easily be changed so it's not very effective
at all.

Stop thinking of policing the user and start
thinking of providing a security service. The
default setting of the security service might
include a block on port 80 inbound, but if the
user needs to enable this traffic, give them a
web form that they can use to reconfigure their
settings.

Or, if you can't handle such a variety of
individual ACLs on your equipment, give them
the option of buying a broadband router with 
a recommended default config and un-blocked
service.

If the user has to intervene in order to enable
a server type application to function, that
makes it a lot harder for trojan exploits to
take hold.

--Michael Dillon


