Re: Quarantine your infected users spreading malware

[Gadi Evron <ge () linuxbox org>]

Frank Bulk wrote:
> We're one of those user/broadband ISPs, and I have to agree with the other
> commentary that to set up an appropriate filtering system (either user,
> port, or conversation) across all our internet access platforms would be
> difficult.  Put it on the edge and you miss the intra-net traffic, put it in
> the core and you need a box on every router, which for a larger or
> graphically distributed ISPs could be cost-prohibitive.

I have a question here, do you have repeat offenders in your abuse desk 
who are of the malware-sort rather than bad people? Can these be put in 
a specific group?

> In relation to that ThreatNet model, we just could wish there was a place we
> could quickly and accurately aggregate information about the bad things our
> users are doing -- a combination of RBL listings, abuse@, SenderBase,
> MyNetWatchman, etc.  We don't have our own traffic monitoring and analysis
> system in place, and even if we did, I'm afraid our work would still be very
> reactionary.
>
> And for the record, we are one of those ISPs that blocks ports 139 and 445
> on our DSLAM and CMTS, and we've not received one complaint, but I'm
> confident it has cut down on a host of infections.

Would you happen to have statistics on how far it did/didn't help reduce 
abuse reports, tech support calls, etc.?

Thanks!

> Frank

        Gadi.