nanog mailing list archives
Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
From: Jack Bates <jbates () brightok net>
Date: Mon, 18 Jun 2007 11:32:59 -0500
Suresh Ramasubramanian wrote:
MAAWG's port 25 management document is kind of based on consensus. Joe is a senior tech advisor at MAAWG, contributed substantially to that document .. and those two presentations were made at a MAAWG (San Diego in 2005 if I remember right) so ..
Joe also pointed out the biggest problem with blocking port 25; it pushes the abuse towards the smarthosts. This creates a lot of issues. Smarthosts have to be regulated more closely. Support must be increased to deal with customers that have legitimate large scale outbound needs and will need smarthost restrictions lifted. A certain amount of spam leakage must be expected out of the smarthost, but most recipients won't know or take the time to tell the difference. This leads to more blocking of the smarthosts, which causes more issues for a larger number of customers.
I'd rather monitor and filter traffic patterns on port 25 (and the various other ports that are also often spewing other things) than block it. It's not unusual to see tcp/25 spewing at the same time as udp/135 and tcp/445 or even tcp/1025. A detection of both network scans and correlating inbound connections to outbound tcp/25 leads to a lot of good proactive automation. Spam abuse may be the most publicly annoying use of trojans/bots, but it's probably the least destructive use (debatable).
Jack
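The correlation described in the message above, as an added example that is not part of the original post or of any tool it mentions: per source host, count distinct destinations on tcp/25 and on the scan ports the post names within one time window, and treat the two patterns together as the strong signal. The flow tuple layout, address ranges, window size and thresholds are all assumptions, and the flow records are constructed.

```python
import ipaddress
from collections import defaultdict

CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed customer range (TEST-NET-1)
SCAN_PORTS = {("udp", 135), ("tcp", 445), ("tcp", 1025)}  # ports named in the post
SMTP = ("tcp", 25)
WINDOW = 300       # seconds per bucket (assumed)
SMTP_FANOUT = 5    # distinct tcp/25 destinations per window (assumed threshold)
SCAN_FANOUT = 10   # distinct scan-port destinations per window (assumed threshold)

def sample_flows():
    """Constructed flow records: (seconds, src, dst, proto, dst_port)."""
    flows = []
    for i in range(12):   # 192.0.2.10 sweeps a range on tcp/445 and udp/135
        proto, port = ("tcp", 445) if i % 2 else ("udp", 135)
        flows.append((i, "192.0.2.10", f"198.51.100.{i + 1}", proto, port))
    for i in range(6):    # ...and opens tcp/25 to six different hosts
        flows.append((20 + i, "192.0.2.10", f"203.0.113.{i + 1}", "tcp", 25))
    for i in range(8):    # 192.0.2.20: customer mail server, SMTP only
        flows.append((30 + i, "192.0.2.20", f"203.0.113.{i + 50}", "tcp", 25))
    flows.append((40, "192.0.2.30", "203.0.113.200", "tcp", 25))  # one relay
    return flows

def classify(flows):
    """Map each customer source IP to a verdict from its per-window fan-out."""
    seen = defaultdict(lambda: {"smtp": set(), "scan": set()})
    for ts, src, dst, proto, port in flows:
        if ipaddress.ip_address(src) not in CUSTOMER_NET:
            continue   # only outbound flows from customer space
        bucket = seen[(src, ts // WINDOW)]
        if (proto, port) == SMTP:
            bucket["smtp"].add(dst)
        elif (proto, port) in SCAN_PORTS:
            bucket["scan"].add(dst)
    verdicts = {}
    for (src, _), b in seen.items():
        smtp_hit = len(b["smtp"]) >= SMTP_FANOUT
        scan_hit = len(b["scan"]) >= SCAN_FANOUT
        if smtp_hit and scan_hit:
            verdicts[src] = "quarantine-candidate"   # both patterns together
        elif (smtp_hit or scan_hit) and src not in verdicts:
            verdicts[src] = "review"                 # one pattern alone
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(classify(sample_flows()).items()):
        print(host, verdict)
```

The SMTP-only host lands in "review" rather than "quarantine-candidate", which keeps a customer running a legitimate mail server from being handled the same way as a host that is scanning and sending at once.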