North American Network Operators Group

Re: Stopping open proxies and open relays

  • From: Guðbjörn S. Hreinsson
  • Date: Wed Feb 18 03:59:43 2004

> >I am looking for ideas to stop the spam created by compromised Windows 
> >PC's. This is not about the various worms and viruses replicating but 
> >these boxes acting as open relays or open proxies.
> >
> >There are valid reasons not to run antivirus software, coupled with 
> >clueless users, this results in machines that SPAM again just a few hours 
> >after having been cleaned.
> 
> First step is correctly to specify the system's properties.
> 
> Yours is not a technical issue but one of user negligence. You have
> to build the solution around this fact.

I don't agree with this. It's almost impossible to "secure" Windows machines. 
Even applying all patches as soon as they come out doesn't make sure you 
are "safe". Given, this applies to all operating systems, but the rate of Windows 
patches is sure to throw users into a state of "this is impossible to keep up". 
I've seen machines become compromised even when fully patched only to 
realize what happened when the next MS patch came out - just look at how 
long it took MS to fix the ASN.1 issue.

We can't continue to blame end users for negligence but also keep delivering 
crappy software to them. Why not blame Microsoft? Why not blame legislation 
for allowing vendors to deliver insecure applications and systems?

> Curative measures that have worked elsewhere are:
> 
> 1-Scan every client when it accesses

What are you going to scan for? Specific ports or all ports? That's going 
to take a while and who knows what's going to happen to the guy on the 
other line. Keep in mind that the current spam proxies do not listen on 
fixed ports and they change quite often. While you scan the proxy app 
may even move from an unscanned port to a scanned port. So a client 
you thought secure is not.


Rgsd,
-GSH