North American Network Operators Group


Re: The worst abuse e-mail ever, sverige.net

  • From: Mike Nice
  • Date: Wed Sep 22 11:14:49 2004

> Blocking just hides it. I used to believe in port blocking as the solution
> to many user problems but now I have 3 and 4 page ACLs
> on my border routers.  This does not scale. Yes, I could push this out via
> radius to the NAS but again this does not solve the problem.

> The solution I am working toward is quickly identifying user infections.
> We are almost there. I collect and record
> all traffic from the users going to dark space and am almost finished with
> the system that will identify who held that
> IP at a specific time. It is all in SQL so that is easy.

Our system is similar, except we block port 25 completely via RADIUS after
we detect an outgoing virus or spam, then notify the customer.  This
eliminates the ACLs on the border routers.  The user can still surf freely
to download patches while not causing further damage.  Some users just don't
want to be bothered and just use webmail to send E-mail and keep the block
forever.
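
The dark-space attribution described in the quoted message (match each packet sent to unused address space against whoever held the source IP at that moment), as an added example that is not part of either poster's system. The table layout, column names, sample rows and the three-distinct-destinations threshold are all assumptions; the SQL is run through Python's sqlite3 so it works offline.

```python
import sqlite3

# Constructed sample data: RADIUS accounting sessions (who held which IP, and when).
SESSIONS = [
    ("alice", "10.0.0.5", "2004-09-22 08:00:00", "2004-09-22 09:30:00"),
    ("bob",   "10.0.0.5", "2004-09-22 09:45:00", None),  # same IP reassigned, still online
    ("carol", "10.0.0.9", "2004-09-22 08:10:00", "2004-09-22 12:00:00"),
]
# Constructed sample data: packets observed heading to dark (unallocated) space.
DARK_HITS = [
    ("10.0.0.5", "192.0.2.10", 445, "2004-09-22 09:00:00"),
    ("10.0.0.5", "192.0.2.11", 445, "2004-09-22 09:01:00"),
    ("10.0.0.5", "192.0.2.12", 445, "2004-09-22 09:02:00"),
    ("10.0.0.5", "192.0.2.13", 135, "2004-09-22 10:15:00"),  # after reassignment: bob, not alice
    ("10.0.0.9", "192.0.2.20", 80,  "2004-09-22 11:00:00"),
    ("10.0.0.7", "192.0.2.30", 445, "2004-09-22 11:05:00"),  # no matching session: unattributed
]

# Time-bounded join: a hit belongs to a user only if it falls inside that user's
# session on that IP. An open session (NULL stop_ts) is treated as still running.
ATTRIBUTE_SQL = """
SELECT s.username, COUNT(*) AS hits, COUNT(DISTINCT h.dst_ip) AS targets
FROM dark_hits h
JOIN sessions s
  ON s.framed_ip = h.src_ip
 AND h.ts >= s.start_ts
 AND h.ts <= COALESCE(s.stop_ts, '9999-12-31 23:59:59')
GROUP BY s.username
HAVING COUNT(DISTINCT h.dst_ip) >= ?
ORDER BY targets DESC, s.username
"""

def suspected_infections(min_targets=3):
    """Return (username, hits, distinct_targets) for users at or above the threshold."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (username TEXT, framed_ip TEXT, start_ts TEXT, stop_ts TEXT)")
    db.execute("CREATE TABLE dark_hits (src_ip TEXT, dst_ip TEXT, dst_port INTEGER, ts TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?,?,?,?)", SESSIONS)
    db.executemany("INSERT INTO dark_hits VALUES (?,?,?,?)", DARK_HITS)
    return db.execute(ATTRIBUTE_SQL, (min_targets,)).fetchall()

if __name__ == "__main__":
    for user, hits, targets in suspected_infections():
        print(f"{user}: {hits} dark-space packets to {targets} distinct addresses")
```

The join on the session interval is what keeps a later holder of a reassigned dynamic IP from being blamed for the previous holder's traffic.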