North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Time to check the rate limits on your mail servers

  • From: Jason Frisvold
  • Date: Thu Feb 03 12:19:40 2005
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta;; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=fSTcOqc6050iDaXevgRiglxiLWcQmrtBaMIluOTsng1Y0kQbT8BgQTYEm/5x+STxWS6cTCDgdlnPEKcThfpcO5aolzj2VnHmXd/OvOcDvYcCxgydULsHm9sOLa813G9GRexigwOFGFMtG8gJTFldRDNezLbOTifEHwtp4OR/C5k=

On Thu, 03 Feb 2005 17:54:28 +0200, Gadi Evron <[email protected]> wrote:
> Still, please tell me, how is not blocking un-used or un-necessary ports
> a bad thing? It is a defensive measure much like you'd add barricades
> before an attack.

Agreed.  And depending on your service, there are different ports
worth blocking.  For residential users, I can't see a reason to not
block something like Netbios.  And blocking port 25 effectively
prevents zombies from spamming.  Unfortunately, it also blocks
legitimate users from being able to use SMTP AUTH on a remote server..
> They now evolved, and are using user-credentials and ISP-servers. This
> evolution means that their capabilities are severely decreased, at least
> potentially.

Has this been confirmed?  Does this new worm, in fact, use SMTP AUTH
where necessary?  Will it also check the port that the user's computer
is set to send mail on?  So, for instance, if SMTP AUTH is required,
and the mail submission port is being used rather than standard port
25, will the worm detect all this?

The nice part about SMTP AUTH, though, is that there is at least a
direct link to the user sending the spam.  This means, of course, that
ISP's will need to police their users a little better..  :)
> It means ISP's will have to re-think their strategies, just like AOL
> did. It also means it's once small step to victory for us. We are a long
> way from it, and please - not everybody blocks port 25 so current-day
> worms are more than efficient still.

So I guess users will have to stop clicking that "Save Password"
button...  That is, until the worm records the keystrokes when the
password is entered...  *sigh*

>         Gadi.

Jason 'XenoPhage' Frisvold
[email protected]