North American Network Operators Group


Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)

  • From: Suresh Ramasubramanian
  • Date: Mon Jun 18 07:32:46 2007

On 6/17/07, Jeroen Massar <[email protected]> wrote:

> IMHO ISPs should per default simply feed port 25 outbound through their
> own SMTP relays. BUT always have a very easy way (eg a Control Panel
> behind a user/pass on a website) to disable this kind of filtering. This

Y'know, port 25 is just the tip of the iceberg when it comes to what all an infected host can do .. which is why quite a lot of ISPs (Bell Canada is particularly good at it, as are some others) are getting good at deploying "Walled Gardens" - vlan the infected host into its own little sandbox from where it can access only windows update, AV update sites and the ISP's support pages, nothing else, on any port.

The user has to fix (disinfect, reimage, whatever) his host before he
contacts the ISP support desk and gets let back onto their network.
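As an added illustration of the "walled garden" described above (this is example code written for this page, not anything from the thread or from any ISP's deployment), the POSIX shell script below generates an nftables ruleset for a quarantine VLAN: hosts on that VLAN may reach only the ISP resolver, the ISP support portal and the OS/AV update prefixes, on any other port or destination the traffic is logged and dropped, and nothing may initiate connections toward the quarantined hosts. The interface name, resolver address, portal address and update prefixes are constructed placeholders from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example: build an nftables ruleset for an ISP quarantine ("walled
# garden") VLAN. Every value below is a constructed placeholder.

QUARANTINE_IF="vlan666"                           # placeholder: VLAN holding infected hosts
ISP_DNS="192.0.2.53"                              # placeholder: ISP recursive resolver
SUPPORT_PORTAL="192.0.2.80"                       # placeholder: ISP support pages
UPDATE_PREFIXES="198.51.100.0/24 203.0.113.0/24"  # placeholders: OS/AV update networks

# Emit the ruleset on stdout. Kept as a function so it can be piped into
# `nft -f -` or checked with `nft -c -f -` without touching a live box.
gen_quarantine_ruleset() {
  printf 'table inet walled_garden {\n'

  # Destination set for update servers; "flags interval" allows CIDR entries.
  printf '  set update_sites {\n    type ipv4_addr\n    flags interval\n    elements = { '
  first=1
  for p in $UPDATE_PREFIXES; do
    if [ "$first" -eq 1 ]; then first=0; else printf ', '; fi
    printf '%s' "$p"
  done
  printf ' }\n  }\n'

  # Forward hook: normal customers are untouched (policy accept); traffic from
  # the quarantine VLAN is sent to the restrictive chain, and only replies to
  # connections the quarantined host opened may flow back toward it.
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy accept;\n'
  printf '    iifname "%s" jump quarantine\n' "$QUARANTINE_IF"
  printf '    oifname "%s" ct state established,related accept\n' "$QUARANTINE_IF"
  printf '    oifname "%s" counter drop\n' "$QUARANTINE_IF"
  printf '  }\n'

  # Quarantine chain: allow-list of DNS, support portal and update sites over
  # HTTP/HTTPS; everything else (including outbound port 25) is logged and dropped.
  printf '  chain quarantine {\n'
  printf '    ip daddr %s udp dport 53 accept\n' "$ISP_DNS"
  printf '    ip daddr %s tcp dport { 80, 443 } accept\n' "$SUPPORT_PORTAL"
  printf '    ip daddr @update_sites tcp dport { 80, 443 } accept\n'
  printf '    log prefix "walled-garden-drop " counter drop\n'
  printf '  }\n'

  printf '}\n'
}

# Syntax-check the generated ruleset if nft is installed; prints a note otherwise.
check_quarantine_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    gen_quarantine_ruleset | nft -c -f -
  else
    echo "nft not available; skipping syntax check" >&2
  fi
}

gen_quarantine_ruleset
```

Load it with `gen_quarantine_ruleset | nft -f -` on the router that terminates the quarantine VLAN, after `check_quarantine_ruleset` passes. One design point worth noting: IP allow-lists for Windows Update and AV vendors churn because those services sit behind CDNs, so a deployable walled garden usually pairs a rule set like this with the ISP's own resolver answering only for the permitted names and redirecting everything else to the support portal, which is also where the "you are quarantined, here is how to clean up" message is shown.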