|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
Suresh Ramasubramanian wrote: MAAWG's port 25 management document is kind of based on consensus. Joe is a senior tech advisor at MAAWG. contributed substantially to that document .. and those two presentations were made at a maawg (san diego in 2005 if I remember right) so .. Joe also pointed out the biggest problem with blocking port 25; it pushes the abuse towards the smarthosts. This creates a lot of issues. Smarthosts have to be regulated more closely. Support must be increased to deal with customers that have legitimate large scale outbound needs and will need smarthost restrictions lifted. A certain amount of spam leakage must be expected out of the smarthost, but most recipients won't know or take the time to tell the difference. This leads to more blocking of the smarthosts, which causes more issues for a larger number of customers. I'd rather monitor and filter traffic patterns on port 25 (and the various other ports that are also often spewing other things) than block it. It's not unusual to see tcp/25 spewing at the same time as udp/135 and tcp/445 or even tcp/1025. A detection of both network scans and correlating inbound connections to outbound tcp/25 leads to a lot of good proactive automation. Spam abuse may be the most publicly annoying use of trojans/bots, but it's probably the least destructive use (debatable). Jack
|