North American Network Operators Group


Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)

  • From: James Hess
  • Date: Mon Jun 18 22:26:32 2007

On 6/18/07, Suresh Ramasubramanian <[email protected]> wrote:
> On 6/18/07, Jeroen Massar <[email protected]> wrote:
> > Of course, though 25 is (afaik ;) the most abused one that will annoy a
> > lot of other folks with spam, phishings and virus distribution, though
> > the latter seems to have come to a near halt from what I see.
>
> As Joe says (and I agree), trying to fix infected hosts on your
> network by blocking port 25 is like treating lung cancer with cough

Perhaps, but I think someone possibly misunderstood the goal behind blocking port 25. It doesn't "fix" an infected host; the point is to mitigate one of the attack vectors by which the infection could spread to new clean hosts, to reduce the range of possible attacks/spreading techniques an infected host could launch -- in some cases, the spread will stop entirely, if the particular software spreads only by connecting to destination mail servers on port 25, and while the hosts may still be infected, there is much less harm (in terms of automatically spamming and spreading to other hosts) that will be possible, with port 25

Preventing hosts from SMTP'ing out just anywhere they like creates a new hurdle for any infection to get over to spread; now any malware suddenly needs to figure out an SMTP server to use, and a username and password to use with SMTP authentication, and any other restrictions imposed by the ISP outgoing MTA.

Think of it as having people infected with TB wearing masks while they are in public.

It certainly doesn't cure them of the disease, that's not the point.
It's for the protection of possible hosts not yet infected by the parasite.

It's no guarantee that the disease doesn't ever spread to someone else, but
the opportunity for airborne spread is slightly reduced, and that's the goal.
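An added example, not part of James Hess's message or of any ISP's real configuration: it simulates the egress policy described above (customer hosts may reach port 25 only via the ISP's own relay, submission on 587 is left alone) over a constructed set of flow records, and then shows the side benefit the thread title is about: a bot that tries direct-to-MX delivery fans out to many distinct destinations and is dropped every time, which makes it easy to pick out as a quarantine candidate. The customer pool 198.51.100.0/24, the relay 203.0.113.25 and every flow record are hypothetical (RFC 5737 documentation ranges); the nftables fragment at the end renders the same policy for an operator to review.

```python
# Added example, not from the NANOG thread or from any ISP's real ruleset.
# It simulates the egress policy described in the message (customer hosts may
# reach port 25 only via the ISP's own relay) and then shows why the policy
# also helps *find* infected hosts: a bot that tries direct-to-MX delivery
# fans out to many distinct destinations and gets dropped every time.
# All addresses below are hypothetical (RFC 5737 documentation ranges) and
# the flow records are constructed sample data.
from collections import defaultdict
import ipaddress

CUSTOMER_POOL = ipaddress.ip_network("198.51.100.0/24")   # assumed customer pool
ISP_RELAY = ipaddress.ip_address("203.0.113.25")          # assumed outbound MTA
SMTP_PORT = 25
SUBMISSION_PORT = 587   # authenticated submission, deliberately left open


def egress_allowed(src, dst, dport):
    """Policy decision for one flow leaving the customer network.

    Port 25 from the customer pool is allowed only to the ISP relay.
    Submission (587) and all other ports are untouched by this policy,
    and traffic that does not originate in the pool is out of scope.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip not in CUSTOMER_POOL:
        return True
    if dport == SMTP_PORT:
        return dst_ip == ISP_RELAY
    return True


# Constructed flow records: (src, dst, dport, packets). Not real traffic.
FLOWS = [
    ("198.51.100.10", "203.0.113.25", 25, 40),   # legit mail via the ISP relay
    ("198.51.100.11", "203.0.113.25", 587, 12),  # authenticated submission
    ("198.51.100.10", "192.0.2.80", 80, 300),    # ordinary web traffic
    ("198.51.100.11", "192.0.2.10", 25, 3),      # one stray direct-to-MX attempt
    ("203.0.113.25", "192.0.2.10", 25, 40),      # the relay itself delivering out
    # a spambot on .42 trying to deliver straight to six different MXs
    ("198.51.100.42", "192.0.2.10", 25, 5),
    ("198.51.100.42", "192.0.2.11", 25, 5),
    ("198.51.100.42", "192.0.2.12", 25, 5),
    ("198.51.100.42", "192.0.2.13", 25, 5),
    ("198.51.100.42", "192.0.2.14", 25, 5),
    ("198.51.100.42", "192.0.2.15", 25, 5),
]


def apply_policy(flows):
    """Split flow records into (permitted, dropped) under egress_allowed."""
    permitted, dropped = [], []
    for flow in flows:
        src, dst, dport, _ = flow
        (permitted if egress_allowed(src, dst, dport) else dropped).append(flow)
    return permitted, dropped


def spambot_candidates(dropped, min_distinct_dst=5):
    """Customer hosts whose dropped port-25 flows fan out to many destinations.

    A single blocked attempt is usually a misconfigured client; a host that
    keeps hitting many distinct MX addresses on 25 is behaving like a bot.
    Returns {src: number_of_distinct_destinations} for hosts at or over the
    threshold.
    """
    fanout = defaultdict(set)
    for src, dst, dport, _ in dropped:
        if dport == SMTP_PORT:
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items()
            if len(dsts) >= min_distinct_dst}


def nftables_ruleset():
    """Render the same policy as an nftables fragment an operator could review."""
    return (
        "table inet smtp_egress {\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        f"    ip saddr {CUSTOMER_POOL} ip daddr {ISP_RELAY} tcp dport {SMTP_PORT} accept\n"
        f"    ip saddr {CUSTOMER_POOL} tcp dport {SMTP_PORT} counter drop\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    permitted, dropped = apply_policy(FLOWS)
    print(f"permitted {len(permitted)}, dropped {len(dropped)}")
    print("quarantine candidates:", spambot_candidates(dropped))
    print(nftables_ruleset())
```

The threshold in spambot_candidates is the operator's call: the stray single attempt from .11 is what a misconfigured mail client looks like and should go to a help-desk notice, not a quarantine VLAN, while the six-way fan-out from .42 is the signature the block both stops and exposes.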