North American Network Operators Group

Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)

  • From: Suresh Ramasubramanian
  • Date: Tue Jun 19 11:38:22 2007


On 6/19/07, Leigh Porter <[email protected]> wrote:
Agreed, SMTP is not really a special vector, other than its obvious
commercial spam use. So just block all the usual virus vector ports,
block 25 and force people to use your own SMTP servers and the problem
(this particular one) goes away..

No. The part of it you target (outbound spam) merely relocates itself, and your SMTP servers become huge spam sinks. Filter all you want and you'll still leak spam unless you take those hosts down.

And in the meantime those hosts will also be launching DoS attacks,
hosting "fast flux" pills / warez / kiddy pr0n sites, carrying out id
/ card theft .. best to isolate and take them down.

You can port block at your edge till you burst and you'll still be in
a lot of hot water.

--
Suresh Ramasubramanian ([email protected])