[plug] Blacklisted mail server?

Ben Jensz plug at jensz.id.au
Sat May 6 10:36:02 WST 2006


Alex Nordstrom wrote:
>
> I hope you don't just drop those mails and forget about it. If a machine 
> is spewing things that you are able to detect, it's probably not long 
> before it spews something you don't detect, or before the system moves 
> to a less vigilant ISP.
>
But the majority of connecting IP addresses that you are rejecting etc. 
are compromised hosts, not servers set up as open relays or open 
proxies.  As I said in one of my earlier posts, spammers are harnessing 
botnets which are truly massive in size (thousands of exploited hosts) 
to send spam.  As soon as an ISP gets reports and shuts down an 
exploited host, the damage has already been done and there are more 
compromised hosts coming online for the spammer.

Spammers don't care if only 10% of their email sent reaches the intended 
target.  10% is a bloody large number of messages with the amount of 
spam that is sent.  And the reason why spammers still spam?  Because 
there are bloody morons out there who click on links in spam and buy 
things from the companies that are being advertised in the spam.

They also seem increasingly to like backscatter attacks... which 
is fantastic when you've got Microsoft's best practice for Exchange (and 
the default setting, I believe) of accepting all email for your domain and 
then generating mailer-daemons, after accepting the message, for 
non-existent recipient addresses on your domain.

> I'm actively reporting attacks against my mail server (surprisingly 
> few), against my SSH server, and against my HTTP server (mostly weakly 
> DDoSing Windows machines with UDP port 1900 open to the world, but also 
> Horde and XML RPC exploits these days), and it's frightening to see the 
> complacency amongst ISPs.
>
> <snip>
>
> Most of the time, the messages go through, though, but I wonder if any 
> action is ever taken. I've been nagging several ISPs, including II Net, 
> to drop UDP 1900 at their network borders, and you can tell they don't 
> listen, because the zombie HTTP pings just keep coming.
>
But the real issue is that the majority of spam you receive won't be 
coming from Australian ISP users.  It will be coming from overseas.  But 
the majority of the exploited users who are connected to 
Australian ISPs will be used to send spam to overseas 
destinations.  This is what I see 95% of the time with customers being 
exploited... the spam destination is pretty much always overseas.

So no matter what Australian ISPs do to prevent spam originating from 
their users, it doesn't really stop spam from being sent to you as such.

Westnet has a port blocking system (that users can turn off, but is on 
by default) that blocks a fair variety of ports.  Details here: 
http://support.westnet.com.au/al/12/1/article.asp?aid=1213&tab=search&bt=4n

I think several other Australian ISPs also block certain ports for 
customers (particularly for those on dynamic IP ranges), so some ISPs do 
have measures in place to protect some of their customers against certain 
things.

But there is no silver bullet solution.  When dealing with anything such 
as this, what is deemed to be a good technical solution may not be what 
is practical for your customers, and there does have to be a point where 
customers are taking some level of responsibility in securing their 
computers, in that they should be using anti-virus software if they are 
running Windows, and should be firewalling their system no matter what 
OS they are running (yes, Linux included).


/ Ben
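The backscatter problem Ben describes (an MTA that accepts every message for its domain and only afterwards generates a bounce for non-existent recipients) can be made concrete with a small simulation. The following is an added example, not code from the post or from any ISP's or vendor's system: a toy MTA run in two configurations over a constructed batch of envelopes with forged senders. The domain, mailbox names and addresses are all made up for the illustration; the point is that "reject at RCPT TO" produces no bounces to third parties, while "accept then bounce" turns the receiving server into a spam source for whoever the spammer forged as sender.

```python
"""Toy MTA: SMTP-time recipient rejection versus accept-then-bounce (backscatter)."""
from dataclasses import dataclass, field

# Constructed sample domain and the mailboxes that actually exist on it.
LOCAL_DOMAIN = "example.com"
VALID_MAILBOXES = {"alice", "bob", "postmaster"}


@dataclass
class Envelope:
    mail_from: str  # envelope sender; spammers forge this, "" models the null sender <>
    rcpt_to: str    # envelope recipient at our domain


@dataclass
class MtaResult:
    accepted: int = 0
    rejected_at_rcpt: int = 0
    bounces_sent: list = field(default_factory=list)  # (destination, reason)


def rcpt_is_local_and_valid(rcpt: str) -> bool:
    """True if the recipient is one of our real mailboxes (case-insensitive)."""
    local, _, domain = rcpt.rpartition("@")
    return domain.lower() == LOCAL_DOMAIN and local.lower() in VALID_MAILBOXES


def process_batch(envelopes, verify_recipient_at_rcpt: bool) -> MtaResult:
    """Run a batch of envelopes through the toy MTA.

    verify_recipient_at_rcpt=False models "accept everything for the domain,
    bounce later": unknown recipients are only noticed after the message is
    queued, so the only way to report failure is a DSN to the envelope sender,
    which for spam is an innocent third party (backscatter).
    verify_recipient_at_rcpt=True answers RCPT TO for unknown users with a
    550 during the SMTP dialogue, so nothing is queued and no DSN is created.
    """
    result = MtaResult()
    for env in envelopes:
        valid = rcpt_is_local_and_valid(env.rcpt_to)
        if verify_recipient_at_rcpt and not valid:
            # "550 5.1.1 User unknown": the connecting host owns the failure.
            result.rejected_at_rcpt += 1
            continue
        result.accepted += 1
        if not valid and env.mail_from:
            # Already accepted, so a bounce goes to the (forged) sender.
            # The null sender <> never receives a bounce, per RFC 5321.
            result.bounces_sent.append((env.mail_from, f"unknown user {env.rcpt_to}"))
    return result


def backscatter_victims(result: MtaResult) -> list:
    """Third-party addresses that would receive our bounces, sorted and de-duplicated."""
    return sorted({dest for dest, _ in result.bounces_sent})


# Constructed batch: a dictionary-style spam run forging one innocent sender,
# one spam with a null sender, and one legitimate message.
SAMPLE_BATCH = [
    Envelope("innocent@victim.example.org", "alice@example.com"),    # exists: delivered
    Envelope("innocent@victim.example.org", "aaron@example.com"),    # no such user
    Envelope("innocent@victim.example.org", "abigail@example.com"),  # no such user
    Envelope("", "zzz@example.com"),                                 # null sender, no such user
    Envelope("partner@example.net", "Bob@Example.COM"),              # exists: delivered
]

if __name__ == "__main__":
    for mode in (False, True):
        r = process_batch(SAMPLE_BATCH, verify_recipient_at_rcpt=mode)
        print(f"verify_at_rcpt={mode}: accepted={r.accepted} "
              f"rejected={r.rejected_at_rcpt} bounces={len(r.bounces_sent)} "
              f"victims={backscatter_victims(r)}")
```

Running it shows the accept-all configuration sending two bounces to `innocent@victim.example.org`, an address that never sent anything, while the verifying configuration rejects the same three messages in-session and generates none.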



