[plug] Blacklisted mail server?

Alex Nordstrom lx at se.linux.org
Sat May 6 11:15:40 WST 2006


Saturday, 6 May 2006 10:36, Ben Jensz wrote:
> Alex Nordstrom wrote:
> > I hope you don't just drop those mails and forget about it. If a
> > machine is spewing things that you are able to detect, it's
> > probably not long before it spews something you don't detect, or
> > before the system moves to a less vigilant ISP.
>
> But the majority of connecting IP addresses that you are rejecting
> etc. are compromised hosts.  Not servers set up as open relays or open
> proxies.

Either way, the person responsible for the system can't do anything 
about it unless they know about it.

> As I said in one of my earlier posts, spammers are 
> harnessing bot nets which are truly massive in size (thousands of
> exploited hosts) to send spam.  As soon as an ISP gets reports and
> shuts down an exploited host, the damage has already been done and
> there are more compromised hosts coming online for the spammer.

Bot nets operate by using exploited systems to find other exploitable 
systems, so if you stop one, you *will* prevent some others from being 
exploited. It seems like you're saying that it's such a big problem 
that we should ignore it.

> But the real issue is that the majority of spam you receive won't be
> coming from Australian ISP users.  It will be coming from overseas.

I don't particularly care where spam or security attacks originate. I 
have only two .au e-mail addresses out of just over a dozen, so those 
who target Australian addresses in particular are not of any special 
interest to me. Also, I do get plenty of DDoS attempts and SSH attack 
attempts from within Australia, probably proportional to what you see 
from European countries when adjusted for infrastructure size.

> But the majority of the users being exploited who are connected to
> Australian ISPs will be being used to send spam to overseas
> destinations.  This is what I see 95% of the time with customers
> being exploited... the spam destination is pretty much always
> overseas.
>
> So no matter what Australian ISPs do to prevent spam originating from
> their users, it doesn't really stop spam from being sent to you as
> such.

So since reporting exploit attempts from Australian systems doesn't 
reduce spam sent to Australians, I shouldn't bother?

> I think several other Australian ISPs also block certain ports for
> customers (particularly for those on dynamic IP ranges), so some ISPs
> do have measures in place to protect some of their customers for
> certain things.

Yes, II Net blocks 22, 25, 80 (and perhaps a few more) by default. I 
just wish more ISPs would block UDP 1900 as well. I think few people 
realise how frequently used that vulnerability is, and there is no reason 
for a LAN discovery protocol to traverse the Internet.

> But there is no silver bullet solution.  When dealing with anything
> such as this, what is deemed to be a good technical solution may not
> be what is practical for your customers, and there does have to be a
> point where customers are taking some level of responsibility in
> securing their computers. 

And they will never do that unless their ISPs show them that they are 
accomplices in computer intrusions and porn spam operations, which is 
why ISPs need to take a more active stance, grow some balls, and start 
following up on offenders that just happen to be their customers.

> In that they should be using anti-virus 
> software if they are running Windows, and should be firewalling their
> system no matter what OS they are running (yes, Linux included).

A well-configured Linux system *is* a firewall. The reason Windows needs 
firewalls is to prevent programs and malware from listening to ports 
they shouldn't be listening to. It's the same ex post facto approach as 
using anti-virus programs instead of fixing the security holes.

-- 
Alex Nordstrom
http://lx.n3.net/
Please do not CC me in followups; I am subscribed to plug.
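The point made at the top of the message is that rejected connections should be turned into reports to the network owner rather than silently dropped. The script below is an added example written for this thread, not code from the post or from any project it mentions: it parses Postfix-style smtpd reject lines, aggregates them per source IP (count, first and last seen, hostnames, reject reasons), and renders a plain-text block per host that could be pasted into an abuse report. The log lines are constructed samples, the regex is an assumption about the log format, and the year is supplied by the caller because syslog timestamps carry none.

```python
"""Aggregate SMTP rejects per source IP for abuse reporting.

Added example for the discussion above; not code from the original post.
The sample log lines are constructed, the regex assumes a Postfix-style
'NOQUEUE: reject:' format, and the report layout is an assumption.
"""
import re
from datetime import datetime

# Constructed sample log lines (not from a real mail server).
SAMPLE_LOG = """\
May  6 09:01:12 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.net> to=<me@example.com> proto=ESMTP helo=<host>
May  6 09:02:40 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<b@example.net> to=<me@example.com> proto=ESMTP helo=<host>
May  6 09:10:05 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from dyn-1-2.example-isp.net[198.51.100.77]: 450 4.7.1 Client host rejected: cannot find your hostname; from=<c@example.org> to=<me@example.com> proto=SMTP helo=<localhost>
May  6 09:11:30 mx postfix/smtpd[1241]: connect from legit.example.com[192.0.2.10]
May  6 09:15:00 mx postfix/smtpd[1242]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<d@example.net> to=<me@example.com> proto=ESMTP helo=<host>
"""

# Assumed Postfix-style reject line: timestamp, host, daemon, reject text.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) \S+ (?P<reason>[^;]+)"
)


def summarise_rejects(log_text, year=2006):
    """Return {ip: {count, first_seen, last_seen, hostnames, reasons}}.

    Lines that are not rejects (accepted connections, other daemons)
    are skipped. The year is an assumption because syslog omits it.
    """
    per_ip = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = per_ip.setdefault(m["ip"], {
            "count": 0, "first_seen": ts, "last_seen": ts,
            "hostnames": set(), "reasons": set(),
        })
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["hostnames"].add(m["host"])
        entry["reasons"].add(f"{m['code']} {m['reason'].strip()}")
    return per_ip


def format_report(per_ip, min_count=1):
    """Render one plain-text block per source IP, busiest first.

    min_count lets a one-off reject be ignored while a host that keeps
    hammering the server still gets reported.
    """
    blocks = []
    for ip, e in sorted(per_ip.items(), key=lambda kv: -kv[1]["count"]):
        if e["count"] < min_count:
            continue
        blocks.append(
            f"Source IP: {ip} ({', '.join(sorted(e['hostnames']))})\n"
            f"  Rejected SMTP attempts: {e['count']}\n"
            f"  First seen: {e['first_seen']:%Y-%m-%d %H:%M:%S}\n"
            f"  Last seen:  {e['last_seen']:%Y-%m-%d %H:%M:%S}\n"
            f"  Reasons: {'; '.join(sorted(e['reasons']))}"
        )
    return "\n\n".join(blocks)


if __name__ == "__main__":
    print(format_report(summarise_rejects(SAMPLE_LOG), min_count=2))
```

Run it as-is to see the report for the constructed log; point it at a real mail log by reading the file into `summarise_rejects` and choosing `min_count` to suit the volume you see. The report deliberately stops at the per-IP summary: looking up the responsible network's abuse contact is a separate step, since that lookup needs network access and the contact data varies by registry.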