[plug] Blacklisted mail server?

Ben Jensz plug at jensz.id.au
Sat May 6 13:24:25 WST 2006 

Alex Nordstrom wrote:
> Either way, the person responsible for the system can't do anything 
> about it unless they know about it.
>
>   
This is true.  Unfortunately some ISPs that don't take this seriously at 
all.  I've personally found the worst offender for this in Australia to 
be Bigpond.  They are the largest ISP in the country and their abuse 
reporting system is pathetic.

There are a number of other ISPs in Australia that do deal with abuse 
responses appropriately and even an automated response is better than 
nothing.  At least then you have an acknowledgment that they do have a 
system for handling abuse reports - even if you don't get a human response.

> Bot nets operate by using exploited systems to find other exploitable 
> system, so if you stop one, you *will* prevent some others from being 
> exploited. It seems like you're saying that it's such a big problem 
> that we should ignore it.
>   
No, I'm not saying that.  I'm saying that these are all reactive 
responses to a problem that has already taken place.  Basically all 
you're doing is putting out the spot fires, when the person with the 
matches is still running loose.  Unfortunately its too easy for 
companies to make money out of sending spam and get away with it (both 
the spammers, and the companies whose goods/services are being flogged off).

> I don't particularly care where spam or security attacks originate. I 
> have only two .au e-mail addresses out of just over a dozen, so those 
> who target Australian addresses in particular are not of any special 
> insterest to me. Also, I do get plenty of DDoS attempts and SSH attack 
> attempts from within Australia, probably proportional to what you see 
> from European countries when adjusted for infrastructure size.
>
>   
With probably a fair amount of these probes being from compromised 
systems anyway.  So you'll never really track down the person(s) 
responsible.  But the more compromised systems that are taken down, the 
better, no matter where they are.

>
> So since reporting exploit attempts from Australian systems doesn't 
> reduce spam sent to Australians, I shouldn't bother?
>
>   
Yes, you should bother.  Every bit does help, but unfortunately because 
of all of the people / providers who don't care - I don't see the 
situation getting better anytime soon unfortunately.

> Yes, II Net blocks 22, 25, 80 (and perhaps a few more) by default. I 
> just wish more ISPs would block UDP 1900 as well. I think few people 
> realise how frequently used that vulnerability is, and there no reason 
> for a LAN discovery protocol to traverse the Internet.
>
>   
It's probably far less of a risk to the majority of end users than a lot 
of other exploits that are blocked.  Some of this comes back to software 
companies though, and them taking responsibility for their bug ridden 
software that allows these exploits to take place at all.

>
> And they will never do that unless their ISPs show them that they are 
> accomplices in computer intrusions and porn spam operations, which is 
> why ISPs need to take a more active stance, grow some balls, and start 
> following up on offenders that just happen to be their customers.
>
>   
But your typical user isn't going to understand this.  They don't see 
this as being something they have done to cause these sort of things 
from happening.  You can't really label them as offenders, essentially 
they are victims as well.  Even if it is through lack of education about 
these sort of issues.
>
> A well-configured Linux system *is* a firewall. The reason Windows needs 
> firewalls is to prevent programs and malware from listening to ports 
> they shouldn't be listening to. It's the same ex post facto approach as 
> using anti-virus programs instead of fixing the security holes.
>   
But viruses will always exist, and often the most successful ones 
require user intervention to be executed in the first place.  So as 
such, there is no security hole to exploit for a virus to spread if it 
requires a user to open the attachment.  Having security holes does make 
it easier for things to be exploited, but people will always be the main 
factor.

It could be argued that a well-configured Windows system will be fairly 
safe as well.  The problem is that the majority of Windows systems 
aren't well-configured.. because they are left at default settings for 
everything.


/ Ben

More information about the plug mailing list