Providers removing blocks on port 135?

Richard Cox Richard at mandarin.com
Sat Sep 20 22:46:40 UTC 2003


On Sat, 20 Sep 2003 15:05:08 -0700
Owen DeLong <owen at delong.com> wrote:

| I'm not convinced blocking port 25 on dialups helps much with that.
| What it does help with is preventing them from connecting to open
| relays.

There are so few open relays now that spammers have moved on.  They
now use, almost without exception, compromised Windows boxes acting as
open proxies, or on which a trojan spam-sender of some sort has been
installed - usually by one of the recent stream of viruses/worms.

Blocking outbound port 25, other than via a designated smarthost, would
at least prevent the direct-to-MX traffic from compromised boxes - which
currently seems to be the spammers' "method of choice".

| The real solution in the long run will be two-fold:
| 1. Internet hosts need to become less penetrable.
|    (or at least one particular brand of software)
| 
| 2. SMTP AUTH will need to become more widespread and end-to-endish.

Right on both counts.  But "end-to-end" may have to include the senders'
fingers: as, if bundled mail-client software contains the AUTH password,
it will be trivial for the spammers to hijack at the client level.

And users won't like having to key in their password each time, meaning
that trivial, guessable passwords will often be used.  In recent weeks
one particular spammer seems to have perfected a knack of breaking SMTP
AUTH passwords on a widespread basis.

Governments on both sides of the Pond may be reluctant to make spam
illegal, but the issue is not spam (or we couldn't be discussing it here).
This is a matter of system and network security, and if law enforcement
had the skills, resources and motivation to deal with what are clear
breaches of existing laws, admins' jobs would be significantly easier.

Until then, we have to deal with issues as they arise.  Networks need to
be contactable quickly when compromised sites start to be misused, and
to respond immediately.  Not just wait until "Monday Morning" in their
timezone ... if we can't deal with the incidents in real time, how can
we expect law enforcement to do anything?

Hello Comcast, Skynet, Ireland-onLine, NTL in the UK ... need I go on?
Where's Declan McC when we need him?

-- 
Richard
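
An added example, not part of the original message: a small audit of flow records that shows which connections an outbound port-25 filter with a smarthost exception would drop, and which customer hosts show the direct-to-MX fan-out typical of a compromised box. The smarthost address, the threshold, the record format and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

SMARTHOSTS = {"192.0.2.25"}   # assumption: the provider's designated relay
FANOUT_THRESHOLD = 3          # assumption: distinct remote mail hosts before flagging

# Constructed sample flow records: "epoch src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
1064097000 198.51.100.10 192.0.2.25 25
1064097003 198.51.100.10 203.0.113.5 80
1064097010 198.51.100.77 203.0.113.1 25
1064097011 198.51.100.77 203.0.113.2 25
1064097011 198.51.100.77 203.0.113.3 25
1064097012 198.51.100.77 203.0.113.4 25
1064097020 198.51.100.42 203.0.113.9 25
truncated-record 198.51.100.42
"""

def parse_flows(text):
    """Yield (ts, src, dst, port) tuples, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[0].isdigit() and parts[3].isdigit()):
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3])

def direct_to_mx(flows, smarthosts=SMARTHOSTS):
    """Map each source to the remote hosts it reached on port 25, bypassing the smarthost."""
    bypass = defaultdict(list)
    for _ts, src, dst, port in flows:
        if port == 25 and dst not in smarthosts:
            bypass[src].append(dst)
    return dict(bypass)

def audit(text, threshold=FANOUT_THRESHOLD):
    """Return (flows an egress filter would drop, sources with spam-like fan-out)."""
    bypass = direct_to_mx(parse_flows(text))
    would_drop = sum(len(dsts) for dsts in bypass.values())
    suspects = sorted(s for s, dsts in bypass.items() if len(set(dsts)) >= threshold)
    return would_drop, suspects

if __name__ == "__main__":
    dropped, suspects = audit(SAMPLE_FLOWS)
    print(f"flows a port-25 egress filter would drop: {dropped}")
    print(f"hosts to investigate as possibly compromised: {suspects}")
```

A host with a single direct connection (198.51.100.42 in the sample) would be blocked by the filter but is not flagged, since one destination is consistent with a customer running their own mail server.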







