Stopping open proxies and open relays
Guðbjörn S. Hreinsson
gsh at centrum.is
Wed Feb 18 08:57:40 UTC 2004
> >I am looking for ideas to stop the spam created by compromised Windows
> >PC's. This is not about the various worms and viruses replicating but
> >these boxes acting as open relays or open proxies.
> >
> >There are valid reasons not to run antivirus software, coupled with
> >clueless users, this results in machines that SPAM again just a few hours
> >after having been cleaned.
>
> First step is correctly to specify the system's properties.
>
> Yours is not a technical issue but one of user negligence. You have
> to build the solution around this fact.

I don't agree with this. It's almost impossible to "secure" Windows machines.
Even applying all patches as soon as they come out doesn't make sure you
are "safe". Given, this applies to all operating systems, but the rate of Windows
patches is sure to throw users into a state of "this is impossible to keep up".
I've seen machines become compromised even when fully patched only to
realize what happened when the next MS patch came out - just look at how
long it took MS to fix the ASN.1 issue.

We can't continue to blame end users for negligence but also keep delivering
crappy software to them. Why not blame Microsoft? Why not blame legislation
for allowing vendors to deliver insecure applications and systems?

> Curative measures that have worked elsewhere are:
>
> 1-Scan every client when it accesses

What are you going to scan for? Specific ports or all ports? That's going
to take a while and who knows what's going to happen to the guy on the
other line. Keep in mind that the current spam proxies do not listen on
fixed ports and they change quite often. While you scan, the proxy app
may even move from an unscanned port to a scanned port. So a client
you thought secure is not.

Rgds,
-GSH