Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)

Douglas Otis dotis at mail-abuse.org
Tue Jun 19 16:46:27 UTC 2007


On Jun 19, 2007, at 8:35 AM, Suresh Ramasubramanian wrote:
> On 6/19/07, Leigh Porter <leigh.porter at ukbroadband.com> wrote:
>> Agreed, SMTP is not really a special vector, other than it's  
>> obvious commercial spam use. So just block all the usual virus  
>> vector ports, block 25 and force people to use your own SMTP  
>> servers and the problem [for] this particular one goes away..
>
> No. the part of it you target (outbound spam) merely relocates  
> itself, and your smtp servers become huge spam sinks.  Filter all  
> you want and you'll still leak spam unless you take those hosts down
>
> And in the meantime those hosts will also be launching dos attacks,  
> hosting "fast flux" pills / warez / kiddy pr0n sites, carrying out  
> id / card theft .. best to isolate and take them down.
>
> You can port block at your edge till you burst and you'll still be  
> in a lot of hot water.

Web-site/browser vulnerabilities make ISP efforts largely futile.   
Infection rates easily overwhelm aggressive automated detection and  
wall-garden strategies.  Nevertheless, blocking port 25 offers  
several benefits even for this seemingly failing effort.  Messages  
can be rate limited, where delivery errors also provide direct clues  
as to which system are likely infected.

Web related script vulnerabilities impact some of the largest online  
email providers!  In the zeal to enable advertising, customer  
accounts are easily harvested.  These accounts may also receive  
password updates from other accounts, placing even critical financial  
information at risk.  Every compromised account is then able to  
impersonate owners, utilize their address book and entice further  
infections by offering malware related messages.  The malware might  
appear as seemingly harmless links or documents.  Email is a vector  
that must be watched carefully, however the greater danger is with  
web/browser vulnerabilities.

Complacency permitting, and at times even promoting use of known  
defective products must end.  The era of combining scripts and active  
code along with every piece of information conveyed must end.  Unless  
the Internet industry responds effectively, legislators will likely  
to react in their own futile way.

Less is more.  A document MUST NOT require active code to convey  
information.

-Doug





More information about the NANOG mailing list