Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
Suresh Ramasubramanian
ops.lists at gmail.com
Mon Jun 18 16:34:56 UTC 2007
On 6/18/07, Jack Bates <jbates at brightok.net> wrote:
> Joe also pointed out the biggest problem with blocking port 25; it pushes the
> abuse towards the smarthosts. This creates a lot of issues. Smarthosts have to

So .. great. You have a huge spam problem that flew under your radar
as it was spread across multiple /24s or far larger netblocks, now
concentrated within far fewer servers that are part of the same
cluster. That kind of makes your job a bit easier then .. half full
glass v/s half empty glass, and all that.

> I'd rather monitor and filter traffic patterns on port 25 (and the various other
> ports that are also often spewing other things) than block it. It's not unusual
> to see tcp/25 spewing at the same time as udp/135 and tcp/445 or even tcp/1025.
[...]

Which is what a lot of the kit Sean posted about does ..
srs
--
Suresh Ramasubramanian (ops.lists at gmail.com)
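
Added example, not part of the original message and not code from any of the posters: one way to express the traffic-pattern check quoted above, flagging sources that fan out on tcp/25 and on udp/135, tcp/445 or tcp/1025 within the same time window. The flow line format, the thresholds and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports the thread names as often active alongside tcp/25 on the same host.
COMPANION_PORTS = {("udp", 135), ("tcp", 445), ("tcp", 1025)}
SMTP = ("tcp", 25)

def parse_flow(line):
    """Parse 'epoch src dst proto dport' (constructed format, not a real exporter's)."""
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto.lower(), int(dport)

def quarantine_candidates(lines, window=300, min_smtp_dsts=5, min_companion_dsts=3):
    """Return {src: (smtp_fanout, companion_ports)} for sources that, inside one
    time window, reach many distinct hosts on tcp/25 AND on a companion port."""
    # buckets[(src, window index)][(proto, port)] -> set of distinct destinations
    buckets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ts, src, dst, proto, dport = parse_flow(line)
        buckets[(src, ts // window)][(proto, dport)].add(dst)

    flagged = {}
    for (src, _), ports in buckets.items():
        smtp_fanout = len(ports.get(SMTP, ()))
        noisy = sorted(p for p in COMPANION_PORTS
                       if len(ports.get(p, ())) >= min_companion_dsts)
        if smtp_fanout >= min_smtp_dsts and noisy:
            if src not in flagged or smtp_fanout > flagged[src][0]:
                flagged[src] = (smtp_fanout, noisy)  # keep the busiest window
    return flagged

def sample_flows():
    """Constructed flows: an infected-looking host, a busy mailer, a file-share client."""
    out = []
    for i in range(8):   # 10.0.0.23: SMTP fan-out ...
        out.append(f"{1000 + i} 10.0.0.23 192.0.2.{i + 1} tcp 25")
    for i in range(6):   # ... plus tcp/445 scanning ...
        out.append(f"{1010 + i} 10.0.0.23 198.51.100.{i + 1} tcp 445")
    for i in range(4):   # ... plus udp/135 in the same window
        out.append(f"{1020 + i} 10.0.0.23 198.51.100.{i + 50} udp 135")
    for i in range(10):  # 10.0.0.40: SMTP only, e.g. a legitimate mailer
        out.append(f"{1000 + i} 10.0.0.40 192.0.2.{i + 100} tcp 25")
    for i in range(5):   # 10.0.0.51: file shares, a single SMTP connection
        out.append(f"{1000 + i} 10.0.0.51 10.0.1.{i + 1} tcp 445")
    out.append("1003 10.0.0.51 192.0.2.9 tcp 25")
    return out

if __name__ == "__main__":
    print(quarantine_candidates(sample_flows()))
```

Only the host that combines SMTP fan-out with companion-port fan-out is returned; the SMTP-only mailer and the file-share client are not.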