Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)

James Hess mysidia at gmail.com
Tue Jun 19 02:23:57 UTC 2007


On 6/18/07, Suresh Ramasubramanian <ops.lists at gmail.com> wrote:
> On 6/18/07, Jeroen Massar <jeroen at unfix.org> wrote:
> > Of course, though 25 is (afaik ;) the most abused one that will annoy a
> > lot of other folks with spam, phishings and virus distribution, though
> > the latter seems to have come to a near halt from what I see.

[snip]
> As Joe says (and I agree), trying to fix infected hosts on your
> network by blocking port 25 is like treating lung cancer with cough
> syrup.

Perhaps, but I think someone possibly misunderstood the goal behind
blocking port 25.
It doesn't "fix" an infected host, the point is to mitigate one of the
attack vectors
by which the infection could spread to new clean hosts, to reduce the
range of possible
attacks/spreading techniques infected host could launch --

in some cases, the spread will stop entirely, if the particular
software spreads only
by connecting to destination mail servers on port 25, and while the
hosts may still be
infected, there is much less harm (in terms of automatically spamming
and spreading to other hosts) that will be possible, with port 25
blocked.

Preventing hosts from just SMTP'ing out just anywhere they like
creates a new hurdle
for any infection to get over to spread; now any malware suddenly
needs to figure out a
SMTP server to use, and a username and password to use with SMTP authentication,
and any other restrictions imposed by the ISP outgoing MTA.

Think of it as having people infected with TB wearing masks while they
are in public.

It certainly doesn't cure them of the disease, that's not the point.
It's for the protection of possible hosts not yet infected by the parasite.

It's no guarantee that the disease doesn't ever spread to someone else, but
the opportunity for airborne spread is slightly reduced, and that's the goal.

--
-J



More information about the NANOG mailing list