[67719] in North American Network Operators' Group


Re: Stopping open proxies and open relays

daemon@ATHENA.MIT.EDU (Guðbjörn S. Hre)
Wed Feb 18 03:58:18 2004

From: Guðbjörn S. Hreinsson <gsh@centrum.is>
To: "Dr. Jeffrey Race" <jrace@attglobal.net>, <nanog@merit.edu>
Date: Wed, 18 Feb 2004 08:57:40 -0000
Errors-To: owner-nanog-outgoing@merit.edu


> >I am looking for ideas to stop the spam created by compromised Windows
> >PCs. This is not about the various worms and viruses replicating but
> >these boxes acting as open relays or open proxies.
> >
> >There are valid reasons not to run antivirus software; coupled with
> >clueless users, this results in machines that SPAM again just a few hours
> >after having been cleaned.
>
> First step is correctly to specify the system's properties.
>
> Yours is not a technical issue but one of user negligence. You have
> to build the solution around this fact.

I don't agree with this. It's almost impossible to "secure" Windows machines.
Even applying all patches as soon as they come out doesn't make sure you
are "safe". Given, this applies to all operating systems, but the rate of Windows
patches is sure to throw users into a state of "this is impossible to keep up".
I've seen machines become compromised even when fully patched only to
realize what happened when the next MS patch came out - just look at how
long it took MS to fix the ASN.1 issue.

We can't continue to blame end users for negligence but also keep delivering
crappy software to them. Why not blame Microsoft? Why not blame legislation
for allowing vendors to deliver insecure applications and systems?

> Curative measures that have worked elsewhere are:
>
> 1-Scan every client when it accesses

What are you going to scan for? Specific ports or all ports? That's going
to take a while and who knows what's going to happen to the guy on the
other line. Keep in mind that the current spam proxies do not listen on
fixed ports and they change quite often. While you scan, the proxy app
may even move from an unscanned port to a scanned port. So a client
you thought secure is not.


Rgsd,
-GSH