[97506] in North American Network Operators' Group


Re: Quarantining infected hosts (Was: FBI tells the public to call

daemon@ATHENA.MIT.EDU (Jack Bates)
Mon Jun 18 12:34:02 2007

Date: Mon, 18 Jun 2007 11:32:59 -0500
From: Jack Bates <jbates@brightok.net>
To: Suresh Ramasubramanian <ops.lists@gmail.com>
Cc: Sean Donelan <sean@donelan.com>, nanog@nanog.org
In-Reply-To: <bb0e440a0706180822g4f0dd85ax59d65afe33c8fe7a@mail.gmail.com>
Errors-To: owner-nanog@merit.edu


Suresh Ramasubramanian wrote:
> MAAWG's port 25 management document is kind of based on consensus. Joe
> is a senior tech advisor at MAAWG, contributed substantially to that
> document .. and those two presentations were made at a maawg (san
> diego in 2005 if I remember right) so ..
> 

Joe also pointed out the biggest problem with blocking port 25; it pushes the 
abuse towards the smarthosts. This creates a lot of issues. Smarthosts have to 
be regulated more closely. Support must be increased to deal with customers that 
have legitimate large scale outbound needs and will need smarthost restrictions 
lifted. A certain amount of spam leakage must be expected out of the smarthost, 
but most recipients won't know or take the time to tell the difference. This 
leads to more blocking of the smarthosts, which causes more issues for a larger 
number of customers.

I'd rather monitor and filter traffic patterns on port 25 (and the various other 
ports that are also often spewing other things) than block it. It's not unusual 
to see tcp/25 spewing at the same time as udp/135 and tcp/445 or even tcp/1025. 
A detection of both network scans and correlating inbound connections to 
outbound tcp/25 leads to a lot of good proactive automation. Spam abuse may be 
the most publicly annoying use of trojans/bots, but it's probably the least 
destructive use (debatable).

Jack
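The detection Jack describes, correlating a host's network scanning (udp/135, tcp/445, tcp/1025) with its outbound tcp/25 fan-out, as an added example that is not part of the original post and not Jack Bates's or any NANOG member's tooling. The flow records are constructed sample data, and the port set, thresholds and verdict labels are assumptions; a real deployment would feed it NetFlow/sFlow or firewall logs and tune the thresholds to the network.

```python
"""Correlate scan activity with outbound tcp/25 fan-out per source host.

Illustrative detector written for this thread (not NANOG or Jack Bates's
code): flow records are constructed sample data, and the scan port set and
thresholds are assumptions to be tuned per network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Ports the post names as commonly spewing at the same time as tcp/25.
SCAN_PORTS = {("udp", 135), ("tcp", 445), ("tcp", 1025)}
SMTP_PORT = ("tcp", 25)


def summarize(flows):
    """Per source host: distinct destinations hit on scan ports and on tcp/25."""
    scan_dsts = defaultdict(set)
    smtp_dsts = defaultdict(set)
    for f in flows:
        key = (f.proto, f.dport)
        if key in SCAN_PORTS:
            scan_dsts[f.src].add(f.dst)
        elif key == SMTP_PORT:
            smtp_dsts[f.src].add(f.dst)
    return scan_dsts, smtp_dsts


def classify_hosts(flows, scan_threshold=20, smtp_threshold=10):
    """Return {src: verdict} for hosts exceeding a threshold.

    'bot-like' requires BOTH scan fan-out and SMTP fan-out. A host with only
    SMTP fan-out (a legitimate mail server, for instance) is reported as
    'smtp-only' and is not treated as infected, which is the point of
    filtering on traffic patterns instead of blocking port 25 outright.
    """
    scan_dsts, smtp_dsts = summarize(flows)
    verdicts = {}
    for src in set(scan_dsts) | set(smtp_dsts):
        scans = len(scan_dsts.get(src, ()))
        smtp = len(smtp_dsts.get(src, ()))
        if scans >= scan_threshold and smtp >= smtp_threshold:
            verdicts[src] = "bot-like"
        elif scans >= scan_threshold:
            verdicts[src] = "scan-only"
        elif smtp >= smtp_threshold:
            verdicts[src] = "smtp-only"
    return verdicts


def sample_flows():
    """Constructed flows: one infected desktop, one legitimate bulk sender,
    and one host sending a couple of ordinary mails."""
    flows = []
    # 10.0.0.5: sweeps tcp/445 and udp/135 across a /24, then spews mail.
    for i in range(1, 40):
        flows.append(Flow("10.0.0.5", f"192.0.2.{i}", "tcp", 445))
        flows.append(Flow("10.0.0.5", f"192.0.2.{i}", "udp", 135))
    for i in range(1, 30):
        flows.append(Flow("10.0.0.5", f"198.51.100.{i}", "tcp", 25))
    # 10.0.0.9: legitimate large-scale outbound sender, many SMTP peers, no scanning.
    for i in range(1, 60):
        flows.append(Flow("10.0.0.9", f"203.0.113.{i}", "tcp", 25))
    # 10.0.0.12: two mails, nothing else; stays below every threshold.
    flows.append(Flow("10.0.0.12", "203.0.113.7", "tcp", 25))
    flows.append(Flow("10.0.0.12", "203.0.113.8", "tcp", 25))
    return flows


if __name__ == "__main__":
    for host, verdict in sorted(classify_hosts(sample_flows()).items()):
        print(host, verdict)
```

Only the host that both scans and fans out on tcp/25 is flagged as bot-like; the bulk sender shows up as smtp-only so a human or a separate policy can decide whether it is a customer with legitimate outbound needs rather than having its port closed.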
