[97507] in North American Network Operators' Group


Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)

daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Mon Jun 18 12:40:35 2007

Date: Mon, 18 Jun 2007 22:04:56 +0530
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "Jack Bates" <jbates@brightok.net>
Cc: "Sean Donelan" <sean@donelan.com>, nanog@nanog.org
In-Reply-To: <4676B3BB.30005@brightok.net>
Errors-To: owner-nanog@merit.edu


On 6/18/07, Jack Bates <jbates@brightok.net> wrote:

> Joe also pointed out the biggest problem with blocking port 25; it pushes the
> abuse towards the smarthosts. This creates a lot of issues. Smarthosts have to

So .. great. You have a huge spam problem that flew under your radar
as it was spread across multiple /24s or far larger netblocks, now
concentrated within far fewer servers that are part of the same
cluster.  That kind of makes your job a bit easier then .. half full
glass v/s half empty glass, and all that.

> I'd rather monitor and filter traffic patterns on port 25 (and the various other
> ports that are also often spewing other things) than block it. It's not unusual
> to see tcp/25 spewing at the same time as udp/135 and tcp/445 or even tcp/1025.

[...]

Which is what a lot of the kit Sean posted about does ..

srs
-- 
Suresh Ramasubramanian (ops.lists@gmail.com)
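
Added example, not part of the original message: the traffic pattern discussed in this thread (a customer host sending on tcp/25 while also hitting udp/135, tcp/445 or tcp/1025) expressed as Python that picks quarantine candidates out of flow records. The record layout, the function names, both thresholds and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports the thread names as often active at the same time as tcp/25 abuse.
COMPANION_PORTS = {("udp", 135), ("tcp", 445), ("tcp", 1025)}

# Constructed flow records: (source, protocol, destination port, destination).
# All addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = (
    [("192.0.2.10", "tcp", 25, f"198.51.100.{i}") for i in range(6)]
    + [("192.0.2.10", "tcp", 445, f"203.0.113.{i}") for i in range(4)]
    + [("192.0.2.10", "udp", 135, f"203.0.113.{i}") for i in range(3)]
    # A customer running a real mail server: SMTP fan-out, nothing else.
    + [("192.0.2.20", "tcp", 25, f"198.51.100.{i}") for i in range(8)]
    # A host that scans tcp/445 but only talks SMTP to one relay.
    + [("192.0.2.30", "tcp", 25, "198.51.100.1")]
    + [("192.0.2.30", "tcp", 445, f"203.0.113.{i}") for i in range(5)]
)

def summarize(flows):
    """Per source: distinct tcp/25 destinations and distinct destinations per companion port."""
    smtp = defaultdict(set)
    companion = defaultdict(lambda: defaultdict(set))
    for src, proto, dport, dst in flows:
        if (proto, dport) == ("tcp", 25):
            smtp[src].add(dst)
        elif (proto, dport) in COMPANION_PORTS:
            companion[src][(proto, dport)].add(dst)
    return smtp, companion

def quarantine_candidates(flows, smtp_fanout=5, scan_fanout=3):
    """Flag sources that fan out on tcp/25 AND on at least one companion port.

    Both thresholds are hypothetical; tune them against your own baseline.
    """
    smtp, companion = summarize(flows)
    flagged = {}
    for src, mail_dsts in smtp.items():
        if len(mail_dsts) < smtp_fanout:
            continue  # few SMTP peers: looks like normal relay use
        noisy = sorted(f"{proto}/{port}"
                       for (proto, port), dsts in companion[src].items()
                       if len(dsts) >= scan_fanout)
        if noisy:  # SMTP fan-out alone is not enough (legitimate mail servers)
            flagged[src] = {"smtp_destinations": len(mail_dsts),
                            "companion_ports": noisy}
    return flagged

if __name__ == "__main__":
    for host, detail in quarantine_candidates(SAMPLE_FLOWS).items():
        print(host, detail)
```

Requiring both signals keeps the customer mail server at 192.0.2.20 out of the result, which SMTP volume alone would not.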
