[97515] in North American Network Operators' Group
Re: Quarantining infected hosts (Was: FBI tells the public to call
daemon@ATHENA.MIT.EDU (Jack Bates)
Tue Jun 19 10:04:37 2007
Date: Tue, 19 Jun 2007 09:03:29 -0500
From: Jack Bates <jbates@brightok.net>
To: James Hess <mysidia@gmail.com>
Cc: nanog@nanog.org
In-Reply-To: <6eb799ab0706181923w27f51b51w7ff7e049b17b020b@mail.gmail.com>
Errors-To: owner-nanog@merit.edu
James Hess wrote:
> Preventing hosts from just SMTP'ing out just anywhere they like creates a new
> hurdle for any infection to get over to spread; now any malware suddenly needs
> to figure out an SMTP server to use, and a username and password to use with
> SMTP authentication, and any other restrictions imposed by the ISP outgoing MTA.
>
This sounds great, except it doesn't scale. My router says there is no
noticeable difference between tcp/25 and tcp/445, or udp/134 or udp/1434 or
tcp/1025, or tcp/80. It asked if we should just block all ports and force people
through proxy servers. Why mitigate one vector when you can take them all out?
What makes SMTP so special a vector?
Yes, my router speaks. Yours doesn't?
Jack
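The two positions in this exchange (restrict tcp/25 to the ISP's outbound MTA, versus treating every port the same and quarantining the host) can be expressed as one egress policy. The following is an added illustration, not code from either poster or from NANOG: a small policy evaluator run over constructed flow records. The ISP MTA address, the restricted-port list (the ports Jack names), the quarantine list and the sample flows are all assumptions made up for the example.

```python
"""Egress policy evaluator: port-25 smarthost-only rule, other restricted
ports, and per-host quarantine, applied to constructed flow records."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src: str      # customer host
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# Assumed (hypothetical) address of the ISP's own outbound MTA.
ISP_MTA = "203.0.113.25"

# tcp/25 is permitted only toward ISP_MTA; the other entries are the ports
# named in the reply above, which the policy treats as plain denies.
SMARTHOST_ONLY = {("tcp", 25)}
RESTRICTED = {("tcp", 25), ("tcp", 445), ("udp", 134), ("udp", 1434), ("tcp", 1025)}


def decide(flow: Flow, quarantined: set[str]) -> str:
    """Return 'quarantine', 'deny' or 'allow' for one flow.

    A quarantined host loses all egress regardless of port; otherwise
    tcp/25 passes only to the ISP MTA, other restricted ports are denied,
    and everything else is allowed.
    """
    if flow.src in quarantined:
        return "quarantine"
    key = (flow.proto, flow.dport)
    if key in SMARTHOST_ONLY:
        return "allow" if flow.dst == ISP_MTA else "deny"
    if key in RESTRICTED:
        return "deny"
    return "allow"


def evaluate(flows: Iterable[Flow], quarantined: set[str]) -> list[tuple[Flow, str]]:
    """Apply decide() to every flow and return (flow, verdict) pairs."""
    return [(f, decide(f, quarantined)) for f in flows]


def summary(flows: Iterable[Flow], quarantined: set[str]) -> dict[str, int]:
    """Count verdicts, e.g. {'deny': 5, 'allow': 2, 'quarantine': 1}."""
    return dict(Counter(v for _, v in evaluate(flows, quarantined)))


def suspect_hosts(flows: Iterable[Flow], quarantined: set[str], threshold: int = 3) -> list[str]:
    """Hosts with at least `threshold` denied direct-to-port-25 attempts.

    Repeated attempts to reach arbitrary remote MTAs despite the block are
    the signal an operator would use to add a host to the quarantine list.
    """
    denied_smtp = Counter(
        f.src for f, v in evaluate(flows, quarantined)
        if v == "deny" and (f.proto, f.dport) == ("tcp", 25)
    )
    return sorted(h for h, n in denied_smtp.items() if n >= threshold)


# Constructed sample traffic (not real flow data).
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "192.0.2.1", "tcp", 25),    # direct-to-MX spam attempt: deny
    Flow("198.51.100.10", "192.0.2.2", "tcp", 25),    # deny
    Flow("198.51.100.10", "192.0.2.3", "tcp", 25),    # deny
    Flow("198.51.100.10", "192.0.2.4", "tcp", 80),    # ordinary web traffic: allow
    Flow("198.51.100.11", ISP_MTA, "tcp", 25),        # mail via the ISP MTA: allow
    Flow("198.51.100.11", "192.0.2.5", "tcp", 445),   # SMB to the Internet: deny
    Flow("198.51.100.12", "192.0.2.6", "udp", 1434),  # SQL resolution service: deny
    Flow("198.51.100.99", "192.0.2.7", "tcp", 80),    # already quarantined host
]
QUARANTINED = {"198.51.100.99"}

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS, QUARANTINED):
        print(f"{verdict:10s} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    print(summary(SAMPLE_FLOWS, QUARANTINED))
    print("suspects:", suspect_hosts(SAMPLE_FLOWS, QUARANTINED))
```

The point of the example is that the tcp/25 rule and the "block all of them" rule are the same mechanism with different port sets; what distinguishes SMTP in practice is only the smarthost exception, which gives the operator a place to apply authentication and rate limits.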