[97961] in North American Network Operators' Group
Re: DNS Hijacking by Cox
daemon@ATHENA.MIT.EDU (Steven Haigh)
Sun Jul 22 22:06:44 2007
Date: Mon, 23 Jul 2007 11:55:39 +1000
From: Steven Haigh <netwiz@crc.id.au>
To: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.64.0707222104470.20263@clifden.donelan.com>
Errors-To: owner-nanog@merit.edu
Quoting Sean Donelan <sean@donelan.com>:
> On Sun, 22 Jul 2007, William Allen Simpson wrote:
>> Comcast still blocks port 25. And last week, a locally well-known person
>> was blocked from sending outgoing port 25 email to their servers from her
>> home Comcast service.
>
> MSA port 587 is only 9 years old. I guess it takes some people longer
> than others to update their practices. Based on what I know about how
> Comcast's abuse systems implement their port 25 restrictions, I think
> it is extremely unlikely it was based on other people having her e-mail
> address in their Outlook programs.
Indeed. There's just not enough info to make anything but wild guesses
about this.
> Some people complain ISPs refuse to take action about abuse and
> compromised computers on their networks. On the other hand, people
> complain when ISPs take action about abuse and compromised computers on
> their networks. ISPs are pretty much damned if they do, and damned if
> they don't.
Gotta love the techie world :)
> Several ISPs have been redirecting malware using IRC to "cleaning"
> servers for a couple of years trying to respond to the massive number
> of bots. On occasion they pick up C&C server which also contains some
> "legitimate" uses. Trying to come up with a good cleaning message for
> each protocol can be a challenge.
I'm still unsure that this is either a good idea or a bad idea...
changing the DNS can only help until the bots start connecting
directly to IP addresses. Then where do we go? NAT those connections
to elsewhere? It's one of those lovely arms races where things just
get more and more invasive.
In the short term, it's a good thing - the amount of spam I get from
their network has halved - which is great - however in the long term,
the writers of this crudware will find another way to do business
(web? ftp?).
> Yes, false positives and false negatives are always an issue. People
> running several famous block lists for spam and other abuse also made
> mistakes on occasion.
And these people have been flamed senseless. I like to think of it as
a case of the work the blocklists do is excellent and saves many a
network from being overrun by spam - however there is always
collateral damage from things like this. The good far outweighs the
bad however.
-- 
Steven Haigh
Email: netwiz@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9017 0597 - 0404 087 474
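A defender's-side sketch of the two points made above, the ISP DNS redirection of C&C names to a "cleaning" server and the direct-to-IP connections that slip past it, as an added example that is not part of the original thread; every domain name, address and log entry is constructed.

```python
"""Sinkhole simulation: listed C&C names resolve to the cleaning server, and
flows that reach the real C&C address without a prior lookup from that client
are flagged as the direct-to-IP evasion the thread anticipates."""
from collections import defaultdict

# Constructed sample indicators (documentation/test ranges, not real hosts).
CC_DOMAINS = {"irc.cc-example.test": "203.0.113.10"}  # C&C name -> real address
CLEANING_SERVER = "192.0.2.53"                        # where listed names are sent
CC_ADDRESSES = {ip: name for name, ip in CC_DOMAINS.items()}


def resolve(name, upstream):
    """Answer a query: sinkhole listed names, otherwise pass the upstream answer."""
    if name in CC_DOMAINS:
        return CLEANING_SERVER
    return upstream.get(name)


def evaluate(dns_log, flow_log):
    """Split clients into those the sinkhole redirected and those that bypassed it.

    dns_log: iterable of (client, queried_name) seen at the ISP resolver.
    flow_log: iterable of (client, destination_ip) seen at the edge.
    Returns (redirected_clients, bypassing_clients) as sets.
    """
    looked_up = defaultdict(set)
    for client, name in dns_log:
        looked_up[client].add(name)

    redirected, bypassing = set(), set()
    for client, dst in flow_log:
        if dst == CLEANING_SERVER:
            redirected.add(client)               # sinkhole did its job
        elif dst in CC_ADDRESSES and CC_ADDRESSES[dst] not in looked_up[client]:
            bypassing.add(client)                # hard-coded IP, no DNS involved
    return redirected, bypassing


if __name__ == "__main__":
    # Constructed logs: .5 resolves the C&C name and lands on the cleaning
    # server; .9 never asks DNS and goes straight to the C&C address.
    dns = [("10.0.0.5", "irc.cc-example.test"), ("10.0.0.7", "www.example.test")]
    flows = [("10.0.0.5", "192.0.2.53"), ("10.0.0.9", "203.0.113.10"),
             ("10.0.0.7", "198.51.100.20")]
    print(evaluate(dns, flows))
```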