[Mimedefang] FTC asks ISPs to crack down on zombie PCs

Ian Mitchell trash at aftermagic.com
Wed May 25 09:51:18 EDT 2005


> Date: Wed, 25 May 2005 09:03:31 -0400
> From: "James Ebright" <jebright at esisnet.com>
> Subject: Re: [Mimedefang] FTC asks ISPs to crack down on zombie PCs
>
> On Tue, 24 May 2005 14:17:54 -0700, Matthew.van.Eerde wrote
>
>>     * blocking a common Internet port used for e-mail when possible;
>>     * providing plain-language information for customers on how to keep
>>       their home computers secure; and

Personally, I'm highly opposed to blocking outbound port 25. There are
some of us who don't have the resources to run a domain on a business
class line. Second off, there are those of us who take security very
seriously and work hard to ensure our micro domains don't become zombies.
And third, one could use the argument that we should use hosting services.
But I did use a hosting service when I first got started. And when I
attempted to use Frontpage to modify my website one day, I realized that
none of the 14,000 websites hosted by the provider were password
protected. I can do better than that on my home PC.

So by cutting our port 25, we are now forced to limit which domains we can
send email to. I have to add special rules for those specific domains that
choose to deny my emails, to forward through my ISP's MTA. The point of
running an MTA is so you don't have to do that.

> * block outbound port 25 except for designated MTAs. Define an SPF record for
> said MTAs. Implement SMTP Auth.

Only if the email presents itself as being from that domain. If someone's
running a domain on an IP of that ISP, then that domain should have an SPF
record that SHOULD allow the emails to go through. I advertise a hard SPF
record for my domain; I allow email to come only from my IP. Unfortunately,
due to the rules that I have to set up for certain ISPs that limit port
25, I have to allow my ISP to act as a relay in the SPF record as well.
Not my most ideal solution. But it's that kind of backwardness you get
when people start breaking things ;)

> The other repercussion, probably an unavoidable one in the long term anyway,
> is that zombies will now be created that can hijack a user's mail settings
> and credentials to then relay mail, which will improve the spam message
> structure considerably as well, since many MTAs correct things that ratware
> normally foobars, and as a result will remove many of the footprints things
> like SA look for.

As long as the current model for SMTP exists, spam will exist.

I visited a security seminar just a few weeks ago and they demo'd a
product that would probably be pretty decent to look at for any ISP that's
looking to set up an automatic quarantine mechanism. It's called ForeScout
and the way it works is it monitors for very specific attack signatures
(NMAP scan) and once it detects it, it launches its own man-in-the-middle
attack. For the asset being protected, it sends RST packets to all outbound
connections associated with the attack. For assets doing the
attacking, it creates a honeynet and records all the traffic for forensic
analysis later on. Definitely a pretty decent tool, and it can definitely
assist in shutting down zombies.

I personally am opposed to any device that "attacks", but apparently
there's a non-existent false positive rate and the idea seems pretty
solid.
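The SPF trade-off Ian describes (a hard-fail record that lists only the home MTA's IP breaks the moment mail has to be routed through the ISP's smarthost, so the ISP's relay range has to be added to the record) is easy to see with a small evaluator. The following is an added example, not code from the original post or from the MIMEDefang project. It implements just enough of SPF (RFC 7208) to evaluate `ip4`, `ip6`, `include` and `all` with qualifiers against a constructed in-memory "DNS" zone; the domain `example.net`, the include target `_spf.isp.example`, and all IP addresses are made-up assumptions, and `a`, `mx`, `ptr` and `exists` mechanisms are deliberately unsupported.

```python
"""Minimal SPF evaluator to show why a hard-fail record must list the ISP relay.

Added example; not part of the original mailing-list post or of MIMEDefang.
Constructed zone data and IPs; no real DNS is consulted.
"""
import ipaddress

# Constructed "DNS": the home domain's record, first without and then with the
# ISP's outbound relay range. The include target and all addresses are assumptions.
ZONE_STRICT = {
    "example.net": "v=spf1 ip4:203.0.113.10 -all",
}
ZONE_WITH_RELAY = {
    "example.net": "v=spf1 ip4:203.0.113.10 include:_spf.isp.example -all",
    "_spf.isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
# A self-referencing include, to show the loop guard producing permerror.
ZONE_LOOP = {
    "loop.example": "v=spf1 include:loop.example -all",
}

HOME_MTA_IP = "203.0.113.10"    # constructed: the home MTA's static address
ISP_RELAY_IP = "198.51.100.25"  # constructed: one of the ISP's smarthosts
FORGED_IP = "192.0.2.77"        # constructed: a random zombie spoofing the domain

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms; reused here as a recursion cap


def check_host(zone, ip, domain, depth=0):
    """Return the SPF result for connecting IP `ip` claiming MAIL FROM domain `domain`."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        # partition on the first ':' so ip6 addresses keep their own colons
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a bare address gets an implicit /32 or /128 via ip_network()
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_host(zone, ip, arg, depth + 1)
            if inner in ("none", "permerror", "temperror"):
                return "permerror"  # RFC 7208 s5.2: a broken include is an error
            matched = inner == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists: not supported in this toy
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no explicit 'all'


def scenario(zone):
    """Evaluate the three senders that matter for the post's argument."""
    return {
        "direct": check_host(zone, HOME_MTA_IP, "example.net"),
        "via_isp": check_host(zone, ISP_RELAY_IP, "example.net"),
        "forged": check_host(zone, FORGED_IP, "example.net"),
    }


if __name__ == "__main__":
    print("strict record:    ", scenario(ZONE_STRICT))
    print("with ISP include: ", scenario(ZONE_WITH_RELAY))
    print("include loop:     ", check_host(ZONE_LOOP, HOME_MTA_IP, "loop.example"))
```

With the strict record, mail the ISP forces through its smarthost gets `fail` from any receiver that honours `-all`, exactly the situation the post complains about; adding the ISP's published range via `include:` turns that into `pass` while a zombie on an unrelated address still fails. The cost, which the post also notes, is that every customer of the same ISP sharing that relay can now pass SPF for the domain.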