[Mimedefang] FTC asks ISPs to crack down on zombie PCs

Ben Kamen bkamen at benjammin.net
Wed May 25 10:47:13 EDT 2005


Ian Mitchell wrote:
> 
> Personally, I'm highly opposed to blocking outbound port 25. There are
> some of us who don't have the resources to run a domain on a business
> class line. Second off, there are those of us who take security very
> seriously and work hard to ensure our micro domains don't become zombies.
> And third, one could use the argument that we should use hosting services.
> But I did use a hosting service when I first got started. And when I
> attempted to use Frontpage to modify my website one day, I realized that
> none of the 14,000 websites hosted by the provider were password
> protected. I can do better than that on my home PC.

I am opposed to blocking ANYTHING as well - but what can be done? The problem is 
MS at this point. The FTC really needs to start making them accountable for the 
crap they are putting out in the public domain. I'm not sure quite how to make a 
legal standing out of this...but I'm definitely not one for going after 
gun-makers when bad people use 'em to shoot good people.

On another note, I cancelled SBC because they started blocking protocol 50 
packets for my VPN. And I was on a static IP package which isn't supposed to 
have ANY filtering. We finally determined they changed something on their PPPoE 
servers that fudged my configuration that had been working perfectly for 13 
months. Their answer? Buy a new modem. (like it was now my problem when they 
figured out the problem was at their end)

My point being: I'm seeing this disturbing trend that can best be described as:

We (the ISPs) can't manage/run/maintain our networks for our everyday customers. 
So let's stick it to the folks who need more by offering "business class" 
service which will help pay for people who are smarter than the monkeys we have 
running the system now.

What "resources" do you need to run a domain on a business class line other than 
maybe one "slow" (by today's standards) linux box? Or are you talking about the 
screw'em factor the ISPs are engaging in now for "business class" service?


> So by cutting our port 25, we are now forced to limit which domains we can
> send email to. I have to add special rules to those specific domains that
> choose to deny my emails to forward through my ISP's MTA. The point of
> running an MTA is so you don't have to do that.

I'm one of those domains. I get hammered by Comcast, Verizon, SBC and others. I 
hate the concept of blocking port 25 too! (I was recently in St. Louis using the 
hotel's free wireless, only to find that they block port 25 too. So I switched to 587 since 
I'm using an MSA anyway... but still, what's the point of advertising "internet 
access" when it really only means selected ports.)

I know one person who not only MTA's from behind an ISP with known spam 
problems, but he's tried to use a DynDNS provider who can't keep their 
secondaries in sync... what am I supposed to do with that??


> Only if the email presents itself as being from that domain, if someone's
> running a domain on an IP of that ISP, then that domain should have an SPF
> record that SHOULD allow the emails to go through. I advertise a hard SPF
> record for my domain, I allow email to only come from my IP. Unfortunately
> due to the rules that I have to set up for certain ISPs that limit port
> 25, I have to allow my ISP to act as a relay in the SPF record as well.
> Not my most ideal solution. But it's that kind of backwardness you get
> when people start breaking things ;)

Ok - again. We're talking about monkeys working for companies that want to 
charge an extra fee per month just to have a "custom" PTR record in DNS! Set 
once, charge many.

> As long as the current model for SMTP exists, spam will exist.
> 
> I visited a security seminar just a few weeks ago and they demo'd a
> product that would probably be pretty decent to look at for any ISP that's
> looking to set up an automatic quarantine mechanism. It's called ForeScout
> and the way it works is it monitors for very specific attack signatures
> (NMAP scan) and once it detects it, it launches its own man in the middle
> attack. For the asset being protected, it sends RST packets to all
> outbound connections associated with the attack. For assets doing the
> attacking, it creates a honeynet and records all the traffic for forensic
> analysis later on. Definitely a pretty decent tool, and it can definitely
> assist in shutting down zombies.

And just think - all thanks to MS (well, mostly anyway).




  -Ben
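The SPF situation Ian describes above (a hard record that lists only his own IP, which then has to be widened so mail relayed through the ISP's MTA still passes) is easy to see with a small evaluator. The block below is an added example and is not code from this list or from either poster; the domains (example.net, isp.example), the addresses and the TXT records are all constructed, and the "DNS" is an in-memory dict. It implements only the mechanisms the thread involves (ip4, include, and the all fallback with the +, -, ~, ? qualifiers), and returns permerror for anything else rather than guessing.

```python
"""Minimal SPF evaluator (constructed example; hypothetical domains and IPs).

Only ip4, include and all are implemented. Any other mechanism (a, mx, ptr,
exists, ip6, redirect=) returns "permerror" so a missing feature is visible
instead of silently treated as a non-match.
"""
import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str, dns: dict, depth: int = 0) -> str:
    """Evaluate one SPF record for the connecting IP.

    record    - the TXT record text, e.g. "v=spf1 ip4:198.51.100.23 -all"
    client_ip - the SMTP client's address as seen by the receiving MTA
    dns       - constructed {domain: spf_record} table used for include:
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no qualifier means "pass"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            # a bare address is a /32; prefixes like 203.0.113.0/24 also work
            matched = ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only when the referenced record yields "pass";
            # this is how the poster ends up trusting everything his ISP trusts
            sub = dns.get(arg.lower())
            if sub is None:
                return "permerror"
            matched = check_spf(sub, client_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not implemented in this example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # RFC 7208 default when nothing matched and there is no "all"


# Constructed scenario (hypothetical addresses from the documentation ranges).
HOME_MTA_IP = "198.51.100.23"      # the micro-domain's own box
ISP_MTA_IP = "203.0.113.25"        # the ISP relay that port-25 blocking forces mail through
OTHER_ISP_CUSTOMER = "203.0.113.77"  # some other host the ISP's own record also authorizes

DNS = {"isp.example": "v=spf1 ip4:203.0.113.0/24 -all"}
HARD_RECORD = "v=spf1 ip4:198.51.100.23 -all"
WITH_ISP_RELAY = "v=spf1 ip4:198.51.100.23 include:isp.example -all"


def demo() -> dict:
    """Run the four cases the thread cares about and return their SPF results."""
    return {
        "direct from home MTA, hard record": check_spf(HARD_RECORD, HOME_MTA_IP, DNS),
        "via ISP relay, hard record": check_spf(HARD_RECORD, ISP_MTA_IP, DNS),
        "via ISP relay, include added": check_spf(WITH_ISP_RELAY, ISP_MTA_IP, DNS),
        "other host on ISP netblock, include added": check_spf(WITH_ISP_RELAY, OTHER_ISP_CUSTOMER, DNS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:45s} -> {result}")
```

The last case is the caveat behind "not my most ideal solution": once `include:isp.example` is in the record, any host the ISP's own SPF record authorizes will pass for the micro-domain, not just mail that really originated from the home MTA. A receiving site can only tell the two apart with something that binds the sender to the message itself, which SPF alone does not do.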