[Mimedefang] FTC asks ISPs to crack down on zombie PCs
Kelsey Cummings
kgc at sonic.net
Thu May 26 15:11:00 EDT 2005
On Thu, May 26, 2005 at 11:09:05AM -0700, Matthew.van.Eerde at hbinc.com wrote:
> Kelsey Cummings wrote:
> > On Thu, May 26, 2005 at 01:23:56PM -0400, James Ebright wrote:
> >>> Now, if 25 inbound was shut down...
> >>
> >> Why would an ISP shutdown port 25 inbound?...
> >
> > You must block port 25 in both directions to prevent 'triangular
> > routing attacks' from working.
>
> What is a triangular routing attack?

Take host A, zombie B, and target C.

Host A is hosted on a high speed link with a spam-friendly or clueless ISP
that does not implement RPV and allows spoofed traffic to leave their
network.

A sources traffic using B's IP address to C on port 25.

C sends ACKs to B from port 25, B forwards ACKs to A.

This allows the spammer to send spam out via fast links while only using
their zombie networks to process the ACKs.

Blocking traffic sent *from* port 25 into subscribers is as important as
blocking outbound port 25 traffic from them. Of course, make sure your own
mail servers are allowed to send their responses.

--
Kelsey Cummings - kgc at sonic.net sonic.net, inc.
System Architect 2260 Apollo Way
707.522.1000 (Voice) Santa Rosa, CA 95407
707.547.2199 (Fax) http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79 8DB7 2B42 86B6 4E2C 3896
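
The filtering described in the message above, as an added example that is not part of the original post: a small Python model of a subscriber-edge port 25 policy, showing that an outbound-only block still passes C's ACKs to zombie B. The addresses, the names and the exemption letting subscribers reach the ISP's own mail servers are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample values (documentation address ranges), not from the post.
SUBSCRIBERS = ipaddress.ip_network("198.51.100.0/24")  # ISP subscriber pool
ISP_MAIL = {ipaddress.ip_address("192.0.2.25")}        # ISP's own mail servers
SMTP = 25


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


def verdict(pkt: Packet, block_inbound_source_25: bool = True) -> str:
    """Return "DROP" or "PASS" for a packet crossing the subscriber edge."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Outbound: subscriber talking to port 25 anywhere except the ISP's own
    # mail servers (that exemption is an assumption of this example).
    if src in SUBSCRIBERS and pkt.dport == SMTP and dst not in ISP_MAIL:
        return "DROP"
    # Inbound: traffic sent *from* port 25 into a subscriber, unless it is
    # the ISP's own mail server sending its responses.
    if (block_inbound_source_25 and dst in SUBSCRIBERS
            and pkt.sport == SMTP and src not in ISP_MAIL):
        return "DROP"
    return "PASS"


# Constructed packets seen at zombie B's ISP (B = 198.51.100.7, C = 203.0.113.10).
# A's spoofed packets never cross this edge; only C's replies to B do.
ACK_C_TO_B = Packet("203.0.113.10", 25, "198.51.100.7", 40000)
DIRECT_B_TO_C = Packet("198.51.100.7", 40000, "203.0.113.10", 25)
MAIL_REPLY = Packet("192.0.2.25", 25, "198.51.100.7", 40001)
WEB_REPLY = Packet("203.0.113.10", 443, "198.51.100.7", 40002)

if __name__ == "__main__":
    samples = [("C->B ack", ACK_C_TO_B), ("B->C direct", DIRECT_B_TO_C),
               ("ISP mail reply", MAIL_REPLY), ("web reply", WEB_REPLY)]
    for name, pkt in samples:
        print(f"{name:15} outbound-only={verdict(pkt, False)} "
              f"both-directions={verdict(pkt)}")
```
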