[Mimedefang] FTC asks ISPs to crack down on zombie PCs

Kelsey Cummings kgc at sonic.net
Thu May 26 15:11:00 EDT 2005


On Thu, May 26, 2005 at 11:09:05AM -0700, Matthew.van.Eerde at hbinc.com wrote:
> Kelsey Cummings wrote:
> > On Thu, May 26, 2005 at 01:23:56PM -0400, James Ebright wrote:
> >>> Now, if 25 inbound was shut down...
> >> 
> >> Why would an ISP shutdown port 25 inbound?...
> > 
> > You must block port 25 in both directions to prevent 'triangular
> > routing attacks' from working.
> 
> What is a triangular routing attack?

Take host A, zombie B, and target C.

Host A is hosted on a high speed link with a spam-friendly or clueless ISP
that does not implement RPV and allows spoofed traffic to leave their
network.

A sources traffic using B's IP address to C on port 25.
C sends ACKs to B from port 25, B forwards ACKs to A.

This allows the spammer to send spam out via fast links while only using
their zombie networks to process the ACKS.

Blocking traffic sent *from* port 25 into subscribers is as important as
blocking outbound port 25 traffic from them.  Of course, make sure your own
mail servers are allowed to send their responses.

-- 
Kelsey Cummings - kgc at sonic.net           sonic.net, inc.
System Architect                          2260 Apollo Way
707.522.1000 (Voice)                      Santa Rosa, CA 95407
707.547.2199 (Fax)                        http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79  8DB7 2B42 86B6 4E2C 3896
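
Added example, not part of the original message: a small model of the border filter at zombie B's ISP, comparing an outbound-only port 25 block with the two-direction block the message recommends. All addresses, names and the packet list are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed values (documentation address ranges); every name is an assumption.
SUBSCRIBERS = ip_network("203.0.113.0/24")   # subscriber pool; zombie B lives here
ISP_MAIL = {ip_address("192.0.2.25")}        # the ISP's own mail servers

def in_subs(addr):
    return ip_address(addr) in SUBSCRIBERS

def is_isp_mail(addr):
    return ip_address(addr) in ISP_MAIL

def outbound_only(src, sport, dst, dport):
    """Drop subscriber -> port 25 unless the destination is the ISP's mail server."""
    if in_subs(src) and dport == 25 and not is_isp_mail(dst):
        return "DROP"
    return "ALLOW"

def both_directions(src, sport, dst, dport):
    """Also drop traffic sent *from* port 25 into subscribers, except from ISP mail."""
    if outbound_only(src, sport, dst, dport) == "DROP":
        return "DROP"
    if in_subs(dst) and sport == 25 and not is_isp_mail(src):
        return "DROP"
    return "ALLOW"

# Packets visible at B's ISP border. The spoofed A -> C packets never cross
# this border, so the only port 25 leg seen here is C's replies to B.
B, C = "203.0.113.77", "198.51.100.10"
PACKETS = [
    ("C->B reply from port 25", (C, 25, B, 40000)),
    ("B->C direct SMTP",        (B, 40001, C, 25)),
    ("ISP mail -> B reply",     ("192.0.2.25", 25, B, 40002)),
    ("B->C HTTPS",              (B, 40003, C, 443)),
]

def evaluate(policy):
    """Return {packet label: verdict} for the constructed packets."""
    return {label: policy(*pkt) for label, pkt in PACKETS}

if __name__ == "__main__":
    for name, policy in (("outbound only", outbound_only),
                         ("both directions", both_directions)):
        print(name, evaluate(policy))
```

The outbound-only policy lets C's replies reach B, which is the leg the triangular scheme depends on; the two-direction policy drops it while still allowing the ISP's own mail servers to answer subscribers.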


