North American Network Operators Group
Re: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)
- From: Suresh Ramasubramanian
- Date: Mon Jun 18 12:41:43 2007

On 6/18/07, Jack Bates <jbates@xxxxxxxxxxxx> wrote:

> Joe also pointed out the biggest problem with blocking port 25; it pushes the
> abuse towards the smarthosts. This creates a lot of issues. Smarthosts have to

So .. great. You have a huge spam problem that flew under your radar
as it was spread across multiple /24s or far larger netblocks, now
concentrated within far fewer servers that are part of the same
cluster. That kind of makes your job a bit easier then .. half full
glass v/s half empty glass, and all that.

> I'd rather monitor and filter traffic patterns on port 25 (and the various other
> ports that are also often spewing other things) than block it. It's not unusual
> to see tcp/25 spewing at the same time as udp/135 and tcp/445 or even tcp/1025.

Which is what a lot of the kit Sean posted about does ..

Suresh Ramasubramanian (ops.lists@xxxxxxxxx)
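
The correlation discussed in this message (a customer host sending tcp/25 traffic at the same time as udp/135, tcp/445 or tcp/1025), sketched as an added example that is not part of the original thread or of any product mentioned in it. The flow-record tuple layout, the 300-second window, the fan-out threshold and the function names are assumptions; the sample flows are constructed and use documentation address ranges.

```python
from collections import defaultdict

# Ports the thread names as often active alongside tcp/25 on the same host.
COMPANION_PORTS = {("udp", 135), ("tcp", 445), ("tcp", 1025)}

def build_sample():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, proto, dst_port)."""
    flows = []
    for i in range(40):   # customer mail server talking to two relays only
        flows.append((1000 + i, "192.0.2.10", f"198.51.100.{1 + i % 2}", "tcp", 25))
    for i in range(30):   # wide SMTP fan-out plus tcp/445 in the same window
        flows.append((1000 + i, "192.0.2.66", f"203.0.113.{i + 1}", "tcp", 25))
        flows.append((1000 + i, "192.0.2.66", f"203.0.113.{i + 100}", "tcp", 445))
    flows.append((1010, "192.0.2.66", "203.0.113.200", "udp", 135))
    for i in range(12):   # SMTP fan-out with no companion ports
        flows.append((1400 + i, "192.0.2.77", f"203.0.113.{i + 1}", "tcp", 25))
    return flows

def suspect_hosts(flows, window=300, min_smtp_dsts=10):
    """Flag sources that reach many distinct tcp/25 destinations in one time
    window, and list which companion ports they also hit in that window."""
    smtp = defaultdict(set)        # (src, bucket) -> distinct tcp/25 destinations
    companions = defaultdict(set)  # (src, bucket) -> companion (proto, port) pairs
    for ts, src, dst, proto, port in flows:
        key = (src, ts // window)
        if (proto, port) == ("tcp", 25):
            smtp[key].add(dst)
        elif (proto, port) in COMPANION_PORTS:
            companions[key].add((proto, port))
    report = {}
    for (src, bucket), dsts in smtp.items():
        if len(dsts) < min_smtp_dsts:
            continue  # few destinations: consistent with a relay or smarthost user
        seen = sorted(f"{p}/{n}" for p, n in companions.get((src, bucket), ()))
        best = report.get(src)
        if best is None or len(dsts) > best["smtp_dsts"]:
            report[src] = {"window_start": bucket * window,
                           "smtp_dsts": len(dsts), "companions": seen}
    return report

if __name__ == "__main__":
    for host, info in sorted(suspect_hosts(build_sample()).items()):
        print(host, info)
```

A host flagged with a non-empty `companions` list is a stronger quarantine candidate than one flagged on tcp/25 fan-out alone, which may be a misconfigured but legitimate mail sender.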