On Mon, 27 Oct 2003 10:25:36 -0500 (EST), you wrote:
... As a non-ISP consultant, when a client asks you to configure their Exchange server do you always conduct a top-to-bottom security analysis of the client's entire business infrastructure and refuse to do business with them until after they have corrected every deficiency? Or does the client just say screw you, and hires a different consultant that will do what the client wants? ...
I said "low hanging fruit". I didn't say "top-to-bottom security analysis".
...
3) There was a thread a little while ago that talked about a way to cut down spam by simply restricting who you would accept SMTP traffic from. Unfortunately, I don't recall the details, but at the time it struck me as eminently sensible, and just required cooperation between ISPs to implement effectively.
Does NOBODY remember that thread?
Again, look the postal mail system. One proposal required everyone mail letters in person at the post office, and show id to the postal clerk.
Straw dogs... come on! It's like saying we can't take drastic, inappropriate measures, so we can't take any at all.
... ISPs are doing a lot to protect end-users. Some examples include
Education campaigns Free anti-virus software Free personal firewall software Port filters (port 80 anyone?) Notification of compromised systems Incident Response Intrusion Detection/Intrusion Prevention Managed Security Services
And if all ISPs were doing all these thing (as you try to imply) we'd all be a lot better off, wouldn't we?
Unfortunately some of the argument is a bit like the old cries for public payphone companies were responsible for the drug dealers in poor neighborhoods. So they removed public payphones. The drug dealing problem wasn't solved.
"A strong conviction that something must be done is the parent of many bad measures." -- Daniel Webster So, am I advocating bad measures? /kenw Ken Wallewein CDP,CNE,MCSE,CCA,CCNA K&M Systems Integration Phone (403)274-7848 Fax (403)275-4535 kenw@kmsi.net www.kmsi.net