On Wed, 19 Sep 2007, Rich Kulawiec wrote:
> in the logs for days/weeks/months. This suggests to me that Cox is actually paying attention to abuse outbound from their network and is either disconnecting or quarantining hosts which emit it.
It's nice to see Cox getting some praise for a change. Last month people were castigating it for being too aggressive at trying to block bots. It seems like half the net is always criticizing ISPs for doing too little and half the net is always criticizing ISPs for doing too much. Cox blocks a lot of ports on its network (25, 80, 135-139, 445, 1900, 1433, 1434, 1900, SubSeven ports); blackholes networks and DNS names; firewall software that blocked sites with bad TCP software stacks such as Craigslist; and so on. Some people think Cox is being pro-active on the security front; other people think Cox is violating a sacred trust. ISPs are pretty much just damned.

Why should a network user have to petition his or her ISP to authorize their use of a valid network protocol? Shouldn't application authorization occur at the application level instead of relying on the equivalent of .rlogin network-level checks? Companies like DynDNS show there is user demand to operate their own servers (including P2P servers, mail servers, web servers, DNS servers, etc.) on dynamic IP addresses without needing a special "static" IP address or different in-addr.arpa name.

With Fast-Flux, it looks like the next network port that should be blocked on broadband/dialup connections is DNS tcp/udp 53.
> or multiple of the above (as is the case most of the time), then it's very, very unlikely that refusal of the traffic constitutes a FP.
Until a false positive happens. I see 1-2 false positives a year using checks for "generic-looking" in-addr.arpa names, and a few more false positives for IP addresses without in-addr.arpa names. Nevertheless I still continue to use those checks because the false positive rate is below my pain threshold. But I don't pretend it never happens or may not be a concern to someone else. I also almost never get a valid e-mail to my postmaster account, just spam; but some people still think every mail server should accept mail to the postmaster account anyway, no matter how rarely it gets legitimate email. They even set up RBLs of mail servers without postmaster accounts. Maybe we need an RBL of mail servers that don't accept mail from generic in-addr.arpa or dynamic IP addresses.
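A check of the kind the reply above describes, as an added example that is not part of the original post or of the thread: a small Python classifier that rejects a sending address when it has no in-addr.arpa record, when its PTR name encodes the IP address itself, or when the name carries a dynamic-pool token. The sample addresses and PTR names are constructed (documentation ranges), and the token list is an assumption to be tuned against real logs. The last sample deliberately shows the false-positive case the reply mentions: a "static" host whose ISP still encoded the address in the name.

```python
import re
from typing import Optional, Tuple

# Constructed sample data (not from the thread): source IP -> PTR name.
# None means the address has no in-addr.arpa record at all.
SAMPLE_PTRS = {
    "203.0.113.17": "203-0-113-17.dyn.example-isp.net",
    "192.0.2.77": "c-192-0-2-77.hsd1.example-cable.com",
    "198.51.100.99": "pool-99.100.51.198.ppp.example-isp.net",
    "192.0.2.200": None,
    "198.51.100.5": "mail.example.org",
    # False positive: a static customer whose ISP encodes the address anyway.
    "203.0.113.42": "static-203-0-113-42.example-isp.net",
}

# Tokens ISPs commonly put in auto-generated customer PTR names.
# Assumed list; extend it from what you actually see in your own logs.
GENERIC_TOKENS = re.compile(
    r"(?:^|[.-])(?:dyn|dynamic|dhcp|pool|ppp|dsl|cable|dialup|hsd\d*)(?:[.-]|$)",
    re.IGNORECASE,
)


def address_encoded_in_name(ip: str, name: str) -> bool:
    """True if at least three consecutive octets of ip appear in name,
    in forward or reversed order, joined by '-' or '.' and not glued to
    other digits (so 10-1-2 does not match inside 110-1-23)."""
    octets = ip.split(".")
    for seq in (octets, octets[::-1]):
        for start in (0, 1):
            run = seq[start:start + 3]
            pat = r"(?<![0-9])" + r"[-.]".join(map(re.escape, run)) + r"(?![0-9])"
            if re.search(pat, name):
                return True
    return False


def classify(ip: str, name: Optional[str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'reject' or 'accept'.
    The checks are ordered from cheapest to most heuristic."""
    if name is None:
        return ("reject", "no in-addr.arpa record")
    if address_encoded_in_name(ip, name):
        return ("reject", "PTR name encodes the IP address")
    if GENERIC_TOKENS.search(name):
        return ("reject", "PTR name contains a dynamic/generic token")
    return ("accept", "")


def classify_all(ptrs):
    """Classify every (ip, ptr) pair in a mapping like SAMPLE_PTRS."""
    return {ip: classify(ip, name) for ip, name in ptrs.items()}


if __name__ == "__main__":
    for ip, (verdict, reason) in classify_all(SAMPLE_PTRS).items():
        print(f"{ip:16} {verdict:7} {reason}")
```

The 203.0.113.42 line is the case to keep in mind: the name says "static", but the address-in-name rule fires first and the host is refused. Whether that is acceptable is exactly the pain-threshold judgement the reply describes; an allowlist of known-good senders in front of this check is the usual way to keep such a host reachable.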