RE: Time to check the rate limits on your mail servers
I keep reading these articles and reports about this botnet and that botnet problem and how many users' PCs are infected. The only thing I don't see is a way to remove these bots! Not everyone knows how to even look at their machines for signs of these bots. Heck, I know most of my guys here don't even know how these bots work. It would be impossible to educate everybody, but it's better to try than sitting around blocking this and that and not really solving the issue at hand. My .02 cents.

Joel Perez | Network Engineer
305.914.3412 | Ntera

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Michael.Dillon@radianz.com
Sent: Thursday, February 03, 2005 9:47 AM
To: nanog@merit.edu
Subject: Re: Time to check the rate limits on your mail servers
Do you let your customers send an unlimited number of emails per day? Per hour? Per minute? If so, then why?
Doing that - especially now when this article has hit the popular press and there's going to be lots more people doing the same thing - is going to be the equivalent of hanging out a "block my email" sign.
I don't understand your comment. This is an arms race. The spammers and botnet builders are attempting to make their bots use the exact same email transmission channels as your customers' email clients. They are getting better at doing this as time goes on. I think we are at the point where the technical expertise of the botnet builders is greater than the technical expertise of most people working in email operations. We cannot win this battle by continuing to attempt to trump their technical abilities. However, if we shift the battleground to a location where network operators have the upper hand, we can do better.

And that's why I suggest that people should start looking at email volume controls. The vast majority of individual users only send a small number of emails over a given time period whether you measure that time period in minutes, hours or days. SPAM is a form of DDoS against the Internet's email architecture. Rate limiting has proven to be an effective way of mitigating DDoS because it strikes at the very core of the DoS methodology. Why not deploy this strategy against email?

Please note that I am not suggesting that this is a way to "solve" the SPAM problem. First of all, I do not agree that there is a SPAM problem. The fundamental problem is that the Internet email architecture is flawed. SPAM is merely a symptom of those flaws. If we fix the architecture, then nobody will care about SPAM. As you can see, two separate problems are becoming intertwingled here. In the past we had viruses, DDoS, botnets, SPAM, phishing. But now, all of these things are merging and evolving together.

And secondly, I'm only pointing out that there are reasons for people to start thinking about rate limiting email on their networks. I'm suggesting that people should be asking questions. I don't think it is wise to run out and slap rate limits on mail infrastructure without thinking through the implications.

--Michael Dillon
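The per-customer volume control Michael Dillon argues for, as an added example that is not code from the thread or from any MTA. It assumes a constructed log format (an ISO-8601 timestamp followed by the SASL-authenticated sender name) and illustrative thresholds of 10 messages per minute, 100 per hour and 500 per day; real thresholds have to come from measuring what your own customers normally send. The sample log is constructed: one human-paced sender and one bot-like burst.

```python
"""Per-customer outbound mail volume control over authenticated-sender log lines.

Added example. The log format, the sender names and the limits below are
assumptions chosen for illustration, not from the thread or any MTA.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# (window, maximum messages accepted inside that window), checked in order.
LIMITS = [
    (timedelta(minutes=1), 10),
    (timedelta(hours=1), 100),
    (timedelta(days=1), 500),
]


class VolumeLimiter:
    """Sliding-window counter keyed by authenticated user, one deque per window."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.history = defaultdict(lambda: [deque() for _ in limits])

    def check(self, user, ts):
        """Return None if this message may be accepted, else the window that is full.

        Timestamps of accepted messages are recorded only when every window
        has room, so a deferred message does not consume quota.
        """
        windows = self.history[user]
        for (window, limit), q in zip(self.limits, windows):
            while q and ts - q[0] >= window:   # drop entries that aged out
                q.popleft()
            if len(q) >= limit:
                return window
        for q in windows:
            q.append(ts)
        return None


def parse_line(line):
    """Parse a constructed line: '<iso timestamp> sasl_username=<user> queued'."""
    ts_text, rest = line.split(" ", 1)
    user = rest.split("sasl_username=", 1)[1].split()[0]
    return datetime.fromisoformat(ts_text), user


def scan(lines, limiter=None):
    """Replay log lines through the limiter; report accepted/deferred per user."""
    limiter = limiter or VolumeLimiter()
    report = defaultdict(lambda: {"accepted": 0, "deferred": 0})
    for line in lines:
        ts, user = parse_line(line)
        if limiter.check(user, ts) is None:
            report[user]["accepted"] += 1
        else:
            report[user]["deferred"] += 1
    return dict(report)


def constructed_log():
    """Constructed sample: alice sends 3 mails in 15 minutes, bob 25 mails in 25 seconds."""
    base = datetime(2005, 2, 3, 9, 47, 0)
    lines = []
    for minutes in (0, 5, 14):
        ts = (base + timedelta(minutes=minutes)).isoformat()
        lines.append(f"{ts} sasl_username=alice@example.net queued")
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} sasl_username=bob@example.net queued")
    return lines


if __name__ == "__main__":
    for user, counts in scan(constructed_log()).items():
        print(user, counts)
```

Run as a script it shows alice's three messages all accepted and bob's burst cut off at ten, with the remaining fifteen deferred by the one-minute window. Two caveats a practitioner would add before deploying anything like this: key the counters on the authenticated user rather than the client IP, or NAT'd customers share one bucket and a single infected host silences its neighbours; and keep an exemption list for customers who legitimately send in bulk (mailing lists, notification systems), or the limit becomes the "block my email" sign the earlier reply warns about. Postfix exposes the per-client form of this as smtpd_client_message_rate_limit, counted over anvil_rate_time_unit.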
Hi!
The only thing I don't see is a way to remove these bots! Not everyone knows how to even look at their machines for signs of these bots. Heck, I know most of my guys here don't even know how these bots work.
For a compromised system, insert CD, reinstall!
It would be impossible to educate everybody but it's better to try than sitting around blocking this and that and not really solving the issue at hand.
My .02 cents.
If a pro cannot clean it out safely, then I cannot imagine our typical home user would be able to... and with some luck he installs a firewall and antivirus next time, after reinstalling his system for the 4th or 5th time. Bye, Raymond.
If a pro cannot clean it out safely, then I cannot imagine our typical home user would be able to... and with some luck he installs a firewall and antivirus next time, after reinstalling his system for the 4th or 5th time.
You may want to check out some AT (Anti-Trojan) software such as The Cleaner and BOclean. Gadi.
Hi!
If a pro cannot clean it out safely, then I cannot imagine our typical home user would be able to... and with some luck he installs a firewall and antivirus next time, after reinstalling his system for the 4th or 5th time.
You may want to check out some AT (Anti-Trojan) software such as The Cleaner and BOclean.
You will never be sure you have picked up all, only the known ones. For a compromised system, unless running tripwire or something, reinstall! It's a nice start, but it also tells people "I am safe", and they don't know for sure. Seeing our abuse department getting tickets over and over about the same customers, it's a fact that they simply are not able to clean it out easily. Then it's better to insert foot (CD) and start all over. Bye, Raymond
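The baseline-and-compare check that "running tripwire or something" refers to, as an added example; this is not code from the thread and not Tripwire's own implementation. It assumes a baseline was recorded while the system was known good, and the directory layout and file contents in demo() are constructed for illustration.

```python
"""Baseline-and-compare file integrity check.

Added example. A snapshot of hash, permission bits and size for every
regular file is taken on a clean system; a later snapshot is diffed
against it to enumerate what changed, instead of searching for known
bot samples. The paths and contents in demo() are constructed.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Map each regular file under root to its hash, mode bits and size.

    Symlinks are skipped on purpose: following them would let an attacker
    point a changed path at an untouched file and pass the check.
    """
    snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.lstat(path)
            snapshot[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "mode": st.st_mode & 0o7777,
                "size": st.st_size,
            }
    return snapshot


def compare(baseline, current):
    """Report files added, removed or changed since the baseline was taken."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a two-file 'system', then a trojaned binary and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"ELF original ls")
        with open(os.path.join(root, "etc", "hosts"), "wb") as fh:
            fh.write(b"127.0.0.1 localhost\n")

        clean = take_baseline(root)  # recorded while the system is known good

        # "Compromise": ls replaced by a same-size trojaned copy (size alone
        # would not catch it, the hash does) and a loader dropped beside it.
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"ELF trojaned ls")
        with open(os.path.join(root, "bin", "dropper"), "wb") as fh:
            fh.write(b"ELF bot loader")

        return compare(clean, take_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the place the baseline lives and the kernel doing the reading: store the snapshot off the machine or on read-only media, and run the comparison from trusted boot media, because a kernel-level rootkit on the running system can hand the checker the original contents of a file it has replaced. That is also why the answer for a home user with no baseline at all is still the one Raymond gives.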
You will never be sure you have picked up all, only the known ones. For a compromised system, unless running tripwire or something, reinstall!
You can never be sure, that's why it's a backdoor/Trojan horse.
It's a nice start, but it also tells people "I am safe", and they don't know
Yes, it is. AV products have not taken Trojan horses seriously for years, and called them "garbage" samples. Now they are starting to change that, due to almost any sample out there also being a Trojan horse, but not drastically enough
for sure. Seeing our abuse department getting tickets over and over about the same customers, it's a fact that they simply are not able to clean it out easily. Then it's better to insert foot (CD) and start all over.
Then using AT programs is a good start. A clean slate is always better, but your grandma won't agree. Gadi.
On Thu, Feb 03, 2005 at 05:29:15PM +0200, Gadi Evron wrote:
You will never be sure you have picked up all, only the known ones. For a compromised system, unless running tripwire or something, reinstall!
You can never be sure, that's why it's a backdoor/Trojan horse.
It's a nice start, but it also tells people "I am safe", and they don't know
Yes, it is. AV products have not taken Trojan horses seriously for years, and called them "garbage" samples. Now they are starting to change that, due to almost any sample out there also being a Trojan horse, but not drastically enough
for sure. Seeing our abuse department getting tickets over and over about the same customers, it's a fact that they simply are not able to clean it out easily. Then it's better to insert foot (CD) and start all over.
Then using AT programs is a good start. A clean slate is always better, but your grandma won't agree.
Unfortunately, starting over in some operating systems means re-installing EVERYTHING, and since applications tend to get installed over time, the installation media for each and every app may not be available. Backups are not very useful, because just placing the executables and the work product/data files in the right place will not work in some Windows systems if the proper registry entries are not there. Also, if you reinstall in the wrong order you can wind up in DLL hell.
-- -=[L]=-
On Thu, 03 Feb 2005 16:07:10 +0100, Raymond Dijkxhoorn said:
The only thing I don't see is a way to remove these bots! Not everyone knows how to even look at their machines for signs of these bots. Heck, I know most of my guys here don't even know how these bots work.
For a compromised system, insert CD, reinstall!
BZZT! But thank you for playing. Don't *RE*-install. If you got whacked by a bot on Monday, and re-install Sunday's configuration of software on Tuesday, all that means is that Wednesday you'll get re-whacked. Lather, rinse, repeat. Install *SOMETHING ELSE*. Something less vulnerable to all this manure. (I'll mention the *other* alternative, replacing/upgrading the user, mostly for completeness and so we can all have a good chuckle)
on Thu, Feb 03, 2005 at 04:07:10PM +0100, Raymond Dijkxhoorn wrote:
The only thing I don't see is a way to remove these bots! Not everyone knows how to even look at their machines for signs of these bots. Heck, I know most of my guys here don't even know how these bots work.
For a compromised system, insert CD, reinstall!
...which simply reinstalls the old vulnerabilities that made the machine susceptible to compromise in the first place. If you can't patch up from the buggy baseline in time, reinstalling from original media is often the worst thing you can do, if the machine is still connected to the network. And if the machine is NOT connected to the network, it is often not possible to get the security updates downloaded that patch the vulnerabilities.

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html
Joel Perez wrote:
I keep reading these articles and reports about this botnet and that botnet problem and how many users' PCs are infected. The only thing I don't see is a way to remove these bots! Not everyone knows how to even look at their machines for signs of these bots. Heck, I know most of my guys here don't even know how these bots work.
It would be impossible to educate everybody but it's better to try than sitting around blocking this and that and not really solving the issue at hand.
That again. That's not an operational problem. That's a help desk issue. Operational is mail-ops nailing these infected people and net-ops cutting them off at the knees and yanking their connectivity. This is exactly the direction we want things to be heading.
On Thu, 3 Feb 2005, Joel Perez wrote:
I keep reading these articles and reports about this botnet and that botnet problem and how many users' PCs are infected. The only thing I don't see is a way to remove these bots!
http://www.sun.com/software/javadesktopsystem/features.xml
http://www.apple.com/macosx/
matto

--matt@snark.net------------------------------------------<darwin><
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
participants (8): Gadi Evron, Joe Maimon, Joel Perez, just me, Lou Katz, Raymond Dijkxhoorn, Steven Champeon, Valdis.Kletnieks@vt.edu