RE: Wired mag article on spammers playing traceroute games with trojaned boxes
Actually, running a web server on 8290 isn't as easy as 80. SpamAssassin tests (WEIRD_PORT) for this, as do many other filtering packages. Forcing spammers to use non-standard ports will greatly increase their rate of detection, and in turn help to solve the spam problem.

-Mike

-----Original Message-----
From: jlewis@lewis.org [mailto:jlewis@lewis.org]
Sent: Thursday, October 09, 2003 9:56 AM
To: Joe Boyce
Cc: nanog@merit.edu
Subject: Re: Wired mag article on spammers playing traceroute games with trojaned boxes

On Thu, 9 Oct 2003, Joe Boyce wrote:

VA> Personally, I think preventing residential broadband customers from hosting
VA> servers would limit a lot of that. I'm not saying that IS the solution.
It's not like those customers are aware they are hosting servers, they most likely were exploited and are now unaware they are hosting websites.
That's obviously the case. No spammer has "thousands" of legitimately purchased DSL/Cable connections. The article pretty clearly says they're exploiting insecure windows (isn't that redundant?) boxes.

Trouble is, how do you stop this? Just blocking common ports like 80 by default (unless the customer plans to actually run a web server and asks for the filter to be removed) won't work. The spammers can just as easily spam with urls containing ports (http://blah.biz:8290/) if they find 80 is filtered or find that filtering has become common.

So other than waiting some infinitely long time for a secure out of the box version of windows (and for everyone to upgrade), how do you stop this? Widespread deployment of reflexive access lists? Force all broadband customers to use NAT and let them forward ports or entire IPs to their private IP servers if they have any? Wait for the legal system to catch and prosecute a few people who do this and deter others from trying it? Convince registrars to kill domains that are clearly being used by thieves?

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Actually, running a web server on 8290 isn't as easy as 80. SpamAssassin tests (WEIRD_PORT) for this, as do many other filtering packages. Forcing spammers to use non-standard ports will greatly increase their rate of detection, and in turn help to solve the spam problem. -Mike
*sigh* Unfortunately, due to the evils of Code Red, Nimda, and other worms out in the wild, I've ended up moving our personal web servers off port 80, just so the logs don't fill up with useless probes from infected boxes.

So in the ever-escalating war against spam, this means when I mail out to my friends telling them the correct URL for my site (including the port), I now have to worry about those messages being improperly tagged as spam, due to the inclusion of URLs that reference specific port numbers.

We seem to be slowly transforming the network into more and more just a network of port 80 boxes. :( Perhaps the Internet really is going to end up being just the Web, not through evil intervention, but by our own well-intentioned efforts.

Matt
(starting to feel more and more like a Star Trek redshirt frantically rotating shield frequencies to try to stay one step ahead of the attacking aliens...)
At 03:00 PM 10/9/2003, matt@petach.org wrote:
We seem to be slowly transforming the network into more and more just a network of port 80 boxes. :( Perhaps the Internet really is going to end up being just the Web, not through evil intervention, but by our own well-intentioned efforts.
I imagine port 25 will still be active...
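Added example, not part of any poster's message and not SpamAssassin's actual WEIRD_PORT rule: a minimal Python sketch of the kind of "URL with an explicit non-standard port" check the thread discusses. The function name, the set of ports treated as usual, and the sample messages are assumptions of this example; only http://blah.biz:8290/ comes from the thread.

```python
import re
from urllib.parse import urlsplit

# Ports considered unremarkable for each scheme (assumption of this example).
USUAL_PORTS = {"http": {80}, "https": {443}}

# Loose matcher for http(s) URLs inside free text.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample messages; the first uses the URL quoted in the thread.
SPAM_SAMPLE = "Best prices! Visit (http://blah.biz:8290/) today."
FRIEND_SAMPLE = "Hi, my site moved, it is at http://www.example.org:8081/photos/ now."
PLAIN_SAMPLE = "See http://www.example.org/ and https://example.org:443/x."
BROKEN_SAMPLE = "Click http://example.org:99999/ right away"


def odd_port_urls(body):
    """Return (url, port) for every http(s) URL in body that carries an
    explicit port outside USUAL_PORTS. port is None when the port field
    is present but invalid (out of range or non-numeric)."""
    hits = []
    for match in URL_RE.finditer(body):
        # Drop sentence punctuation that the loose regex swallowed.
        url = match.group(0).rstrip(".,;:!?")
        try:
            parts = urlsplit(url)
            port = parts.port  # None when no explicit port is given
        except ValueError:
            # Invalid port field: report it rather than crash the filter.
            hits.append((url, None))
            continue
        if port is not None and port not in USUAL_PORTS[parts.scheme]:
            hits.append((url, port))
    return hits


if __name__ == "__main__":
    for name, text in [("spam", SPAM_SAMPLE), ("friend", FRIEND_SAMPLE),
                       ("plain", PLAIN_SAMPLE), ("broken", BROKEN_SAMPLE)]:
        print(name, odd_port_urls(text))
```

The check flags the spam sample and the friend's legitimate mail alike, which is the false-positive case raised in the thread, so a hit of this kind is better used as one scoring input than as a verdict.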
participants (3)
- Fred Baker
- matt@petach.org
- Mike Damm