Re: The worst abuse e-mail ever, sverige.net
Blocking just hides it. I used to believe in port blocking as the solution to many user problems but now I have 3 and 4 page ACLs on my border routers. This does not scale. Yes, I could push this out via RADIUS to the NAS but again this does not solve the problem.
The solution I am working toward is quickly identifying user infections. We are almost there. I collect and record all traffic from the users going to dark space and am almost finished with the system that will identify who held that IP at a specific time. It is all in SQL so that is easy.
Our system is similar, except we block port 25 completely via RADIUS after we detect an outgoing virus or spam, then notify the customer. This eliminates the ACLs on the border routers. The user can still surf freely to download patches while not causing further damage. Some users just don't want to be bothered and just use webmail to send E-mail and keep the block forever.
hackerwacker@cybermesa.com:
> The solution I am working toward is quickly identifying user infections. We are almost there. I collect and record all traffic
Umm ... you mean you wire-tap all "my" email messages? (Anyone still wonders why I don't trust my ISP?) I wonder if my Telco listens in on all my telephone conversations too? And the post office! My letters? (Oops, sorry, shouldn't make analogies. ;-)
> from the users going to dark space
Umm ... please define "dark space".
> and am almost finished with the system that will identify who held that IP at a specific time. It is all in SQL so that is easy.
Mmm. User privacy in its glory?
niceman@att.net:
> Our system is similar, except we block port 25 completely via RADIUS after we detect an outgoing virus or spam,
Detect how?
> then notify the customer. This eliminates the ACLs on the border routers. The user can still surf freely to download patches while not causing further damage. Some users just don't want to be bothered and just use webmail to send E-mail and keep the block forever.
This latter part is OK. It opens up a way out for those who want to, and a different service for those who don't.
Cheers, /Liman
>> Our system is similar, except we block port 25 completely via RADIUS after we detect an outgoing virus or spam,
> Detect how?
We don't sniff traffic for suspicious signatures at this point. Viruses are eventually caught by the assumption that "send to everyone in the address book" eventually will hit an address on the same mail server. Quarantined viruses are categorized by local user and IP address to identify the sender from RADIUS accounting records. Spam is based only on reports - those Spamcop reports are acted on by some people!
hackerwacker@cybermesa.com:
>> The solution I am working toward is quickly identifying user infections. We are almost there. I collect and record all traffic
> Umm ... you mean you wire-tap all "my" email messages? (Anyone still wonders why I don't trust my ISP?)
> I wonder if my Telco listens in on all my telephone conversations too? And the post office! My letters?
Chill out. I am just collecting source and destination IP pairs, that is all I record.
> (Oops, sorry, shouldn't make analogies. ;-)
>> from the users going to dark space
> Umm ... please define "dark space".
See either the posts by Paul Vixie or Rob Thomas on this.
james
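An added example, not code from any of the posters, of the correlation james and Mike describe: flow records toward dark space joined against RADIUS accounting sessions to find which user held a source IP at a given time. The table names, columns and sample rows are constructed for this illustration, and SQLite stands in for whatever SQL database the real systems used.

```python
import sqlite3

# Constructed sample data: RADIUS accounting sessions (one IP can be
# reassigned to different users over time; stop = None means still open)
# and flows from customer IPs toward unallocated ("dark") address space.
RADACCT = [
    # username, framed IP, session start,         session stop
    ("alice", "10.0.0.5", "2004-01-10 08:00:00", "2004-01-10 12:00:00"),
    ("bob",   "10.0.0.5", "2004-01-10 12:05:00", None),
    ("carol", "10.0.0.9", "2004-01-10 09:30:00", "2004-01-10 18:00:00"),
]
DARK_FLOWS = [
    # src IP, dst IP (dark space), timestamp
    ("10.0.0.5", "192.0.2.77", "2004-01-10 10:15:00"),
    ("10.0.0.5", "192.0.2.78", "2004-01-10 13:40:00"),
    ("10.0.0.5", "192.0.2.79", "2004-01-10 13:41:00"),
    ("10.0.0.9", "192.0.2.80", "2004-01-10 11:00:00"),
]

def build_db():
    """Load the constructed tables into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radacct(username TEXT, framedip TEXT, start TEXT, stop TEXT);
        CREATE TABLE dark_flows(src TEXT, dst TEXT, ts TEXT);
    """)
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?)", RADACCT)
    db.executemany("INSERT INTO dark_flows VALUES (?,?,?)", DARK_FLOWS)
    return db

def user_for_ip(db, ip, ts):
    """Username whose session held `ip` at time `ts`, or None if nobody did.
    ISO timestamps compare correctly as strings; an open session (stop NULL)
    covers everything after its start."""
    row = db.execute("""
        SELECT username FROM radacct
        WHERE framedip = ? AND start <= ? AND (stop IS NULL OR stop > ?)
        ORDER BY start DESC LIMIT 1
    """, (ip, ts, ts)).fetchone()
    return row[0] if row else None

def dark_space_hits_per_user(db):
    """Join every dark-space flow to the session active at its timestamp and
    count hits per user; flows with no matching session are dropped."""
    rows = db.execute("""
        SELECT r.username, COUNT(*) FROM dark_flows f
        JOIN radacct r ON r.framedip = f.src
             AND r.start <= f.ts AND (r.stop IS NULL OR r.stop > f.ts)
        GROUP BY r.username ORDER BY COUNT(*) DESC
    """).fetchall()
    return dict(rows)
```

The gap between alice's stop and bob's start shows why the time bounds matter: a flow in that window maps to nobody rather than to whoever holds the IP now.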
participants (3): james edwards, Lars-Johan Liman, Mike Nice