Stopping open proxies and open relays
I am looking for ideas to stop the spam created by compromised Windows PC's. This is not about the various worms and viruses replicating but these boxes acting as open relays or open proxies. There are valid reasons not to run antivirus software, coupled with clueless users, this results in machines that SPAM again just a few hours after having been cleaned.
Adi
Force all SMTP outbound connections from users thru a SMTP proxy. On that proxy, force users to do SMTP Authentication; I've heard only once of a spam code that will use the user's configuration info or dispatch e-mail thru them. Even if they do, you can rate-limit messages/hour, unique mail to/hour, disable mail service after a threshold, whatever sounds a good policy to you.
Rubens
----- Original Message -----
From: "Adi Linden" <adil@adis.on.ca>
To: <nanog@merit.edu>
Sent: Saturday, February 07, 2004 2:43 AM
Subject: Stopping open proxies and open relays
I am looking for ideas to stop the spam created by compromised Windows PC's. This is not about the various worms and viruses replicating but these boxes acting as open relays or open proxies.
There are valid reasons not to run antivirus software, coupled with clueless users, this results in machines that SPAM again just a few hours after having been cleaned.
Adi
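The policy suggested in the reply above (per-hour message and unique-recipient limits for each authenticated sender, with service disabled after a threshold), sketched as an added example that is not part of the original thread. The class name, return strings and limit values are assumptions chosen for illustration, and the traffic is constructed.

```python
from collections import defaultdict, deque

WINDOW = 3600  # seconds: the post's "per hour" limits


class OutboundPolicy:
    """Per-account limits applied by an authenticating SMTP proxy (hypothetical)."""

    def __init__(self, max_msgs, max_unique_rcpts, strikes_to_disable):
        self.max_msgs = max_msgs
        self.max_unique_rcpts = max_unique_rcpts
        self.strikes_to_disable = strikes_to_disable
        self.events = defaultdict(deque)  # user -> (timestamp, recipients) per accepted msg
        self.strikes = defaultdict(int)   # user -> number of over-limit attempts
        self.disabled = set()             # accounts cut off until an operator re-enables

    def check(self, user, rcpts, now):
        """Decide one submission: 'accept', 'defer', 'disabled' or 'reject'."""
        if not user:
            return "reject"               # no SMTP AUTH, no relaying
        if user in self.disabled:
            return "disabled"
        rcpts = frozenset(r.lower() for r in rcpts)
        q = self.events[user]
        while q and q[0][0] <= now - WINDOW:
            q.popleft()                   # forget messages older than the window
        unique = set().union(*(r for _, r in q)) | rcpts
        if len(q) + 1 > self.max_msgs or len(unique) > self.max_unique_rcpts:
            self.strikes[user] += 1
            if self.strikes[user] >= self.strikes_to_disable:
                self.disabled.add(user)
                return "disabled"
            return "defer"
        q.append((now, rcpts))
        return "accept"


def simulate():
    """Constructed traffic: one account mailing two new recipients every second."""
    policy = OutboundPolicy(max_msgs=5, max_unique_rcpts=8, strikes_to_disable=3)
    return [
        policy.check("user-a", [f"rcpt{2*i}@example.net", f"rcpt{2*i+1}@example.net"], now=i)
        for i in range(10)
    ]


if __name__ == "__main__":
    print(simulate())
```

Deferred attempts count as strikes, so a host that keeps retrying past the limit is the one that gets disabled, while a user who briefly exceeds it is only delayed.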
At 12:00 AM 2/7/2004, Adi Linden wrote:
There are valid reasons not to run antivirus software,
And they are?
P90w/32MB running Win95 used for email only...
Odd... When that was a state of the art machine for which I paid $3k+ in 1995 (IRC) I used a CLI virus scanner and before I opened anything from a BBS or the Internet, I would scan it. AVAST, FSecure, Norton, McAfee, and all others with which I am familiar still have a CLI version too. If it is only used for email, they can probably wait a few seconds longer to access files. They are already waiting a long time to do anything with that computer. :)
or insufficient finances to purchase anti virus software... to name a couple.
Not a valid excuse/reason. www.avast.com - It is excellent AV software and it is completely FREE for non-commercial use.
R
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - Francis Jeffrey
Adi Linden wrote:
|>>There are valid reasons not to run antivirus software,
|>
|>And they are?
|
| P90w/32MB running Win95 used for email only... or insufficient finances
| to purchase anti virus software... to name a couple.
Products such as Clam-AV and Amavisd-new work very well together, are free, and have a very small CPU/memory footprint. Give them a try.
Chris
--
Chris Horry
zerbey@wibble.co.uk
PGP: DSA/2B4C654E
Amateur Radio: KG4TSM
"Winter is the season in which people try to keep the house as warm as it was in the summer, when they complained about the heat" --Author Unknown
On Friday 06 February 2004 21:00, Adi Linden wrote:
There are valid reasons not to run antivirus software,
And they are?
P90w/32MB running Win95 used for email only... or insufficient finances to purchase anti virus software... to name a couple.
Not to be argumentative, but by that logic, I guess it is okay to drive my 1948 Ford which doesn't have brakes if I don't have the cash to fix it. It may be a reason, but not a valid reason. Intentionally running a computer in a manner which can do substantial damage to others is not an option. We run AV on our systems which are Linux based to ensure that nothing goes thru our network which could harm others.
--
Robin Lynn Frank | Director of Operations | Paradigm-Omega, LLC
Email acceptance policy: http://paradigm-omega.com/email_policy.php
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Robin Lynn Frank
Sent: February 7, 2004 12:29 AM
To: nanog@merit.edu
Subject: Re: Stopping open proxies and open relays
On Friday 06 February 2004 21:00, Adi Linden wrote:
There are valid reasons not to run antivirus software,
And they are?
P90w/32MB running Win95 used for email only... or insufficient finances to purchase anti virus software... to name a couple.
Not to be argumentative, but by that logic, I guess it is okay to drive my 1948 Ford which doesn't have brakes if I don't have the cash to fix it.
There's a big difference between the two. If you drive your 1948 Ford without brakes, the local law enforcement agency will make sure it's not in your interest to repeat the mistake a second time. If you leave your computer unsecured, well... realistically, no one is going to fine/jail/etc you whatever the law provides for driving an unfit vehicle. Now, if hooking up an unsecured computer to a network was punishable by a $1000 fine, and law enforcement somehow had the staff to prosecute all offenders (or a representative sample), I'm sure everybody would agree that suddenly they'd be able to afford antiviruses.
Vivien
--
Vivien M.
vivienm@dyndns.org
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/
Not to be argumentative, but by that logic, I guess it is okay to drive my 1948 Ford which doesn't have brakes if I don't have the cash to fix it.
This is a matter of opinion. While this was my initial first thought, I can't agree with it. An old PC is by no means a threat to others. The invasive and unlawful actions of a third party is what turns the computer into a threat. I'd rather compare this with Canadian winter. It is so cold out that I have to start my vehicle and let it idle for a few minutes. This means an unattended vehicle with the key in the ignition. If the neighbour's kid takes the vehicle and plays "Grand Theft Auto", who's responsible for the damage? As owner, at which point have I taken reasonable precautions against such an event?
There are programs happening which refurbish and distribute retired corporate PC's to schools and other organizations. All of this equipment is as I described. There are an enormous number of PC's out there that match the situation I described...
But that's all really not all that important to my question. What I really need is an easy to use solution to deal with the problem. Emphasis is on "easy to use" not necessarily easy to implement.
** Reply to message from Adi Linden <adil@adis.on.ca> on Fri, 6 Feb 2004 23:00:12 -0600 (CST)
There are valid reasons not to run antivirus software,
And they are?
P90w/32MB running Win95 used for email only... or insufficient finances to purchase anti virus software... to name a couple.
Adi
That's not a valid reason. That's an excuse. http://www.grisoft.com - AVG has a very nice free version for personal use. And they obviously have the means to afford an internet connection.... Next?
--
Jeff Shultz
Loose nut behind the wheel.
Robin Lynn Frank wrote:
On Friday 06 February 2004 20:43, Adi Linden wrote:
There are valid reasons not to run antivirus software,
And they are?
With the exception of my BBS (still running) and until 2 weeks ago I hadn't run any av software on my machines (now I run clamav via postfix to stop the stream of incoming crap in my inbox).... I've never needed to run any anti virus software. Funnily enough neither has my wife or son (age 9) they both know the golden rules. No disks from friends, no cover disks, and don't open any attachment unless you know what it is and who it's from. (and the other measure - linux runs on the desktops, so no LookOut Express) To date I haven't been infected with a virus (except when analysing a few, but that's another story). / Mat
----- Original Message -----
From: "Adi Linden" <adil@adis.on.ca>
To: <nanog@merit.edu>
Sent: Saturday, February 07, 2004 3:43 PM
Subject: Stopping open proxies and open relays
I am looking for ideas to stop the spam created by compromised Windows PC's. This is not about the various worms and viruses replicating but these boxes acting as open relays or open proxies.
There are valid reasons not to run antivirus software, coupled with clueless users, this results in machines that SPAM again just a few hours after having been cleaned.
Optus in Australia have taken the line of blocking port 25 to anything at all excepting contact with their own servers. Seems to work. Some pissed off customers with their own smtp progs etc but my guess is that this would fit your bill. Greg.
Gregh wrote:
Optus in Australia have taken the line of blocking port 25 to anything at all excepting contact with their own servers. Seems to work. Some pissed off customers with their own smtp progs etc but my guess is that this would fit your bill.
Earthlink and many others have been doing this in the US for a long time. But, they don't require any "authorization" in sending, despite that being available built-in to NetScape/Mozilla for many years, and they don't seem to actually scan their outgoing email for virii and cut off the user. I'm not sure this is the answer.
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
participants (10)
- Adi Linden
- Chris Horry
- Gregh
- Jeff Shultz
- Matthew Sullivan
- Robert Boyle
- Robin Lynn Frank
- Rubens Kuhl Jr.
- Vivien M.
- William Allen Simpson