[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: MS mail bombs

On Sat, 20 Sep 2003 21:07:58 -0500
Ron Johnson <ron.l.johnson@cox.net> wrote:
> On Sat, 2003-09-20 at 18:45, Steve Lamb wrote:
> > On Sat, 20 Sep 2003 16:25:29 -0500
> > Ron Johnson <ron.l.johnson@cox.net> wrote:
> > > On Sat, 2003-09-20 at 15:47, Steve Lamb wrote:
> > > > On Sat, 20 Sep 2003 15:43:12 -0500
> > > > Ron Johnson <ron.l.johnson@cox.net> wrote:
> > > > > And *even if I did run my own mail server*, all of the virus/spam-
> > > > > filled packets would *still* have to be sent down to me.
  
> > > >     'cept for blacklisting at the firewall.
  
> > > No, since the firewall is on *my* side of the pipe.
 
> >     And how, exactly, do they even initiate an SMTP session if they cannot
> > connect to you... period?  I dare say that a dropped connection is far
> > less, byte wise, than a 130k attachment.  Wouldn't you?
 
> Ok, I'm confused.  Who is the "they" in "do they even initiate"?

    Yes.  You'd forgotten that you had written "even if I did run my own mail
server" up there.
 
> To my knowledge, nobody initiates SMTP sessions with me.  My MUA
> initiates POP3 (to my ISP's pop server) to fetch incoming email, 
> and initiates SMTP (to my ISP's smtp server) to send outgoing email.

    Which isn't what I was responding to.  I pointed out that if you ran your
own mail server, no, not all the data need be sent since one can firewall the
infected IPs to prevent future bombings.  On average I'm getting 3-4 hits per
IP.  So if, as you say, you ran your own mail server and you firewalled them
after the first hit then subsequent hits would not impact your connection a
great deal.

    However as you don't run your own mail server the point, for you, is moot.
As some people here *do* run their own mail server the point, for them, is
valid.  

    My only wish is that I knew exiscan-acl well enough to figure out if I
could have a custom script run upon a positive hit.  In doing so have the
infected IP automatically added to Shorewall's blacklist.  It would also
maintain a DB of when certain IPs were placed on the blacklist and
automatically remove them after a configured time frame (a week, a month?) had
gone by.  This would offer protection against known infected hosts but would
remove the block when the immediate danger was past and after a reasonable
time for the person to clean up their machine.

-- 
         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
       PGP Key: 8B6E99C5       | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------

Attachment: pgpm3fTiJAh4N.pgp
Description: PGP signature

Reply to: