Douglas Otis wrote:
On Jun 19, 2007, at 8:35 AM, Suresh Ramasubramanian wrote:
On 6/19/07, Leigh Porter <[EMAIL PROTECTED]> wrote:
Agreed, SMTP is not really a special vector, other than its obvious
commercial spam use. So just block all the usual virus vector ports,
block 25 and force people to use your own SMTP servers and the
problem [for] this particular one goes away.
No. The part of it you target (outbound spam) merely relocates
itself, and your SMTP servers become huge spam sinks. Filter all you
want and you'll still leak spam unless you take those hosts down.
And in the meantime those hosts will also be launching DoS attacks,
hosting "fast flux" pills / warez / kiddy pr0n sites, carrying out ID
/ card theft... best to isolate and take them down.
You can port block at your edge till you burst and you'll still be in
a lot of hot water.
Web-site/browser vulnerabilities make ISP efforts largely futile.
Infection rates easily overwhelm aggressive automated detection and
walled-garden strategies. Nevertheless, blocking port 25 offers several
benefits even for this seemingly failing effort. Messages can be rate
limited, where delivery errors also provide direct clues as to which
systems are likely infected.
Web-related script vulnerabilities impact some of the largest online
email providers! In the zeal to enable advertising, customer accounts
are easily harvested. These accounts may also receive password
updates from other accounts, placing even critical financial
information at risk. Every compromised account is then able to
impersonate owners, utilize their address book and entice further
infections by offering malware-related messages. The malware might
appear as seemingly harmless links or documents. Email is a vector
that must be watched carefully; however, the greater danger is with
web/browser vulnerabilities.
Complacency permitting, and at times even promoting, the use of known
defective products must end. The era of combining scripts and active
code along with every piece of information conveyed must end. Unless
the Internet industry responds effectively, legislators will likely
react in their own futile way.
Less is more. A document MUST NOT require active code to convey
information.
-Doug
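Doug's point above, that once port 25 is blocked the ISP's own submission servers can rate limit clients and that delivery errors point at likely infected systems, as an added example that is not part of the thread: per-client aggregation over constructed Postfix-style log lines. The log format, IP addresses and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Assumed log shape: one line per recipient with the submitting client IP
# and the delivery outcome (a simplified, Postfix-like format).
LINE_RE = re.compile(
    r"client=(?P<ip>[\d.]+) to=<(?P<rcpt>[^>]+)> status=(?P<status>\w+)"
)

def _line(ip, rcpt, status):
    return f"Jun 19 08:40:00 mx smtpd[1]: client={ip} to=<{rcpt}> status={status}"

# Constructed sample: a normal customer (.5), a low-volume host with one
# bounce (.3), a low-volume host with mostly bounces (.7), and a high-volume
# host spraying many recipients with half of them bouncing (.9).
SAMPLE_LOG = (
    [_line("10.0.0.5", f"friend{i}@example.org", "sent") for i in range(3)]
    + [_line("10.0.0.3", "a@example.org", "sent"), _line("10.0.0.3", "b@example.org", "bounced")]
    + [_line("10.0.0.7", f"r{i}@example.com", "bounced" if i < 4 else "sent") for i in range(6)]
    + [_line("10.0.0.9", f"victim{i}@example.net", "sent" if i % 2 else "bounced") for i in range(40)]
)

def summarize(lines):
    """Per-client counts of sent/failed deliveries and distinct recipients."""
    stats = defaultdict(lambda: {"sent": 0, "failed": 0, "rcpts": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        s = stats[m["ip"]]
        s["rcpts"].add(m["rcpt"])
        if m["status"] == "sent":
            s["sent"] += 1
        else:
            s["failed"] += 1
    return stats

def suspicious_clients(lines, max_msgs=20, min_msgs_for_ratio=5, max_fail_ratio=0.3):
    """Flag clients that exceed the message budget, or whose delivery-error
    ratio is high once they have sent enough mail to judge."""
    flagged = {}
    for ip, s in summarize(lines).items():
        total = s["sent"] + s["failed"]
        ratio = s["failed"] / total
        if total > max_msgs or (total >= min_msgs_for_ratio and ratio > max_fail_ratio):
            flagged[ip] = {"messages": total, "failed": s["failed"], "recipients": len(s["rcpts"])}
    return flagged

if __name__ == "__main__":
    for ip, info in sorted(suspicious_clients(SAMPLE_LOG).items()):
        print(ip, info)
```

The small-volume host with a single bounce stays unflagged, which is the point of requiring a minimum message count before judging the error ratio.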
This is a great point Doug. Port-based vulns are, IMO, starting to
decline due to update of SP2, etc. There's still a lot there but in a few
years it will be quite low as hopefully most people will either filter
it or customers will have default-on firewalls.
Browsers and dumb customers opening emails are where it's at now. The
only way to filter that is to look at ALL traffic using some horrid DPI
box or proxy or something.
Life really sucks.
--
Leigh