Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
On Sat, 10 Apr 2004 11:45:38 +1300, Pulu wrote in message <[EMAIL PROTECTED]>:

> To kind of get back to the ISP world a little bit, has anyone used
> this in the way that's being recommended? (Using the OS Fingerprint
> Netfilter patch to block Windows machines sending to port 25).

..and then trap them in a tarpit server outside your current gateway?
I see no reason to let spammers tie up ip_conntrack entries, they should be sunk in a tarpit.

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
- Original Message -
From: "Russell Coker" <[EMAIL PROTECTED]>
To:
Cc: "Pulu 'Anau" <[EMAIL PROTECTED]>
Sent: Saturday, April 10, 2004 3:12 PM
Subject: Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)

> For NT (XP etc) you could allow every fourth day for receiving mail. Mail is
> generally queued for four days before being bounced, so if you only accept
> mail from NT machines every fourth day then you lose 75% of the spam and
> viruses because spam proxies and viruses generally don't re-try. Legit mail
> servers will keep trying until you let them through.
>
> Avoiding 75% of the spam and viruses isn't a solution to the problem, but it's
> a good start...

Have a look at http://www.greylisting.org/ and you could avoid much more spam while reducing false positives to nearly zero!

Christian
Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
On Sat, 10 Apr 2004 08:45, Pulu 'Anau <[EMAIL PROTECTED]> wrote:
> To kind of get back to the ISP world a little bit, has anyone used this in
> the way that's being recommended? (Using the OS Fingerprint Netfilter
> patch to block Windows machines sending to port 25).
>
> We're currently getting slammed by Windows viruses and have thought about
> doing exactly that, but it seemed to us that there are enough people using
> Exchange or Sendmail.com's windows sendmail (let alone ftgate, etc, etc.)
> that doing this would block legitimate mail almost instantly.

Is there any legit mail server software for Win98? If not then you can permanently block it.

For NT (XP etc) you could allow every fourth day for receiving mail. Mail is generally queued for four days before being bounced, so if you only accept mail from NT machines every fourth day then you lose 75% of the spam and viruses because spam proxies and viruses generally don't re-try. Legit mail servers will keep trying until you let them through.

Avoiding 75% of the spam and viruses isn't a solution to the problem, but it's a good start...

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
Hi,

you shouldn't try to block everything that comes from a host which has no open smtp port, this is in general a bad idea...

reason: there are a lot (and I mean a lot) of servers out there, which only send mail out to the world, but should never receive any mail directly, so that it is okay to bind the smtpd only to localhost or to an internal lan interface. Often there are other servers which receive the mail for these kind of setups...

The better way is to check against a real blacklist which has entries for dial-up networks and maybe for dns-names without any MX or A entry... for example spamassassin asks a lot of real blacklists and so it also checks these things:

example for checks against RBLs (sorry, it's a german system, but I will translate):

- NO_DNS_FOR_FROM: Domain der Absendeadresse nicht im DNS registriert (kein MX/A Eintrag)
  / Domain of the sending address has no dns entry (no mx/a record)
- RCVD_IN_NJABL_DIALUP RBL: NJABL: Senderechner nur temporär mit Internet verbunden [XXX.XXX.XXX.XXX listed in dnsbl.njabl.org]
  / Sending host is only connected to the internet temporarily (dial up)

and so on

So in my opinion it's better to check against such lists than simply block all mail that comes from a system without open smtp...

--Ralph

On Saturday 10 April 2004 01:18, Andreas John wrote:
> Hi!
>
> Dave Watkins wrote:
> > If I remember right (and someone correct me if I'm wrong) a mail server
> > doesn't have to have an MX record. If no MX record exists then the
> > sending server drops back to normal host records and this is perfectly
> > legitimate. So the MX record checking may not work so well
>
> Dave, your theory is right, you don't have to have an MX record in your
> DNS zone in order to receive mail, but Pulu wants to "tcpping", so his
> idea is to check if there is an open port 25, i.e. check if the sending
> server is a mailserver. This would not be the case with infected
> outlooks ;) but also not for hosts behind NAT FW.
> @Pulu: Is that your idea?
>
> The problem is more that a sending host has not necessarily to be a
> receiver. (reminds me of goatse.cx ;-)) nor that it has to be smtp
> (submission et al?)
>
> In Germany several large scale ISPs began to block all mail coming
> directly from a dialup ip, so I think it would be an accepted way to
> try what Pulu wants to do.
>
> Rgds,
> j.
>
> --
> Andreas John
> net-lab GmbH
> Luisenstrasse 30b
> 63067 Offenbach
> Tel: +49 69 85700331
>
> http://www.net-lab.net
Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
Hi!

Dave Watkins wrote:
> If I remember right (and someone correct me if I'm wrong) a mail server
> doesn't have to have an MX record. If no MX record exists then the
> sending server drops back to normal host records and this is perfectly
> legitimate. So the MX record checking may not work so well

Dave, your theory is right, you don't have to have an MX record in your DNS zone in order to receive mail, but Pulu wants to "tcpping", so his idea is to check if there is an open port 25, i.e. check if the sending server is a mailserver. This would not be the case with infected outlooks ;) but also not for hosts behind NAT FW.
@Pulu: Is that your idea?

The problem is more that a sending host has not necessarily to be a receiver. (reminds me of goatse.cx ;-)) nor that it has to be smtp (submission et al?)

In Germany several large scale ISPs began to block all mail coming directly from a dialup ip, so I think it would be an accepted way to try what Pulu wants to do.

Rgds,
j.

--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331

http://www.net-lab.net
Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
If I remember right (and someone correct me if I'm wrong) a mail server doesn't have to have an MX record. If no MX record exists then the sending server drops back to normal host records and this is perfectly legitimate. So the MX record checking may not work so well

Pulu 'Anau wrote:
> To kind of get back to the ISP world a little bit, has anyone used this in
> the way that's being recommended? (Using the OS Fingerprint Netfilter
> patch to block Windows machines sending to port 25).
>
> We're currently getting slammed by Windows viruses and have thought about
> doing exactly that, but it seemed to us that there are enough people using
> Exchange or Sendmail.com's windows sendmail (let alone ftgate, etc, etc.)
> that doing this would block legitimate mail almost instantly.
>
> We've just been blocking hosts manually after the first virus. I'm thinking
> about writing a little script to:
>
> 1. Get the offending IP address from amavis's logfile
> 2. Check against a whitelist (like our own backup mx's)
> 3. Do something like tcpping to the IP to see if it is a valid mx host
> 4. If it doesn't pass checks 2 or 3, block the IP in netfilter for 72 hours
>
> Other than the 72 hour checks it's pretty straightforward and seems (at
> least to me) very unlikely to stop legitimate mail, while cutting those guys
> who send 40-50 viruses a day down to 1 every three.
>
> Does anyone see any problems with the above? The major issue is bandwidth,
> some of our customers host their mail servers on 32K links with 200+ users.
>
> Sorry, it's not really about the spam issue discussed before, but it's
> strange the synchronicity (os fingerprinting anyway) between my work and
> this list sometimes.
>
> Pulu
> Afe.to ANTS
> POB 1478 Nuku'alofa, Tonga
> Ph: Country code 676 - 27946 or 878-1332
> http://www.afe.to
> http://svcs.affero.net/rm.php?r=pulu
>
> Quoting Russell Coker <[EMAIL PROTECTED]>:
> > On Fri, 9 Apr 2004 21:32, Arnt Karlsen <[EMAIL PROTECTED]> wrote:
> > > On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message
> > > > http://www.netfilter.org/patch-o-matic/pom-base.html
> > > >
> > > > See the section on "osf" in the above URL for a better solution.
> > > > Simply block Windows machines from accessing your port 25.
> > >
> > > ..if only all isp's did it...
> >
> > Not all ISPs need to do it. Only your ISP and the ISPs that host mailing
> > lists that you subscribe to.
> >
> > If you are interested in this then the best thing you can do is to build
> > yourself a kernel with osf and try it out. If it works well create a Debian
> > kernel-patch package for it so that other Debian users can conveniently use
> > it. The more accessible you make this to Debian people the closer it comes
> > to being installed on Debian list servers...
> >
> > --
> > http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
> > http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> > http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> > http://www.coker.com.au/~russell/ My home page
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
> - This mail sent from Tonga's Premiere Internet Cafe
> Visit us online at http://www.cafe.afe.to
> discussions @ http://www.nomoa.com/index.php
> generic info @ http://www.tongatapu.net.to
OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
To kind of get back to the ISP world a little bit, has anyone used this in the way that's being recommended? (Using the OS Fingerprint Netfilter patch to block Windows machines sending to port 25).

We're currently getting slammed by Windows viruses and have thought about doing exactly that, but it seemed to us that there are enough people using Exchange or Sendmail.com's windows sendmail (let alone ftgate, etc, etc.) that doing this would block legitimate mail almost instantly.

We've just been blocking hosts manually after the first virus. I'm thinking about writing a little script to:

1. Get the offending IP address from amavis's logfile
2. Check against a whitelist (like our own backup mx's)
3. Do something like tcpping to the IP to see if it is a valid mx host
4. If it doesn't pass checks 2 or 3, block the IP in netfilter for 72 hours

Other than the 72 hour checks it's pretty straightforward and seems (at least to me) very unlikely to stop legitimate mail, while cutting those guys who send 40-50 viruses a day down to 1 every three.

Does anyone see any problems with the above? The major issue is bandwidth, some of our customers host their mail servers on 32K links with 200+ users.

Sorry, it's not really about the spam issue discussed before, but it's strange the synchronicity (os fingerprinting anyway) between my work and this list sometimes.

Pulu
Afe.to ANTS
POB 1478 Nuku'alofa, Tonga
Ph: Country code 676 - 27946 or 878-1332
http://www.afe.to
http://svcs.affero.net/rm.php?r=pulu

Quoting Russell Coker <[EMAIL PROTECTED]>:
> On Fri, 9 Apr 2004 21:32, Arnt Karlsen <[EMAIL PROTECTED]> wrote:
> > On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message
> > > http://www.netfilter.org/patch-o-matic/pom-base.html
> > >
> > > See the section on "osf" in the above URL for a better solution.
> > > Simply block Windows machines from accessing your port 25.
> >
> > ..if only all isp's did it...
>
> Not all ISPs need to do it. Only your ISP and the ISPs that host mailing
> lists that you subscribe to.
>
> If you are interested in this then the best thing you can do is to build
> yourself a kernel with osf and try it out. If it works well create a Debian
> kernel-patch package for it so that other Debian users can conveniently use
> it. The more accessible you make this to Debian people the closer it comes
> to being installed on Debian list servers...
>
> --
> http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/ My home page
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

- This mail sent from Tonga's Premiere Internet Cafe
Visit us online at http://www.cafe.afe.to
discussions @ http://www.nomoa.com/index.php
generic info @ http://www.tongatapu.net.to
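
The four-step script proposed in the message above, sketched in Python as an added example that is not code from the thread or from any poster. The amavis log layout in `SAMPLE_LOG`, all addresses and the whitelist range are constructed assumptions, and the functions return `iptables` command lines rather than running them.

```python
import ipaddress
import re
import socket
import time

BLOCK_SECONDS = 72 * 3600  # step 4: block for 72 hours

# Constructed sample log. The line layout is an assumption; adapt INFECTED_RE
# to whatever your amavis version actually writes.
SAMPLE_LOG = """\
Apr 10 08:41:02 mx1 amavis[2201]: (02201-03) INFECTED (Worm.Example.A), [192.0.2.45] <a@example.net> -> <u@example.to>
Apr 10 08:41:09 mx1 amavis[2201]: (02201-04) Passed, [198.51.100.7] <b@example.org> -> <u@example.to>
Apr 10 08:42:30 mx1 amavis[2207]: (02207-01) INFECTED (Worm.Example.B), [203.0.113.9] <c@example.com> -> <u@example.to>
Apr 10 08:43:11 mx1 amavis[2207]: (02207-02) INFECTED (Worm.Example.A), [192.0.2.45] <d@example.net> -> <u@example.to>
Apr 10 08:44:00 mx1 amavis[2207]: (02207-03) INFECTED (Worm.Example.A), [198.51.100.20] <e@example.net> -> <u@example.to>
Apr 10 08:44:05 mx1 amavis[2207]: (02207-04) INFECTED (Worm.Example.A), [999.1.1.1] <f@example.net> -> <u@example.to>
"""

INFECTED_RE = re.compile(r"INFECTED \([^)]*\), \[(\d{1,3}(?:\.\d{1,3}){3})\]")


def offending_ips(log_text):
    """Step 1: IPv4 sources of INFECTED lines, de-duplicated, first-seen order."""
    found = []
    for line in log_text.splitlines():
        match = INFECTED_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.IPv4Address(match.group(1))
        except ValueError:
            continue  # e.g. 999.1.1.1: never hand unvalidated log text to iptables
        if ip not in found:
            found.append(ip)
    return found


def is_whitelisted(ip, whitelist):
    """Step 2: whitelist is a list of ipaddress.IPv4Network (e.g. backup MXs)."""
    return any(ip in net for net in whitelist)


def smtp_port_open(ip, timeout=5.0):
    """Step 3: a plain TCP connect to port 25, standing in for 'tcpping'.
    As replies in the thread note, outbound-only mail servers and hosts
    behind NAT fail this probe too, so it is a heuristic, not proof."""
    try:
        with socket.create_connection((str(ip), 25), timeout=timeout):
            return True
    except OSError:
        return False


def plan_blocks(log_text, whitelist, blocks, now, probe=smtp_port_open):
    """Step 4: record new 72-hour blocks in `blocks` ({ip: expiry}) and return
    the iptables argv lists to run. Hosts already blocked are skipped."""
    commands = []
    for ip in offending_ips(log_text):
        if ip in blocks or is_whitelisted(ip, whitelist) or probe(ip):
            continue
        blocks[ip] = now + BLOCK_SECONDS
        commands.append(["iptables", "-I", "INPUT", "-s", str(ip),
                         "-p", "tcp", "--dport", "25", "-j", "DROP"])
    return commands


def expire_blocks(blocks, now):
    """The '72 hour check': forget expired entries, return the -D commands."""
    commands = []
    for ip in [ip for ip, expiry in blocks.items() if expiry <= now]:
        del blocks[ip]
        commands.append(["iptables", "-D", "INPUT", "-s", str(ip),
                         "-p", "tcp", "--dport", "25", "-j", "DROP"])
    return commands


if __name__ == "__main__":
    whitelist = [ipaddress.IPv4Network("198.51.100.0/24")]  # constructed backup-MX range
    fake_probe = lambda ip: str(ip) == "203.0.113.9"  # constructed: answers on port 25
    blocks = {}
    start = time.time()
    for argv in plan_blocks(SAMPLE_LOG, whitelist, blocks, start, fake_probe):
        print(" ".join(argv))
    for argv in expire_blocks(blocks, start + BLOCK_SECONDS):
        print(" ".join(argv))
```

Persist `blocks` between runs (for example as a small file of address and expiry pairs) so that a cron job can call `expire_blocks` and lift rules after the 72 hours.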
Re: ..idea; ddos spam hosts off Internet?
On Fri, 9 Apr 2004 22:53:15 +1000, Russell wrote in message <[EMAIL PROTECTED]>:

> On Fri, 9 Apr 2004 21:32, Arnt Karlsen <[EMAIL PROTECTED]> wrote:
> > On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message
> > > http://www.netfilter.org/patch-o-matic/pom-base.html
> > >
> > > See the section on "osf" in the above URL for a better solution.
> > > Simply block Windows machines from accessing your port 25.
> >
> > ..if only all isp's did it...
>
> Not all ISPs need to do it. Only your ISP and the ISPs that host
> mailing lists that you subscribe to.

..true. And, it does nothing to stop Bill Gates' email-fee scheme.

> If you are interested in this then the best thing you can do is to
> build yourself a kernel with osf and try it out. If it works well
> create a Debian kernel-patch package for it so that other Debian users
> can conveniently use it. The more accessible you make this to Debian
> people the closer it comes to being installed on Debian list
> servers...

..I agree, but don't hold your breath, I'm still a fresh Red Hat convertee, and I first have to get apt-get or yum up and going on my client's boxes, ie; those RH-7.3 and RH-9'ers that I need to keep up 24/7, everything else is and becomes Woody and Sarge as soon as they blink. ;-) I'll honk the horn when my osf deb needs testing.

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
Re: ..idea; ddos spam hosts off Internet?
On Fri, 9 Apr 2004 21:32, Arnt Karlsen <[EMAIL PROTECTED]> wrote:
> On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message
> > http://www.netfilter.org/patch-o-matic/pom-base.html
> >
> > See the section on "osf" in the above URL for a better solution.
> > Simply block Windows machines from accessing your port 25.
>
> ..if only all isp's did it...

Not all ISPs need to do it. Only your ISP and the ISPs that host mailing lists that you subscribe to.

If you are interested in this then the best thing you can do is to build yourself a kernel with osf and try it out. If it works well create a Debian kernel-patch package for it so that other Debian users can conveniently use it. The more accessible you make this to Debian people the closer it comes to being installed on Debian list servers...

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Re: ..idea; ddos spam hosts off Internet?
On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message <[EMAIL PROTECTED]>:

> On Fri, 9 Apr 2004 09:51, Arnt Karlsen <[EMAIL PROTECTED]> wrote:
> > ..another idea; DDOS'ing spam hosts _off_ the net, say by using
> > other spam hosts as DOS relays? Spam headers contain the
> > originating ip, and 2 such _can_ be set up to DOS each other.
> > _Etc_.
>
> The problem is that such attacks are a crime, and you are probably
> easier for the authorities to catch than the spammer...

..most places, agreed.

> > ..these spam hosts are commonly virus infected Wintendo's without
> > the owner knowing, as such unsuspecting owners feel their box
> > appears to work normally.
> >
> > ..these virus infected Wintendos should be taken off-line, anyway,
> > and made secure. And isp's should have a policy on such abuse,
> > and enforce it.
>
> http://www.netfilter.org/patch-o-matic/pom-base.html
>
> See the section on "osf" in the above URL for a better solution.
> Simply block Windows machines from accessing your port 25.

..if only all isp's did it...

> > ..outside Internet, similar action is warranted in many
> > jurisdictions, by laws governing emergencies, for example, breaking
> > into your neighbor's house to take his computer is a criminal
> > offence, but may be warranted if his house is ablaze and you know
> > the loss of his data will destroy his business.
>
> I doubt that any court would rule that a DDOS attack is lawful,
> particularly as the attack would mostly harm an innocent ISP that has
> a Windows luser as a customer (all ISPs have lame customers).

..arguably, yes, however in the case of the lame isp's, there's possibly an opening for such court rulings.

> > ..Bill Gates' proposal of email-for-a-fee-to-Microsoft to solve
> > this, is IMHO pure racism, as is Nigeria's 419 legislation, as it
> > effectively denies all other Africans and many Asians the access to
> > the free email that you and I enjoy.
>
> I don't want to send email to Microsoft anyway... ;)

.. ;-) The Microsoft scheme is a M$ scheme, their idea is collect the M$ thru their "passport" "service", AFAIUI.

..and, booo, you cc'ed me, spammer! ;-)

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
Re: ..idea; ddos spam hosts off Internet?
On Fri, 9 Apr 2004 21:32, Arnt Karlsen <[EMAIL PROTECTED]> wrote:
> On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message
> > http://www.netfilter.org/patch-o-matic/pom-base.html
> >
> > See the section on "osf" in the above URL for a better solution.
> > Simply block Windows machines from accessing your port 25.
>
> ..if only all isp's did it...

Not all ISPs need to do it. Only your ISP and the ISPs that host mailing lists that you subscribe to.

If you are interested in this then the best thing you can do is to build yourself a kernel with osf and try it out. If it works well create a Debian kernel-patch package for it so that other Debian users can conveniently use it. The more accessible you make this to Debian people the closer it comes to being installed on Debian list servers...

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Re: ..idea; ddos spam hosts off Internet?, was: ...please
On Fri, 9 Apr 2004 09:51, Arnt Karlsen <[EMAIL PROTECTED]> wrote:
> ..another idea; DDOS'ing spam hosts _off_ the net, say by using other
> spam hosts as DOS relays? Spam headers contain the originating ip,
> and 2 such _can_ be set up to DOS each other. _Etc_.

The problem is that such attacks are a crime, and you are probably easier for the authorities to catch than the spammer...

> ..these spam hosts are commonly virus infected Wintendo's without the
> owner knowing, as such unsuspecting owners feel their box appears to
> work normally.
>
> ..these virus infected Wintendos should be taken off-line, anyway,
> and made secure. And isp's should have a policy on such abuse,
> and enforce it.

http://www.netfilter.org/patch-o-matic/pom-base.html

See the section on "osf" in the above URL for a better solution. Simply block Windows machines from accessing your port 25.

> ..outside Internet, similar action is warranted in many jurisdictions,
> by laws governing emergencies, for example, breaking into your neighbor's
> house to take his computer is a criminal offence, but may be warranted
> if his house is ablaze and you know the loss of his data will destroy
> his business.

I doubt that any court would rule that a DDOS attack is lawful, particularly as the attack would mostly harm an innocent ISP that has a Windows luser as a customer (all ISPs have lame customers).

> ..Bill Gates' proposal of email-for-a-fee-to-Microsoft to solve this, is
> IMHO pure racism, as is Nigeria's 419 legislation, as it effectively
> denies all other Africans and many Asians the access to the free
> email that you and I enjoy.

I don't want to send email to Microsoft anyway... ;)

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
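What an OS-fingerprint match on port 25, as recommended in the message above, does in principle, shown as an added example that is not part of the thread or of the netfilter osf patch: classify a SYN by its initial TTL and TCP option order, then drop Windows-genre connections to port 25. The signatures, function names and sample packets are constructed for illustration.

```python
import struct

# Illustrative p0f-style SYN signatures, constructed for this example (not the
# osf patch's fingerprint database): (genre, initial TTL, TCP option order).
SIGNATURES = [("Windows", 128, ("MSS", "NOP", "NOP", "SACK")),
              ("Linux", 64, ("MSS", "SACK", "TS", "NOP", "WS"))]
OPT_NAMES = {1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

def tcp_option_order(opts):
    """Return the TCP option kinds in wire order; ('BAD',) if an option is malformed."""
    order, i = [], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 ends the option list
        kind = opts[i]
        size = 1 if kind == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if (kind != 1 and size < 2) or i + size > len(opts):
            return ("BAD",)                        # malformed: matches no signature
        order.append(OPT_NAMES.get(kind, "?"))
        i += size
    return tuple(order)

def classify_syn(packet):
    """Return (dport, genre) for a raw IPv4 TCP SYN, or None for anything else."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5 or packet[9] != 6:
        return None
    ttl, tcp = packet[8], packet[(packet[0] & 0x0F) * 4:]
    if len(tcp) < 20:
        return None
    dport, hdr_len, flags = struct.unpack("!H", tcp[2:4])[0], (tcp[12] >> 4) * 4, tcp[13]
    if (flags & 0x12) != 0x02 or not 20 <= hdr_len <= len(tcp):   # SYN set, ACK clear
        return None
    order = tcp_option_order(tcp[20:hdr_len])
    for genre, init_ttl, sig_order in SIGNATURES:
        # The observed TTL is the initial TTL minus hops travelled (allow 31 hops).
        if order == sig_order and init_ttl - 32 < ttl <= init_ttl:
            return dport, genre
    return dport, "unknown"

def verdict(packet, blocked_genre="Windows", port=25):
    """DROP SYNs to `port` whose fingerprint is `blocked_genre`; ACCEPT the rest."""
    return "DROP" if classify_syn(packet) == (port, blocked_genre) else "ACCEPT"

def build_syn(ttl, dport, opts):
    """Constructed sample input: IPv4+TCP SYN from 192.0.2.10, checksums zeroed."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, (5 + len(opts) // 4) << 4, 2, 65535, 0, 0) + opts
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])) + tcp

WINDOWS_OPTS = bytes.fromhex("020405b401010402")                  # MSS,NOP,NOP,SACK
LINUX_OPTS = bytes.fromhex("020405b40402080a000000000000000001030300")  # MSS,SACK,TS,NOP,WS
```

Because the decision is made per operating-system genre, a legitimate mail server running on Windows gets the same verdict as an infected desktop.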