Re: ISP/Exchange Question
On Wed, 13 Aug 2003, at 10:19am, [EMAIL PROTECTED] wrote:
>> You do not own your ISP's network, your ISP does.
>
> And that makes any arbitrary decision they choose to implement acceptable?

Acceptable? Perhaps not. You can always switch to another ISP. Of course, if all ISPs are doing the same thing, then you can either accept it, or go without Internet access. Nobody is forcing you to use the Internet.

> Please sign up here for the Patriot Service Plan comrade.

The Internet is not a government service. It is not a constitutional right, either. You are paying a private company to allow them to let you access their network. They can impose whatever terms they like on that. You can accept them, or not.

--
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |

_
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]
Re: ISP/Exchange Question
> You do not own your ISP's network, your ISP does.

And that makes any arbitrary decision they choose to implement acceptable? Please sign up here for the Patriot Service Plan comrade.
RE: ISP/Exchange Question
On Wed, 13 Aug 2003, at 8:37am, [EMAIL PROTECTED] wrote:
> I also think that most good network citizens should be egress blocking those ports anyway - there are precious few reasons a corporate network should be allowing egress traffic on those ports, or for that matter on most ports.

Yah. A lot of our customers are of the allow by default mindset for Internet access, but even on those, we explicitly block all LAN services at the firewall. Not just Microsoft's many known ports, but Novell, Apple, infrastructure services like routing protocols (if we're not using them)... all that stuff.

'course, I personally spent a good deal of yesterday cleaning up after somebody who felt they didn't need a firewall, because they ran anti-virus software. *shakes head*

--
Ben Scott [EMAIL PROTECTED]
RE: ISP/Exchange Question
: Tuesday, August 12, 2003 4:05 PM
To: Exchange Discussions
Subject: RE: ISP/Exchange Question

I didn't see anything on whitehouse.gov or ready.gov, but my counterpart in Facilities just forwarded a BOMA memo mentioning such a warning coming from DHS. Hopefully we are all already on alert for this virus, and are already protected. It's an old issue that should have been eliminated a while ago...

-----Original Message-----
From: Steck, Herb [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 5:53 PM
To: Exchange Discussions
Subject: ISP/Exchange Question

Has anyone heard of the Dept. of Homeland Security putting out an announcement to ISPs to block TCP/UDP ports 135, 137, 445?

The information transmitted is intended only for the person or entity to which it is addressed and may contain proprietary, confidential and/or legally privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers.
RE: ISP/Exchange Question
You're going to try that tired argument in every thread until it sticks?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 7:23 AM
To: Exchange Discussions
Subject: RE: ISP/Exchange Question

On Wed, 13 Aug 2003, at 9:24am, [EMAIL PROTECTED] wrote:
> Except that your ISP holds you hostage because it owns your DNS entries until you can get them moved somewhere else.

Well, first off, my original point was that Internet access is not the inalienable right that some people seem to think it is. The above is commentary on the difficulty of switching service providers. Really only tangentially related. But anyway... :)

> Changing ISPs is not a trivial task for most small- to medium-sized businesses.

Changing anything with IT infrastructure is not a trivial task for most small- to medium-sized businesses. That is why there are consultants and support companies. Joe Business Owner might not understand how to transition from one DNS hosting provider to another, but we sure do.

Technical commentary: Your DNS hosting provider really cannot hold a domain hostage. Sure, they can refuse to help you or support it, but switching to a new set of registered nameservers is a straight-forward process.

Of course, in some cases, an ISP will register a domain for a customer, but register it in their own name, and not the name of the customer. This is bad form, bad business, and generally violates the ICANN UDNDRP (section 2, subsections a and b). Of course, none of that means it does not happen. It is, alas, not uncommon. Still, if one can provide evidence of what occurred, you can generally get ownership transferred.

Is the dispute process fun? No, certainly not. But consider: If your business depends on something, and you discover you do not have legal rights to that something, would you not take immediate action to correct it? In other words, if you discover your ISP has registered your domain name in their name rather than your own, wouldn't you move to fix that, even if you were otherwise perfectly happy with your ISP? I know I sure would. :-)

--
Ben Scott [EMAIL PROTECTED]
Re: ISP/Exchange Question
On Tue, 12 Aug 2003, at 5:44pm, [EMAIL PROTECTED] wrote:
> Inbound, Inbound Inbound INBOUND INBOUND CONNECTIONS! Fscking Road Runner SSMs decided that inbound meant _all_.

One man's outbound is somebody else's inbound.

Many ISPs are concerned with stopping existing compromises from spreading, in addition to stopping inbound attacks.

Also, more selective filters require more processing power on some routers. Sometimes, a lot more.

Frankly, IMO, if you're using NetBIOS or MS-RPC over the public 'net, you deserve what you get.

--
Ben Scott [EMAIL PROTECTED]
Re: ISP/Exchange Question
> On Tue, 12 Aug 2003, at 5:44pm, [EMAIL PROTECTED] wrote:
>> Inbound, Inbound Inbound INBOUND INBOUND CONNECTIONS! Fscking Road Runner SSMs decided that inbound meant _all_.
>
> One man's outbound is somebody else's inbound.

Right, which is why all firewalls come with default rules set to block all inbound and all outbound traffic. Oh wait...

> Many ISPs are concerned with stopping existing compromises from spreading, in addition to stopping inbound attacks.

I'm sure that's why MSN blocks outbound access on port 25 to any mail server other than their own. And why a number of smaller ISPs block VPN access unless you've paid for a business account.

> Also, more selective filters require more processing power on some routers. Sometimes, a lot more.

I have an ISP, not an HSP (http service provider). The I doesn't stand for 'ports we think you should be able to use'.
RE: ISP/Exchange Question
On Wed, 13 Aug 2003, at 9:24am, [EMAIL PROTECTED] wrote:
> Except that your ISP holds you hostage because it owns your DNS entries until you can get them moved somewhere else.

Well, first off, my original point was that Internet access is not the inalienable right that some people seem to think it is. The above is commentary on the difficulty of switching service providers. Really only tangentially related. But anyway... :)

> Changing ISPs is not a trivial task for most small- to medium-sized businesses.

Changing anything with IT infrastructure is not a trivial task for most small- to medium-sized businesses. That is why there are consultants and support companies. Joe Business Owner might not understand how to transition from one DNS hosting provider to another, but we sure do.

Technical commentary: Your DNS hosting provider really cannot hold a domain hostage. Sure, they can refuse to help you or support it, but switching to a new set of registered nameservers is a straight-forward process.

Of course, in some cases, an ISP will register a domain for a customer, but register it in their own name, and not the name of the customer. This is bad form, bad business, and generally violates the ICANN UDNDRP (section 2, subsections a and b). Of course, none of that means it does not happen. It is, alas, not uncommon. Still, if one can provide evidence of what occurred, you can generally get ownership transferred.

Is the dispute process fun? No, certainly not. But consider: If your business depends on something, and you discover you do not have legal rights to that something, would you not take immediate action to correct it? In other words, if you discover your ISP has registered your domain name in their name rather than your own, wouldn't you move to fix that, even if you were otherwise perfectly happy with your ISP? I know I sure would. :-)

--
Ben Scott [EMAIL PROTECTED]
RE: ISP/Exchange Question
Over dialup?

-----Original Message-----
From: Ed Crowley [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 9:58 AM
To: Exchange Discussions
Subject: RE: ISP/Exchange Question

You're going to try that tired argument in every thread until it sticks?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 7:23 AM
To: Exchange Discussions
Subject: RE: ISP/Exchange Question

On Wed, 13 Aug 2003, at 9:24am, [EMAIL PROTECTED] wrote:
> Except that your ISP holds you hostage because it owns your DNS entries until you can get them moved somewhere else.

Well, first off, my original point was that Internet access is not the inalienable right that some people seem to think it is. The above is commentary on the difficulty of switching service providers. Really only tangentially related. But anyway... :)

> Changing ISPs is not a trivial task for most small- to medium-sized businesses.

Changing anything with IT infrastructure is not a trivial task for most small- to medium-sized businesses. That is why there are consultants and support companies. Joe Business Owner might not understand how to transition from one DNS hosting provider to another, but we sure do.

Technical commentary: Your DNS hosting provider really cannot hold a domain hostage. Sure, they can refuse to help you or support it, but switching to a new set of registered nameservers is a straight-forward process.

Of course, in some cases, an ISP will register a domain for a customer, but register it in their own name, and not the name of the customer. This is bad form, bad business, and generally violates the ICANN UDNDRP (section 2, subsections a and b). Of course, none of that means it does not happen. It is, alas, not uncommon. Still, if one can provide evidence of what occurred, you can generally get ownership transferred.

Is the dispute process fun? No, certainly not. But consider: If your business depends on something, and you discover you do not have legal rights to that something, would you not take immediate action to correct it? In other words, if you discover your ISP has registered your domain name in their name rather than your own, wouldn't you move to fix that, even if you were otherwise perfectly happy with your ISP? I know I sure would. :-)

--
Ben Scott [EMAIL PROTECTED]
Re: ISP/Exchange Question
On Wed, 13 Aug 2003, at 9:41am, [EMAIL PROTECTED] wrote:
>> One man's outbound is somebody else's inbound.
>
> Right, which is why all firewalls come with default rules set to block all inbound and all outbound traffic.

By default, most products on the market are hideously insecure, and should not be put into production without extensive modifications. Deny by default is an acceptable and widely recommended security stance for many organizations. It's not as unreasonable as you make it out to be.

However, what firewalls ship with by default really is irrelevant. The discussion was about what ISPs are doing, not what firewall vendors are doing. We were talking about ISPs who are employing filters, either on a permanent or temporary basis, to stop insecure systems being run by unqualified people (i.e., 90% of their customer base) from damaging the public network further.

>> Many ISPs are concerned with stopping existing compromises from spreading, in addition to stopping inbound attacks.
>
> I'm sure that's why MSN blocks outbound access on port 25 to any mail server other than their own. And why a number of smaller ISPs block VPN access unless you've paid for a business account.

And this has what, exactly, to do with the discussion?

> I have an ISP, not an HSP (http service provider). The I doesn't stand for 'ports we think you should be able to use'.

Read your Terms Of Service. I suspect it actually does say something to that effect. ISPs have an obligation and a necessity to protect their operations from attack. You do not own your ISP's network, your ISP does.

--
Ben Scott [EMAIL PROTECTED]
RE: ISP/Exchange Question
I didn't see anything on whitehouse.gov or ready.gov, but my counterpart in Facilities just forwarded a BOMA memo mentioning such a warning coming from DHS. Hopefully we are all already on alert for this virus, and are already protected. It's an old issue that should have been eliminated a while ago...

-----Original Message-----
From: Steck, Herb [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 5:53 PM
To: Exchange Discussions
Subject: ISP/Exchange Question

Has anyone heard of the Dept. of Homeland Security putting out an announcement to ISPs to block TCP/UDP ports 135, 137, 445?
RE: ISP/Exchange Question
I also think that most good network citizens should be egress blocking those ports anyway - there are precious few reasons a corporate network should be allowing egress traffic on those ports, or for that matter on most ports.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 7:32 PM
To: Exchange Discussions
Subject: Re: ISP/Exchange Question

On Tue, 12 Aug 2003, at 4:52pm, [EMAIL PROTECTED] wrote:
> Has anyone heard of the Dept. of Homeland Security putting out an announcement to ISPs to block TCP/UDP ports 135, 137, 445?

The DHS advisory doesn't target ISPs in particular.

Many ISPs block 135, 137, 138, 139, and 445. More have started blocking with the exploits attacking MS03-026. Given the number of clueless lusers running Windows systems unprotected on the Internet, I find this a pretty reasonable action. Traffic on those ports really doesn't have much business being on the public Internet in the first place.

--
Ben Scott [EMAIL PROTECTED]
Re: ISP/Exchange Question
On Tue, 12 Aug 2003, at 4:52pm, [EMAIL PROTECTED] wrote:
> Has anyone heard of the Dept. of Homeland Security putting out an announcement to ISPs to block TCP/UDP ports 135, 137, 445?

The DHS advisory doesn't target ISPs in particular.

Many ISPs block 135, 137, 138, 139, and 445. More have started blocking with the exploits attacking MS03-026. Given the number of clueless lusers running Windows systems unprotected on the Internet, I find this a pretty reasonable action. Traffic on those ports really doesn't have much business being on the public Internet in the first place.

--
Ben Scott [EMAIL PROTECTED]
RE: ISP/Exchange Question
Except that your ISP holds you hostage because it owns your DNS entries until you can get them moved somewhere else. Changing ISPs is not a trivial task for most small- to medium-sized businesses.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 8:59 AM
To: Exchange Discussions
Subject: Re: ISP/Exchange Question

On Wed, 13 Aug 2003, at 10:19am, [EMAIL PROTECTED] wrote:
>> You do not own your ISP's network, your ISP does.
>
> And that makes any arbitrary decision they choose to implement acceptable?

Acceptable? Perhaps not. You can always switch to another ISP. Of course, if all ISPs are doing the same thing, then you can either accept it, or go without Internet access. Nobody is forcing you to use the Internet.

> Please sign up here for the Patriot Service Plan comrade.

The Internet is not a government service. It is not a constitutional right, either. You are paying a private company to allow them to let you access their network. They can impose whatever terms they like on that. You can accept them, or not.

--
Ben Scott [EMAIL PROTECTED]
Re: ISP/Exchange Question
Inbound, Inbound Inbound INBOUND INBOUND CONNECTIONS! Fscking Road Runner SSMs decided that inbound meant _all_. It's really unfortunate for the Austin RR group that I live within stal^H^H^H^Hwalking distance.

RECOMMENDATION

Due to the seriousness of the RPC vulnerability, DHS and Microsoft encourage system administrators and computer owners to take this opportunity to update vulnerable versions of Microsoft Windows operating systems as soon as possible. Microsoft updates, workarounds, and additional information are available at http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

DHS and Microsoft further suggest that Internet Service Providers and network administrators consider blocking TCP and UDP ports 135, 139, and 445 for inbound connections unless absolutely needed for business or operational purposes.
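
An added example, not part of the original thread: a small audit of firewall flow records for the egress case the thread argues about, listing LAN-service traffic (ports 135, 137-139, 445) that the firewall let out to the Internet and internal hosts contacting many external addresses on those ports. The log format, the RFC 1918 internal ranges, the fan-out threshold and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports named in the thread: MS-RPC endpoint mapper (135), NetBIOS
# name/datagram/session (137-139) and SMB over TCP (445).
LAN_SERVICE_PORTS = {135, 137, 138, 139, 445}

# Assumption: the site uses RFC 1918 space internally.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in a hypothetical format:
#   time  src_ip  dst_ip  proto  dst_port  action
SAMPLE_LOG = """\
2003-08-13T09:00:01 10.1.1.20 198.51.100.7 tcp 135 DENY
2003-08-13T09:00:01 10.1.1.20 198.51.100.8 tcp 135 DENY
2003-08-13T09:00:02 10.1.1.20 198.51.100.9 tcp 135 DENY
2003-08-13T09:00:05 10.1.1.31 203.0.113.50 tcp 445 ALLOW
2003-08-13T09:00:07 10.1.1.31 10.1.2.5 tcp 445 ALLOW
2003-08-13T09:00:09 10.1.1.40 203.0.113.80 tcp 80 ALLOW
2003-08-13T09:00:11 203.0.113.9 10.1.1.20 udp 137 DENY
malformed line
"""


def is_internal(ip):
    """True if the address falls inside one of the site's own networks."""
    return any(ip in net for net in INTERNAL_NETS)


def parse(line):
    """Return a record dict, or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "proto": proto.lower(),
                "dport": int(dport), "action": action.upper()}
    except ValueError:
        return None


def audit(log_text, fanout_threshold=3):
    """Return (policy_gaps, suspect_hosts) for egress LAN-service traffic.

    policy_gaps: flows on LAN-service ports the firewall allowed out.
    suspect_hosts: internal sources that tried at least fanout_threshold
    distinct external destinations on those ports, allowed or denied.
    """
    gaps = []
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["dport"] not in LAN_SERVICE_PORTS:
            continue
        # Egress only: internal source, external destination.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        fanout[str(rec["src"])].add(rec["dst"])
        if rec["action"] == "ALLOW":
            gaps.append((str(rec["src"]), str(rec["dst"]),
                         rec["proto"], rec["dport"]))
    suspects = sorted(s for s, d in fanout.items() if len(d) >= fanout_threshold)
    return gaps, suspects


if __name__ == "__main__":
    gaps, suspects = audit(SAMPLE_LOG)
    for src, dst, proto, port in gaps:
        print(f"egress allowed: {src} -> {dst} {proto}/{port}")
    for host in suspects:
        print(f"check host for compromise: {host}")
```

Denied flows still count toward the fan-out figure, since a host that keeps trying port 135 against many outside addresses is worth examining even when the egress filter stops it.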