OT: Re: [Mimedefang] Extremism or just leveling the playing field..

2004-04-12 Thread David F. Skoll
On Mon, 12 Apr 2004, Ben Kamen wrote:

> I called Ameritech when someone was trying to hack sendmail on my server and
> they did absolutely -0-. Nothing. Nada. Zippo.. the Big Zed.
>
> They don't care.
> They don't know enough to care.

I don't think that's necessarily true.  I think it's more like they can't
afford to care.  If ISPs had to deal with every single instance of spam,
malware or attempted hacking, they'd go out of business.  The support
costs would be way too high.

I used to try to track down port-scanners, attempted-relayers, etc. but
it quickly got boring and tiresome.  I now see most of that as simply
the background noise of the Internet, and only react to large or persistent
threats.

Regards,

David.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: OT: Re: [Mimedefang] Extremism or just leveling the playing field..

2004-04-12 Thread Ben Kamen
I reached the same.

Make sure my systems are buttoned down...

Let the ISPs care when other ISPs start firewalling them because they care so 
much about hackers on their own network.

And actually, Dave, I don't mean to argue, but the people I talked to probably 
couldn't spell TCP/IP... I'm not kidding. I eventually (after hours and days of 
bitching) got to 1 guy who had a brain in his skull. A real brain I tell you. :)
He tried the same excuse. We just don't have the manpower to do anything about 
it... Well geez, bob... I'm GIVING you the IP address... turn on your spiffy 
packet sniffer and watch the attacks... YEESH! Their whole system is 
ubercontrolled for the dynamic users... the users CAN'T get on without Auth'ing 
into the system. sigh In the case of SBC/Ameritech, whose mechs into the 
system are so tight (and seeing how much spam I get from them) I would think it 
would only be good PR for them to mount some sort of battle.. instead, they do 
just the opposite. They don't care.

The ISP my server sits on was prepping a policy to block attackers... especially 
at a customer's request...

But now I have my handy blackhole script.. :) Heheh...

Ok, enough of my bitching. Thanks for taking the time to read it. (and give me a 
venting outlet!)

 -Ben

p.s. I just converted a friend in Phoenix from Exchange to RH9.0 w/sendmail and 
MIMEdefang, etc...etc...



David F. Skoll wrote:
> I don't think that's necessarily true.  I think it's more like they can't
> afford to care.  If ISPs had to deal with every single instance of spam,
> malware or attempted hacking, they'd go out of business.  The support
> costs would be way too high.
>
> I used to try to track down port-scanners, attempted-relayers, etc. but
> it quickly got boring and tiresome.  I now see most of that as simply
> the background noise of the Internet, and only react to large or persistent
> threats.
>
> Regards,
>
> David.
--
Ben Kamen - O.D.T, S.P.
--
Home: [EMAIL PROTECTED]   http://www.benjammin.net
Work: [EMAIL PROTECTED]
gPG Pub Key - http://www.benjammin.net/www/pages/library
*
* NOTE: Opinions and Views discussed via email are my own and not that  *
* of the State of Illinois, University of Illinois or the Illinois Dept *
* of Natural Resources. *
*


Re: [Mimedefang] Extremism or just leveling the playing field..

2004-04-11 Thread Ben Kamen
Well, I did it last night - I wrote an event driven TCL script that 
watches the mail log for sendmail's RCPT Flood message and then 
blackholes the IP address... then, after a user specified time limit, it 
will remove the blackhole automatically. Any add/delete actions are 
saved in a text file in /tmp in case the system reboots or whatever... 
so just run it again and it will fix itself. It's TCL - EVERYONE should 
be able to make sense of it.

If anyone would like a copy... feel free to contact me off the list.

My only request if you're going to use it is not to laugh at my 
programming. I'm not a programmer.. I'm a hardware guy who programs at 
gunpoint. ;)

 -Ben







Re: [Mimedefang] Extremism or just leveling the playing field..

2004-04-11 Thread Stephen Smoogen
On Sun, 11 Apr 2004, Ben Kamen wrote:

> Well, I did it last night - I wrote an event driven TCL script that
> watches the mail log for sendmail's RCPT Flood message and then
> blackholes the IP address... then, after a user specified time limit, it
> will remove the blackhole automatically. Any add/delete actions are
> saved in a text file in /tmp in case the system reboots or whatever...
> so just run it again and it will fix itself. It's TCL - EVERYONE should
> be able to make sense of it.

Well I wouldn't but that is beside the point :). I think David would 
appreciate it though.

> If anyone would like a copy... feel free to contact me off the list.
>
> My only request if you're going to use it is not to laugh at my
> programming. I'm not a programmer.. I'm a hardware guy who programs at
> gunpoint. ;)

That's ok, you can come to the Programmers Anonymous on Sundays.


-- 
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --


Re: [Mimedefang] Extremism or just leveling the playing field..

2004-04-11 Thread Ben Kamen

Heheh, isn't anyone else doing this? I would imagine so...


On Sun, 11 Apr 2004, Stephen Smoogen wrote:


> Now you just need to add a signed peer2peer networking scheme so that
> you can share that info with hosts that are also on the network and then
> 4. profit.




Re: [Mimedefang] Extremism or just leveling the playing field..

2004-04-09 Thread Daniel Taylor
Ben Kamen wrote:
> Boy, as I sit here and watch the spammers try to
>
> A: use me as a relay (same IP, multiple tries)
> B: scan for usernames
> C: try and deliver to bogus names I've used on the net
>
> I would love to have a hook in mimedefang to auto-blackhole these
> IP's... kinda like the greylisting where the entry times out after a
> while.. but after so many misses, the IP gets null-routed...

I have thought about this too, especially when I was watching this poor
sod with an infected machine out in NY hitting me with dozens of virus 
e-mails yesterday.

A temporary IP blackhole, say with a variable timeout ranging up to 
about a month, would be good. It could probably be done with the 
existing greylist code. I don't think I could deploy something like that 
at work (yet), but at home it would be sweet.

> I know there's probably ways to do this.. I'd just have to sit down and
> do it.. but don't have the time...
>
> But don't you guys and gals get mad when you see some pathetic loser try
> and bash the doors down to your mail server??

Yeah, just want to route them out of existence.

> Yeesh. I'd like to rub the nose of my local legislative reps in this
> stuff...

Bad idea, but it would be nice to be able to call the cops on folks
trying to break into your servers just like you would if they were 
trying to break into your office. But who would you call?

--
Daniel Taylor  VP OperationsVocal Laboratories, Inc.
[EMAIL PROTECTED]   http://www.vocalabs.com/(952)941-6580x203


Re: [Mimedefang] Extremism or just leveling the playing field..

2004-04-09 Thread Ben Kamen
That's pretty funny...

actually.. Now that I think about it, I might have a TCL script that 
with some modification could probably do this for me...

I think I might look into it this weekend... heheh.. thanks!

 -Ben

Stefano McGhee wrote:

>> I would love to have a hook in mimedefang to auto-blackhole these
>> IP's... kinda like the greylisting where the entry times out after a
>> while.. but after so many misses, the IP gets null-routed...
>>
>> I know there's probably ways to do this.. I'd just have to sit down and
>> do it.. but don't have the time...
>
> Hello Ben,
> Take a look at
> http://lists.roaringpenguin.com/pipermail/mimedefang/2003-March/013811.html
> .  Chad Stalvey got annoyed with this too awhile back and I remember
> thinking it was quite an interesting solution.




Re: [Mimedefang] Extremism or just leveling the playing field..

2004-04-09 Thread SRAR Mail Administrator
On Apr 8, 2004, at 6:41 PM, Ben Kamen wrote:

> Boy, as I sit here and watch the spammers try to
>
> A: use me as a relay (same IP, multiple tries)
> B: scan for usernames
> C: try and deliver to bogus names I've used on the net
>
> I would love to have a hook in mimedefang to auto-blackhole these
> IP's... kinda like the greylisting where the entry times out after a
> while.. but after so many misses, the IP gets null-routed...
>
> I know there's probably ways to do this.. I'd just have to sit down
> and do it.. but don't have the time...

If you're running your mail server on Linux, you can actually do this 
fairly easily - although it is outside of MD or Sendmail. grep your 
maillog for repetitive instances of an ip address attempting 
connections to unknown users and via shell scripts put offending 
numbers into your iptables file with -j REJECT. Those bozos won't even 
get close to your mail server after that [0].

> But don't you guys and gals get mad when you see some pathetic loser
> try and bash the doors down to your mail server??

Don't get mad, get even. Block them before they can even connect to 
you. This may be Extremism and YMMV; but for our situation at my 
workplace [1], it's part of an overall solution that is working well.

-Loren

[0] Don't forget to script a restart of iptables. D'Oh!
[1] We do not host mail for others. Fairly low volume: ~ 25,000 msg/day
-Loren K Louthan | tel: 818 786 2110 | AIM: LorenSRAR
-Data Communications Engineer - CRISNet Regional MLS
Government's view of the economy could be summed up in a few short 
phrases: If it moves, tax it. If it keeps moving, regulate it. And if 
it stops moving, subsidize it.
-Ronald Wilson Reagan
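
The approach described in this thread (count rejects per IP in the mail log, block with `iptables ... -j REJECT`, lift the block after a time limit, keep the state in a file), as an added example that is not code from any poster here. It is a dry run that only prints the commands; the log line format, threshold, TTL, allow list and function names are assumptions made up for illustration.

```sh
# Dry run: prints the iptables commands instead of executing them.
THRESHOLD=3                    # reject lines from one IP before it is blocked
TTL=3600                       # seconds a block stays in place
ALLOW="127.0.0.1 192.0.2.1"    # hypothetical never-block list (your own hosts)
RULE="-p tcp --dport 25 -j REJECT"

# Constructed sample lines, modelled on sendmail reject entries.
sample_log() {
cat <<'EOF'
Apr  9 10:00:01 mx sendmail[101]: i39A01: ruleset=check_rcpt, arg1=<a@example.net>, relay=[198.51.100.7], reject=550 5.7.1 <a@example.net>... Relaying denied
Apr  9 10:00:02 mx sendmail[101]: i39A02: ruleset=check_rcpt, arg1=<b@example.net>, relay=[198.51.100.7], reject=550 5.7.1 <b@example.net>... Relaying denied
Apr  9 10:00:03 mx sendmail[101]: i39A03: ruleset=check_rcpt, arg1=<c@example.net>, relay=[198.51.100.7], reject=550 5.7.1 <c@example.net>... Relaying denied
Apr  9 10:00:04 mx sendmail[102]: i39A04: ruleset=check_rcpt, arg1=<d@example.net>, relay=host.example.org [203.0.113.5], reject=550 5.7.1 <d@example.net>... Relaying denied
Apr  9 10:00:05 mx sendmail[103]: i39A05: from=<u@example.com>, size=900, relay=[192.0.2.1]
EOF
}

# stdin: mail log. stdout: IPs at or over THRESHOLD, allow-listed ones excluded.
# Log text is client-influenced, so only a strict dotted quad is ever extracted.
offenders() {
  awk -v t="$THRESHOLD" -v allow=" $ALLOW " '
    /reject=/ && match($0, /relay=[^,]*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
      ip = substr($0, RSTART, RLENGTH)
      sub(/.*\[/, "", ip); sub(/\]$/, "", ip)
      if (index(allow, " " ip " ") == 0) n[ip]++
    }
    END { for (ip in n) if (n[ip] >= t) print ip }' | sort
}

# $1 = now (epoch seconds), $2 = state file, stdin = mail log.
# Records "ip expiry" for each new offender and prints the rule to add.
block_new() {
  offenders | while read -r ip; do
    awk -v ip="$ip" '$1 == ip { f = 1 } END { exit !f }' "$2" 2>/dev/null && continue
    echo "$ip $(( $1 + $TTL ))" >> "$2"
    echo "iptables -I INPUT -s $ip $RULE"
  done
}

# $1 = now, $2 = state file. Prints the delete for each expired block, prunes state.
expire_old() {
  [ -f "$2" ] || return 0
  awk -v now="$1" -v r="$RULE" '$2 <= now { print "iptables -D INPUT -s " $1 " " r }' "$2"
  awk -v now="$1" '$2 > now' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

state=$(mktemp)    # for real use keep this in a root-only directory
sample_log | block_new 1000 "$state"; expire_old 5000 "$state"; rm -f "$state"
```

Because the state file survives a reboot, re-running `expire_old` and replaying the remaining entries restores the blocks, and the allow list keeps a burst of rejects from a trusted relay from locking it out.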
