[anti-abuse-wg] The well-behaved ISP's role in spamfight
Max Grobecker
max.grobecker at ml.grobecker.info
Thu Feb 16 14:42:19 CET 2017
Hi,

On 13.02.2017 at 22:18, peter h wrote:
> There is not any req that all customers always should be forced to use
> ISP relays, the default behaviour might be to use ISP relays, and
> to have DHCP given address. But for an extra service one could
> obtain a fixed address, and as extra service, use port 25. The main
> point is to have those "unaware" users, whose computers might be stolen,
> prevented. They won't notice, and they don't get harmed.

The best practice should be to (automatically?) block port 25 as soon as there are complaints about SPAM being sent from the according account.
Maybe some reputable blacklist providers could work together with ISPs to provide them real-time notifications for their IP allocations based on a kind of "push service".

Then (as a provider) you have:

A) Customers that can use any port unfiltered and are not complaining about blocked ports in your support department.
B) If you receive notifications about SPAM being sent you have a good reason to block specific ports for this user (and, of course, send a notification to the customer).
C) The customer is made aware that something inside his network is infected with malware which should get cleaned. The provider could offer help, fees apply.

If I block port 25 outgoing by default, the user can sit there for ages in his home network while the malware is trying to send SPAM - but the customer won't notice. "Yes, of course, the computer is very slow, but..."
As soon as the user moves his infected laptop to another network which doesn't have this blocking policy for whatever reason, the malware fires out its offers for medication to improve specific parts of the male body.

And, besides SPAM, there are also other services that are getting targeted by malware - for example SIP.
You can set up a SIP server, reachable to the whole world on port 5060/UDP and you get a feeling that specific parts of the internet are trying to place phone calls to countries you wouldn't even find on a map ;-)
THAT is more than a bit inconvenient - it's really harmful and costs real money (much money).

But: Would you block port 5060 by default? And which other ports, too?
And what about bruteforce attacks against websites?
And why aren't ISPs blocking incoming packets to port 1900/UDP or port 5454/UDP by default, which are misused for DDoS attacks?

I think blocking ports by default isn't the cure. It's just raising support volumes.
IMHO the better way is to let customers learn from it (when they get instant notifications as soon as malware starts attacking others).

Max