[Asrg] Re: Asrg Digest, DNSBL BCP v.2.0

Bill Cole asrg3 at billmail.scconsult.com
Fri Mar 2 23:52:18 EST 2007


At 6:01 PM -0600 3/2/07, <gep2 at terabites.com> wrote:

>Not being able to issue credits, deliver invoices, and send price 
>updates (and in the oil and gas business, prices change daily) is a 
>monumental burden on a company which is guilty of nothing more than 
>being a victim, just like so many other companies and individuals 
>have been (and, doubtless, will continue to be).

Being one of many careless, clueless instruments of botnet spammers 
does not make them not partly guilty.

If you connect a machine to the net, you are morally responsible for 
what that machine does on the net. That applies to dumb individual 
users and dumb oil companies alike. IP addresses that are used for 
bad behavior will properly be treated as bad actors by others. This 
is a broader issue than email; it's just that email abuse and 
response to it is the most visible manifestation. Mismanaged PCs are 
doing a lot more than spam and the only general approach


>Worse, from an Internet strategic standpoint, the dangers of this 
>kind of blunt-instrument blocking of E-mails for AN ENTIRE COMPANY 
>just because ANY ONE computer within their network is infected (and 
>it could even be an infected notebook computer carried in from home 
>and connecting to the office wireless LAN)

So why did they configure their network with a common NAT point for 
corporate mail and for badly managed PCs and let those PCs talk 
SMTP to anywhere external through it? This is not a new risk. Worms 
have existed for almost 2 decades. Segregation of corporate servers 
from personal desktops has been a common best practice for at least 
15 years. This company lacked the application of fundamental security 
principles in their network design.


>will force more companies to insist on MORE DANGEROUS separate, 
>routable IP addresses for each machine in their company....

No force at all. There are other options, such as doing separation 
internally and not allowing mismanaged PCs uncontrolled access to 
the outside world through company facilities.

The whole story portrays a fundamental business flaw. If email and 
other Internet services are business-critical, it is irresponsible to 
the business for management to not have technical competence on hand 
to deal with problems, particularly in the area of security.


-- 
Bill Cole                                  
bill at scconsult.com
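As an added example, not code from Bill or anyone else in this thread, here is the internal separation he describes expressed as an egress policy plus a log check: only a sanctioned relay may originate SMTP, and any other internal host seen connecting to outside port 25 is flagged before the shared NAT address earns a listing. The relay address, LAN range and netfilter-style log lines are constructed assumptions.

```python
import re
from collections import defaultdict

MAIL_RELAY = "192.0.2.10"      # hypothetical sanctioned corporate mail relay
DESKTOP_LAN = "192.0.2.0/24"   # hypothetical LAN sitting behind the shared NAT

# Constructed netfilter LOG-style lines; not real traffic from the company in the thread.
SAMPLE_LOG = """\
Mar  2 23:40:01 fw kernel: EGRESS SRC=192.0.2.10 DST=198.51.100.25 PROTO=TCP SPT=40001 DPT=25 SYN
Mar  2 23:40:02 fw kernel: EGRESS SRC=192.0.2.57 DST=203.0.113.5 PROTO=TCP SPT=1034 DPT=25 SYN
Mar  2 23:40:02 fw kernel: EGRESS SRC=192.0.2.57 DST=203.0.113.77 PROTO=TCP SPT=1035 DPT=25 SYN
Mar  2 23:40:03 fw kernel: EGRESS SRC=192.0.2.57 DST=198.51.100.9 PROTO=TCP SPT=1036 DPT=25 SYN
Mar  2 23:40:03 fw kernel: EGRESS SRC=192.0.2.57 DST=203.0.113.140 PROTO=TCP SPT=1037 DPT=25 SYN
Mar  2 23:40:04 fw kernel: EGRESS SRC=192.0.2.31 DST=203.0.113.80 PROTO=TCP SPT=2201 DPT=443 SYN
Mar  2 23:40:05 fw kernel: EGRESS SRC=192.0.2.31 DST=198.51.100.25 PROTO=TCP SPT=2202 DPT=25 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

def smtp_egress_by_host(log_text):
    """Map each internal source to the set of external hosts it tried to reach on TCP/25."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dpt") == "25":
            dests[m.group("src")].add(m.group("dst"))
    return dests

def unsanctioned_smtp_sources(log_text, relay=MAIL_RELAY):
    """Internal hosts other than the relay that spoke SMTP outward, with their distinct targets."""
    return {src: sorted(d) for src, d in smtp_egress_by_host(log_text).items() if src != relay}

def likely_spam_bots(log_text, relay=MAIL_RELAY, fanout=3):
    """A desktop fanning out to many distinct MX hosts looks like a bot; one target needs a human look."""
    flagged = unsanctioned_smtp_sources(log_text, relay)
    return sorted(src for src, targets in flagged.items() if len(targets) >= fanout)

def nft_egress_rules(relay=MAIL_RELAY, lan=DESKTOP_LAN):
    """nftables rules (as text): only the relay may originate SMTP; the rest of the LAN is logged and rejected."""
    return [
        f"add rule inet filter forward ip saddr {relay} tcp dport 25 accept",
        f'add rule inet filter forward ip saddr {lan} tcp dport 25 log prefix "EGRESS " reject',
    ]

if __name__ == "__main__":
    print("likely bots:", likely_spam_bots(SAMPLE_LOG))
    print("\n".join(nft_egress_rules()))
```

The accept rule must be loaded before the reject rule, since the relay address lies inside the LAN range.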
