[Asrg] Re: Asrg Digest, DNSBL BCP v.2.0
Chris Lewis
clewis at nortel.com
Sat Mar 3 11:14:56 EST 2007
gep2 at terabites.com wrote:
> On Fri, 02 Mar 2007 23:19:03 -0500
> Stephanie Erin Daugherty <stephanie at ahbl.org> wrote:
>> Ok... I'm putting on my Nomex suit for this reply.
>> Routeable addresses are not inherently less secure. NAT is not the
>> only way, or even a good way to secure hosts.
>
> Securing the hosts is not the issue here. Nor, in fact, securing
> clients! The fact is however that typical user desktop machines are
> SAFER if just anyone anywhere on the Internet can't reach out and poke
> them directly.

"Safer", but these days, NOT that much safer. Most spambots these days
DO NOT require inbound connections from the Internet to function, and
therefore a NAT doesn't help, and in fact becomes the explicit hindrance
you reported.

> That's fine for companies like General Motors or Ebay or Amazon. What
> you're suggesting is arguably inappropriate for a 15-person company with
> NO inhouse IT staff at all (say, a doctor's office). We're talking
> about a company here that uses ONE single Novell server running the
> whole company.

Securing the NAT so that _only_ that one single Novell server can reach
the Internet on port 25 would have most likely completely eliminated the
problem you were seeing.

> Ironically, the solution we (at least initially) had to go to involved
> us moving AWAY from our inhouse outgoing MTAs, and having to ENABLE the
> applications at individual user desktops to route their e-mails directly
> to out-of-house servers. This is not safer, and is also MUCH slower
> as viewed by the users than allowing their inhouse mail servers to
> buffer such operations.

That also works to get your "critical" email out, but won't prevent the
NAT from abusing the Internet if you haven't also secured the NAT
against outbound port 25 connections.

> Note that the blacklisting taking effect at E-fax, specifically (and
> which suddenly prevented the company from sending out more than 500
> faxes a day) happened at least three days after (TTBOMK) the infection
> HAD been cleared up.

Three days _after_ you removed the listing? That seems unlikely.

> (Of course, who can be sure? The blacklisting
> company doesn't tell us EXACTLY what they were blacklisting us for).

Did you ask? The CBL (main component of the XBL) is pretty good at
explaining what happened.
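
The reply above argues that only the one mail server should be able to make outbound port 25 connections through the NAT. One way to check whether that holds is to scan the gateway's connection log for any other LAN host doing so. This is an added example, not part of the original message; the LAN range, the mail server address and the netfilter-style log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the original message): the LAN range, the mail
# server's address, and netfilter-style LOG lines written by the NAT gateway.
LAN = ipaddress.ip_network("192.168.1.0/24")
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample log, using documentation address ranges for remote hosts.
SAMPLE_LOG = """\
Mar  3 09:00:01 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=40112 DPT=25 SYN
Mar  3 09:00:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=1045 DPT=25 SYN
Mar  3 09:00:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP SPT=1046 DPT=25 SYN
Mar  3 09:00:03 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.80 PROTO=TCP SPT=1047 DPT=25 SYN
Mar  3 09:00:04 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.25 PROTO=TCP SPT=5120 DPT=587 SYN
Mar  3 09:00:05 gw kernel: IN=eth1 OUT=eth1 SRC=192.168.1.40 DST=192.168.1.10 PROTO=TCP SPT=3301 DPT=25 SYN
Mar  3 09:00:06 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=2210 DPT=25 SYN
Mar  3 09:00:07 gw kernel: IN=eth1 OUT=eth0 SRC=garbled DST=198.51.100.7 PROTO=TCP SPT=1 DPT=25 SYN
"""

def rogue_smtp_sources(log_text, lan=LAN, mail_server=MAIL_SERVER):
    """Count outbound TCP/25 attempts per LAN host that is not the mail server."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue  # not SMTP; port 587 submission to a relay is ignored here
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # skip truncated or malformed log lines
        # Internal delivery to the in-house server is fine; direct-to-Internet
        # SMTP from anything other than the mail server is what gets an IP listed.
        if src in lan and dst not in lan and src != mail_server:
            hits[str(src)] += 1
    return hits

if __name__ == "__main__":
    for host, count in rogue_smtp_sources(SAMPLE_LOG).most_common():
        print(f"{host}: {count} direct outbound port 25 attempt(s)")
```

Any host this reports is one the NAT should be blocking on outbound port 25, and is a candidate for an infection check.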