[Asrg] Software bashing [mostly OT, but on at the end]
Rich Kulawiec
rsk at gsp.org
Sat Jan 24 04:08:40 PST 2009
On Fri, Jan 23, 2009 at 01:07:54PM -0800, Steve Atkins wrote:
> The majority of the spam I see in my inbox (which is filtered, but not
> by anything that takes source address into account) comes, AFAICT,
> from Linux boxes or email appliances (primarily linux based).
You know what? I see pretty much the same thing in my mailbox.
But that's after:
- network perimeter filtering
- system firewall filtering
- numerous DNS existence and consistency checks
- numerous SMTP protocol checks
- numerous network allocation blocks
- numerous (okay, huge) domain blocks
- numerous subdomain blocks
- numerous other blocks
- DNSBLs
- RHSBLs
- etc.
What finally makes it through doesn't look anything like what's trying
to make it through. It's a fraction (roughly 1-2%) of the presented
SMTP traffic and very much unrepresentative.
I can say much the same thing about HTTP exploit attempts and SSH
brute-force attempts and all the other kinds of real/attempted abuse:
what's observed at the server level doesn't look much like what's
really incoming.
So the best place to measure this isn't your mailbox; it's on the
outer perimeter of your network -- at the packet level.
Or, to refine that slightly, on the outer perimeter of a network that
nobody knows you're associated with, since at least some abusers do seem
to make a point of at least trying to enumerate the ones where their
adversaries are watching.
> Which doesn't tell me much, but does suggest that A) people blaming
> Windows for all the net's ills may not be basing it on representative
> traffic and B) research is likely useful, speculation probably isn't.
I didn't blame Windows for "all the net's ills".
I said that the abuse problem is mostly a Microsoft Windows problem.
And, clearly, "abuse" is only one of the many things wrong with
the Internet.
---Rsk
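Added example, not part of Rich's post or anything from the ASRG list: a short Python script that measures the layered funnel described above (how much presented SMTP traffic each layer stops, and how the small residue that gets accepted differs from what was presented) instead of looking only at what lands in the mailbox. It assumes Postfix-style smtpd log lines plus a kernel packet-filter log on the same host. The excerpt it runs on is constructed for this illustration: documentation IP ranges and domains, made-up blocklist zones `bl.example` and `dbl.example`, and an invented `DROP` line format; the layer names are my grouping of the reject texts, not Postfix's own terminology.

```python
"""Funnel report: how much presented SMTP traffic each defensive layer
stops, and how different the residue that reaches a mailbox looks."""
import re
from collections import Counter

# Constructed Postfix-style syslog excerpt (not from the original post or any
# real server); addresses, names and blocklist zones are documentation values.
SAMPLE_LOG = """\
Jan 23 13:01:02 mx kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=25 DROP
Jan 23 13:01:03 mx kernel: IN=eth0 SRC=203.0.113.8 DST=192.0.2.1 PROTO=TCP DPT=25 DROP
Jan 23 13:01:05 mx postfix/smtpd[2101]: connect from unknown[203.0.113.10]
Jan 23 13:01:05 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.10]; from=<a@example.net> to=<me@example.org> proto=ESMTP helo=<localhost>
Jan 23 13:01:09 mx postfix/smtpd[2102]: connect from unknown[203.0.113.11]
Jan 23 13:01:09 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[203.0.113.11]: 504 5.5.2 <pc>: Helo command rejected: need fully-qualified hostname; from=<b@example.net> to=<me@example.org> proto=SMTP helo=<pc>
Jan 23 13:01:12 mx postfix/smtpd[2103]: connect from unknown[203.0.113.12]
Jan 23 13:01:12 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.12]: 554 5.7.1 Service unavailable; Client host [203.0.113.12] blocked using bl.example; from=<c@example.net> to=<me@example.org> proto=ESMTP helo=<mail.example.net>
Jan 23 13:01:15 mx postfix/smtpd[2104]: connect from unknown[203.0.113.13]
Jan 23 13:01:15 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[203.0.113.13]: 554 5.7.1 Service unavailable; Sender address [d@bad.example] blocked using dbl.example; from=<d@bad.example> to=<me@example.org> proto=ESMTP helo=<mail.example.com>
Jan 23 13:01:18 mx postfix/smtpd[2105]: connect from unknown[203.0.113.14]
Jan 23 13:01:18 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[203.0.113.14]: 554 5.7.1 <unknown[203.0.113.14]>: Client host rejected: Access denied; from=<e@example.net> to=<me@example.org> proto=ESMTP helo=<mx>
Jan 23 13:01:21 mx postfix/smtpd[2106]: connect from host.example.com[198.51.100.5]
Jan 23 13:01:21 mx postfix/smtpd[2106]: NOQUEUE: reject: RCPT from host.example.com[198.51.100.5]: 554 5.7.1 <host.example.com[198.51.100.5]>: Client host rejected: Access denied; from=<f@example.com> to=<me@example.org> proto=ESMTP helo=<host.example.com>
Jan 23 13:01:24 mx postfix/smtpd[2107]: connect from mail.example.com[198.51.100.9]
Jan 23 13:01:24 mx postfix/smtpd[2107]: 9A1B2C3D4E: client=mail.example.com[198.51.100.9]
Jan 23 13:01:27 mx postfix/smtpd[2108]: connect from relay.example.org[198.51.100.20]
Jan 23 13:01:27 mx postfix/smtpd[2108]: 0F1E2D3C4B: client=relay.example.org[198.51.100.20]
Jan 23 13:01:30 mx postfix/smtpd[2109]: connect from unknown[203.0.113.15]
Jan 23 13:01:30 mx postfix/smtpd[2109]: 5A6B7C8D9E: client=unknown[203.0.113.15]
"""

# Layers, outermost first; first match wins.  The Postfix phrases are real
# reject texts, the packet-filter line format is invented for this sample.
STAGES = (
    ("packet filter", re.compile(r"kernel: .*DPT=25 DROP$")),
    ("DNS checks",    re.compile(r"cannot find your hostname")),
    ("SMTP checks",   re.compile(r"Helo command rejected")),
    ("DNSBL",         re.compile(r"Client host \[[^\]]+\] blocked using")),
    ("RHSBL",         re.compile(r"Sender address \[[^\]]+\] blocked using")),
    ("local blocks",  re.compile(r"Client host rejected: Access denied")),
)
# smtpd logs "client=" with a queue id once it has accepted a message.
ACCEPT_RE = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=(\S+?)\[")
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (\S+?)\[")


def classify(line):
    """Name the layer that stopped this line's connection, 'accepted' for a
    message smtpd took in, 'connect' for a bare connection, else None."""
    for name, pat in STAGES:
        if pat.search(line):
            return name
    if ACCEPT_RE.search(line):
        return "accepted"
    if CONNECT_RE.search(line):
        return "connect"
    return None


def funnel(log_text):
    """Count presented attempts, per-layer stops and accepted messages, and
    the share of clients with no reverse DNS ('unknown') among connections
    versus among accepted messages, as one crude proxy for how unlike the
    presented traffic the surviving residue is."""
    stops, unknown = Counter(), Counter()
    connected = accepted = 0
    for line in log_text.splitlines():
        kind = classify(line)
        if kind == "connect":
            connected += 1
            if CONNECT_RE.search(line).group(1) == "unknown":
                unknown["connected"] += 1
        elif kind == "accepted":
            accepted += 1
            if ACCEPT_RE.search(line).group(1) == "unknown":
                unknown["accepted"] += 1
        elif kind is not None:
            stops[kind] += 1
    # Packets dropped at the perimeter never reach smtpd, so add them back in.
    presented = stops["packet filter"] + connected
    share = lambda part, whole: round(part / whole, 3) if whole else 0.0
    return {
        "presented": presented,
        "stops": dict(stops),
        "accepted": accepted,
        "passthrough": share(accepted, presented),
        "unknown_share": {"connected": share(unknown["connected"], connected),
                          "accepted": share(unknown["accepted"], accepted)},
    }


def report(stats):
    """Render the funnel as text, one layer per line."""
    lines = [f"presented: {stats['presented']}"]
    for name, _ in STAGES:
        lines.append(f"  stopped by {name:<13}: {stats['stops'].get(name, 0)}")
    lines.append(f"accepted:  {stats['accepted']} "
                 f"({stats['passthrough']:.1%} of presented)")
    u = stats["unknown_share"]
    lines.append(f"no reverse DNS: {u['connected']:.0%} of connections, "
                 f"{u['accepted']:.0%} of accepted messages")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(funnel(SAMPLE_LOG)))
```

On a real host, replace `SAMPLE_LOG` with the contents of the mail log and the firewall log for the same period, and extend `STAGES` with whatever reject texts the local access tables and policy services emit. The script cannot tell what operating system a sending host runs; the "unknown" (no reverse DNS) comparison is there only to make the point visible that the accepted set is a selected, unrepresentative slice of what was presented.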