[Dshield] Need some help testing

rgolodner at infratection.com rgolodner at infratection.com
Wed Jul 11 04:34:46 GMT 2007


In the end, what worked best for me and my sanity was to determine who I thought was a threat trying to connect to my mail servers. Netblocks I knew we had no business with like China, Russia, Brazil, all would be blocked by a firewall deny statement. If I saw multiple hosts trying to connect to port 25 on any of my stuff, I would add them to the deny statement. I did this on a daily basis and it was a pain in the ass, but it worked. We still received some junk, but it was kept to a bare minimum. After a week or two of checking to see what was going on I would remove the entry from one of the deny statements and if it looked safe, I would permit ingress from that network. It had to have hurt some people, but the cost versus complaint was well worth it. And, if someone was expecting mail that was being dropped, we had it sent to an alternate mailbox on another net, looked at the headers and then modified the ruleset as needed. After that I had ten firewall logs to check at my branch offices and the usual other bs, loss of WAN links, VPN problems...oh the joys.
Richard
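The daily routine described above (spot netblocks with several hosts hammering port 25, add them to the deny list, re-examine the entry a week or two later) as an added example script; it is not code from the post. The log lines are constructed in an iptables-style format, the /24 grouping, the two-host threshold and the "deny ip" output line are assumptions, not the firewall or thresholds the author used.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample firewall log lines (iptables-style fields); not from the post.
SAMPLE_LOG = """\
Jul 10 02:11:03 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=25
Jul 10 02:11:09 fw kernel: IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP DPT=25
Jul 10 02:12:44 fw kernel: IN=eth0 SRC=203.0.113.130 DST=198.51.100.10 PROTO=TCP DPT=25
Jul 10 03:01:00 fw kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP DPT=25
Jul 10 03:05:12 fw kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP DPT=25
Jul 10 03:07:30 fw kernel: IN=eth0 SRC=198.18.4.4 DST=198.51.100.10 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)")

def smtp_sources_by_netblock(log_text, prefix=24):
    """Group the distinct source hosts that hit port 25 by netblock (assumed /24)."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue
        net = ipaddress.ip_network(f"{m.group('src')}/{prefix}", strict=False)
        hosts[net].add(m.group("src"))
    return hosts

def candidate_denies(hosts, min_hosts=2, review_after_days=14, today=None):
    """Netblocks with several distinct port-25 sources become deny candidates,
    each tagged with the ISO date on which to re-examine the entry."""
    start = date.fromisoformat(today) if today else date.today()
    review = start + timedelta(days=review_after_days)
    return {str(net): review.isoformat()
            for net, srcs in hosts.items() if len(srcs) >= min_hosts}

def due_for_review(denies, today):
    """Deny entries whose review date has arrived, so the entry can be removed
    and ingress permitted again if the netblock now looks clean."""
    return sorted(net for net, d in denies.items() if d <= today)

if __name__ == "__main__":
    blocks = candidate_denies(smtp_sources_by_netblock(SAMPLE_LOG), today="2007-07-10")
    for net, review in blocks.items():
        print(f"deny ip {net}   # review on {review}")
    print("due for review:", due_for_review(blocks, "2007-07-24"))
```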

>-----Original Message-----
>From: Tomas L. Byrnes [mailto:tomb at byrneit.net]
>Sent: Tuesday, July 10, 2007 11:03 AM
>To: 'General DShield Discussion List'
>Subject: Re: [Dshield] Need some help testing
>
>If I am to sum up the attitudes of those who like blocking static
>"dynamic" addresses it is:
>
>Only businesses (or people willing to pay for business service) should
>have their own mail relays.
>
>I don't even know where to start with that one. It is a symptom of
>exactly what has gone wrong with the Internet since the telcos became a
>major force in it: a return to the hierarchical idea of the PSTN that
>the Internet beat hands down, precisely because of its decentralized,
>fundamentally peer to peer, anyone can experiment, nature.
>
>It fundamentally breaks the architecture of the Internet as a peer to
>peer system, forces people to use entities they may not trust, in many
>cases validly (given the warrantless wiretapping that has been going on,
>to say nothing of the common practice in parts of the world with little
>respect for human rights), for mail relay services, and drastically
>reduces anyone's ability to test and prototype anything using filtered
>protocols. 
>
>It's also pretty high-handed on anyone's part to call an IP address that
>they know may well actually be static, "dynamic".
>
>Sure this approach reduces SPAM, so would only white listing MTAs you
>actually trusted. Both do it for the same reason: they deny connections
>from the vast majority of the IPV4 space.
>
>You may consider that a valid approach, and if you have a small number
>of users, who either don't know what they are not getting, or don't
>particularly care, then the denial of service you are instituting may
>not matter. Effectively, what you are doing is denying all except a
>pretty well-defined set of addresses that should be "good", and then
>filtering that for the addresses that may have had a bad actor on them
>at some time in the past, and then white listing when someone complains.
>Effectively, you're building a small subset of the Internet as a SMTP
>closed user group.
>
>For larger networks, especially ones with lots of entropy in their
>legitimate peers, this approach is suspect, IMO.
>