[Dshield] ISPs - How much monitoring is enough?
brad.madison at mail.tds.net
Sun Jan 18 19:00:10 GMT 2004
At 12:16 PM 1/18/2004 -0500, you wrote:
>Wrong direction. The originating IP is in your space. Do you have
>incoming abuse reports related to the packets? Fix it on your end. Call
>the client owner and ask him why.
>Are you running open relays? Why? Where is the profit in that?
You see the point. I'm saying the ISP can watch port 25 traffic for
suspicious patterns and act before any complaint arrives. These days it's
not merely open relays: spammers use Trojan Horse software (and other
means, perhaps) to install zombie servers on other people's systems. If
that happens the zombie starts sending out on port 25.
Either way: if the ISP discovers it or if the ISP receives a complaint that
tells of the illicit email the ISP could look to see the source of packets
going in to the compromised system. The source of the packets is either
the spammer (whose ISP should be notified, if the ISP isn't in league with
the spammers) or another compromised system (for which the ISP should be
There's more to ending spam than just cleaning up the problem system. Take
advantage of the situation to learn more about what the spammer is doing
and where his traffic originates - then clean up the problem.
Don't forget that the ISP could also divert the incoming traffic to a
honeypot. That's particularly easy if the compromised system is an open
relay or open proxy. This can go two ways. The ISP can hurt the spammer
enough so he goes away or he can hurt the spammer so that he is bothered
but doesn't go away. Until the spammer does go away the ISP can keep
hurting him and bothering him.
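An added example, not from the original post or the DShield list, of the two checks described above: flag customer hosts whose outbound port-25 traffic fans out to many distinct destinations in a short window, then list the external sources that sent packets into the flagged machine. The flow records and the customer prefix are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, unidirectional flow records (not real data):
# (start time, source IP, destination IP, destination port)
FLOWS = [
    ("2004-01-18T12:00:00", "10.0.0.7", "203.0.113.5", 25),
    ("2004-01-18T12:00:05", "10.0.0.7", "203.0.113.9", 25),
    ("2004-01-18T12:00:09", "10.0.0.7", "198.51.100.3", 25),
    ("2004-01-18T12:00:14", "10.0.0.7", "198.51.100.8", 25),
    ("2004-01-18T12:00:20", "10.0.0.7", "192.0.2.44", 25),
    ("2004-01-18T12:00:31", "10.0.0.7", "192.0.2.45", 25),
    ("2004-01-18T12:03:00", "10.0.0.21", "203.0.113.5", 25),  # normal host, one relay
    ("2004-01-18T12:05:00", "10.0.0.21", "203.0.113.5", 25),
    ("2004-01-18T11:58:40", "192.0.2.99", "10.0.0.7", 6667),  # inbound to the zombie
    ("2004-01-18T11:59:10", "198.51.100.77", "10.0.0.7", 8080),
]
CUSTOMER_PREFIX = "10.0.0."  # assumed: the ISP's own customer address space

def is_customer(ip):
    return ip.startswith(CUSTOMER_PREFIX)


def spam_zombie_candidates(flows, window=timedelta(minutes=10), min_distinct=5):
    """Customer hosts that open SMTP connections to >= min_distinct different
    external destinations inside any `window`. A desktop talks to one or two
    relays; a zombie fans out to many MTAs. Returns {src_ip: peak fan-out}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 25 and is_customer(src) and not is_customer(dst):
            by_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):  # sliding window from each start
            dsts = {d for t, d in conns[i:] if t - t0 <= window}
            if len(dsts) >= min_distinct:
                flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged


def inbound_sources(flows, victim):
    """External hosts that sent packets *into* a flagged machine and the
    ports they hit: the leads for who is driving the box, as the post suggests."""
    seen = defaultdict(set)
    for _, src, dst, dport in flows:
        if dst == victim and not is_customer(src):
            seen[src].add(dport)
    return {src: sorted(ports) for src, ports in seen.items()}
```

Thresholds are illustrative; a real deployment would tune the window and fan-out count against the ISP's own baseline of legitimate mail clients.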