[Dshield] ISPs - How much monitoring is enough?

Brad Spencer brad.madison at mail.tds.net
Sun Jan 18 19:00:10 GMT 2004


At 12:16 PM 1/18/2004 -0500, you wrote:

>Wrong direction.  The originating IP is in your space.  Do you have 
>incoming abuse reports related to the packets?  Fix it on your end.  Call 
>the client owner and ask him why.
>
>Are you running open relays?  Why?  Where is the profit in that?

You see the point.  I'm saying the ISP can watch port 25 traffic for 
suspicious patterns and act before any complaint arrives.  These days it's 
not merely open relays: spammers use Trojan Horse software (and other 
means, perhaps) to install zombie servers on other peoples systems.  If 
that happens the zombie starts sending out on port 25.

Either way: if the ISP discovers it or if the ISP receives a complaint that 
tells of the illicit email the ISP could look to see the source of packets 
going in to the compromised system.  The source of the packets is either 
the spammer (whose ISP should be notified, if the ISP isn't in league with 
the spammers) or another compromised system (for which the ISP should be 
notified.)

There's more to ending spam than just cleaning up the problem system.  Take 
advantage of the situation to learn more about what the spammer is doing 
and where his traffic originates - then clean up the problem.

Dont' forget that the ISP could also divert the incoming traffic to a 
honeypot.  That's particularly easy if the compromised system is an open 
relay or open proxy. This can go two ways.  The ISP can hurt the spammer 
enough so he goes away or he can hurt the spammer so that he is bothered 
but doesn't go away.  Until the spammer does go away the ISP can keep 
hurting him and bothering him.







More information about the list mailing list