[Dshield] Where should you start - I'll wrap it myself

Ben Robb Ben at cscape.com
Wed Mar 24 12:48:19 GMT 2004


John Draper wrote:
<snip>
But with all the spam people are getting,  most are unaware that for
each spam
they get,  some infected host out there is identifying itself.   So 
reporting
spam is very important,  because a lot of it comes from infected hosts,
  and
SOME (but unfortunately not all) ISP's DO act on these complaints and
shut them down.
</snip>

Its all very well to say "report all the spam you get", but I get a few
thousand spam messages a day to various accounts. (The joys of being
active on tech mailing lists before spam was an issue). I barely have
time to sort out automatic filtering so that real emails get seen, let
alone report them all. Also, responding to all the emails would involve
sending another couple of thousand emails to further clog up my network.

It is not a problem which the end user should be resolving; ISPs can see
quite clearly when a lot of traffic on SMTP ports starts eminating from
a particular machine. It should not be a serious technical challenge to
put in some automated monitoring for this sort of traffic increase and
automatically block the traffic from the infected / compromised machine.

Rgs,

Ben Robb
Technical Consultant,
cScape Ltd.




More information about the list mailing list