[Dshield] Users don't pay attention

admin admin at bartonphillips.com
Sat Aug 20 18:17:56 GMT 2005

Robert Nelson wrote:

>In a previous reply to this thread, which I seem to have deleted, Barton, I
>believe, made note that ISPs should be more proactive in blocking ports,
>keeping an eye on the traffic on their network, and so on.
>That would be a grand idea. They could at least block the nastier ports,
>such as 445. I don't think blocking that port would hurt any legitimate
>internet traffic! It may even stop (or at least severely impede) a worm or
>Perhaps some ISPs don't want to monitor traffic due to the cost. They'll
>have to pay humans to contact the offender, or at least deal with irate
>customers if the process is automated and simply disconnects them. It always
>seems to come down to profits, doesn't it?
>My ISP does filter SPAM quite effectively, which is nice, but they don't
>block any ports. They also have anti-virus software scanning your incoming
>The BIG surprise, which I discovered just an hour or so ago, is that they
>are providing ZoneAlarm Security Suite (the one with ant-virus and the whole
>shebang) free to it's customers, with a licence good for 3 installations.
>(Regular price $69.95 US for a one-year, one-PC licence.) So naturally, it
>being free, I nabbed it and installed it. After installing and rebooting, I
>found that the "Product update service expires in 7305 days." That's a 20
>Year licence! Heck of a deal! It should be noted, however, that they never
>sent any notification or advertised that fact... You would have to be
>surfing their site to find it.
>So perhaps some ISPs are catching on. The two big ones here in my area here
>in Canada are both offering anti-virus, anti-spam, and the like for free.
>And now firewalls. Let's hope the trend spreads.
>In the meanwhile, we who know better should still endeavour to educate those
>who do not.
First, if the ISP's in the US aren't careful and don't start doing some 
proactive things  voluntarily   the Congress will get evolved and really 
F... things up for them and us.

Second, as with health care and a lot of other things Canada and 
Canadian ISP's are a lot further ahead of the wave than the US. I have 
SBC Yahoo DSL and Yahoo does provide 1) Anti-Virus, 2) Parental Control, 
3) Pop Up Blocker, and 4) Anti-Spy programs for download from their 
site. You have to look pretty hard to find the stuff but it is there. I 
like ZoneAlarm with AntiVirus a lot as it provides a pretty good Client 
Firewall for all versions of Windows not just XP. A note, SBC Yahoo only 
provides these packages if you are using Internet Explorer.

"Abuse" <abuse at what4now.com>
and Craig Webster wrote:

>A few ISPs in the UK block outgoing port 25 which is great for  
>> reducing the amount of spam originating inside their network getting  
>> outside but is a bugger if you wanted to do something like - shock,  
>> horror - use some other smtp server. Luckily my ISP isn't one of them.
>My ISP has started to block port 25 on all of its dynamic IP dialup/DSL users. 
>Soon to be followed by their static IP DSL users (which includes me) and I do
>not have a problem with this.
>You can still use another email server.  You just need to send your email out
>from your ISPs email server.  I do this all the time, the FROM:, and REPLY-TO:
>show my email address of the other email system but if you look at the headers
>you can see it did not originate there.  I have been doing this for years even
>though I have not been blocked, it was just convenient.
>>> These ISPs will block the useful ports and lock you into their  
>>> services no problem under the guise of being the superhero of the  
>>> story but as you say, it's unlikely that they'll ever monitor or  
>>> block the vast majority of their traffic. It's simply easier to say  
>>> "It's the bad guys fault. Now buy our services."
>I DISAGREE loudly.
>I think blocking port 25 is a very good strategy as this blocks most of the
>compromised computers (which is the main source of spam).  If you want to run
>your own email server then set it up to relay all of your out bound email
>through your ISPs email server.  You can still receive email directly into your
>email server without any problems.
>Please explain to me why this does not work?
Blocking some ports would indeed help the current situation. I have a 
static DSL and would be a little unhappy if I couldn't use port 25, but 
if that really helped the SPAM situation I could live with using my 
ISP's SMTP server for outgoing mail.

I also can not think of a really good reason not to block ports 135, 
136, 139, and 445. These are local network (LAN) services and have no 
real reason to be on a WAN (I could be wrong and would like to hear why 
if I am).

I have recently read about Microsoft's HoneyMonkey project which is more 
the type of thing I was originally thinking about when I first posted 
this thread. It seems to me that ISP's could identify traffic on their 
networks and pin-point the senders without too much effort. I also think 
that most of the work could be automated. If a user is found to have a) 
a zombie system or b) sending out abusive (worm, virus, Trojan, SPAM) 
material the automated system could disconnect that user after sending 
them an email (and maybe snail mail also) explaining the problem and how 
to fix it and get reconnected.

The problem is that even when ISP's receive notification via their 
abuse@ addresses they seldom do anything about it. I think they had 
better start doing a more responsible job or they will be forced to by 
governments. Maybe I am wrong but I think the problem has gotten big 
enough that politicians will soon start coming up with their usual 
knee-jerk (with the ascent on the jerk) solutions and that will be bad 
for everyone involved. If politicians get involved we will surely get 
stupid solutions and TAXES to defray the cost of the bureaucracy needed 
to implement them (look at the situation with airlines today).

It seems to me that with all the expertise here and else ware the 
community could come up  with a self regulated Internet that would work 

Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com

More information about the list mailing list