[Dshield] Idea for dealing with ISPs that ignore abusenotificatons was RE: The Art/Tao/Zen of Abuse e-mails (Was:[Fwd: WHY IS YOURCUSTOMER...])

Dregier, Leo A. (CMS/CTR) Leo.Dregier at CMS.hhs.gov
Mon Aug 28 01:51:19 GMT 2006


Kenneth,
 
While the idea of only allowing "approved" IPs to communicate with your
network sounds great, what do you do with the remainder who try to
reach out and touch your network? What if they require access and are
restricted? In security, we follow the methodology of "concept of least
privilege", right? Would this be too restrictive, only to allow approved
IPs? Additionally, how would one get on an approved list?

While I like the topic, I think the whole industry would have to change
in regards to how it deals with SPAM. What about freedom of speech? You're
essentially filtering it! While I hate SPAM like the rest, I'm
personally interested in brainstorming further on the subject.

Lastly,  I agree with leading the industry and helping to set new
trends.  This has my eye!

Leo A. Dregier III 
Computer Security Incident Response Capability (CSIRC) 
- Incident Response Team - Incident Response Lead 

Centers for Medicare & Medicaid Services 
Lockheed Martin CITIC Security Team 
desk: 443-348-4002 
e-mail: Leo.Dregier at cms.hhs.gov 

The contents of this e-mail are confidential to the ordinary user of the
e-mail address to which it was addressed and may also be privileged. If
you are not the addressee of this e-mail you may not copy, forward,
disclose or otherwise use it or any part of it in any form whatsoever.
CMS does not accept responsibility for changes made to any e-mail after
sending.  If you have received this e-mail in error please e-mail the
sender by replying to this message.

 

-----Original Message-----
From: Kenneth Coney [mailto:superc at visuallink.com] 
Sent: Saturday, August 26, 2006 10:29 AM
To: list at lists.dshield.org
Subject: Re: [Dshield] Idea for dealing with ISPs that ignore
abusenotificatons was RE: The Art/Tao/Zen of Abuse e-mails (Was:[Fwd:
WHY IS YOURCUSTOMER...])

I went through the block anything coming from IPNs from China, Brazil,
Korea, etc. thing years ago. Started writing my own firewall mods. The
process did work for a while, but one problem I ran into is when IPs were
reassigned and the new info was posted on ARIN quickly enough. Back
then the concept was blocking spam, but it also gave the benefit of
blocking by non-response to many probes. The list of what needed to be
blocked grew longer and longer as new hackers and spammers went
online. I found myself blocking US-based ISPs as well. Figuring out who
owned what IPN and how many #s to block at each ISP ate hours every
day. I finally got it down to about 5 to 10 spam emails a day (from
about 300) accepted while still allowing legitimate mail, but doing so
was taking 4 of 5 hours of my time each day researching and comparing
logs and ARIN records, and adding new blocks, and it just wasn't worth
it. The whole process became self-defeating, and ate a lot of CPU
time/power as well, in that the machine would be crawling because each
input had to be checked for a block. A different approach I would like
to see someone market as a firewall for stand-alone computers is as
follows. There are a total of 9 ISPs containing maybe a total of 12
IPNs which I actually need to maintain communication with business-
wise. I really don't need, or want, my PC to even acknowledge the rest
of the Universe. Okay, an exception or 5 exists for my amusement; let's
add MS update (and the 10 or so IPNs it uses), an IPN providing a news
feed, maybe Dshield, NIST time and/or ebay/paypal. Following this would
leave us with a firewall into which a user can enter the specific IPNs
he/she wants the computer to acknowledge or accept mail from, and it
would be totally non-responsive to the rest of the universe and not even
accept a mail which did not contain "Received: from (pre-approved IP) #
". Would it violate RFCs? Probably, but when was the last time someone
asked for our signature of approval on one of those?
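As an added example (not code from either poster, nor from the DShield project), here is how the mail-acceptance half of the proposal, accepting only mail whose "Received:" header shows a pre-approved originating IP, could be implemented as a check in Python. The allowlisted networks, the receiving MTA name mx.example.net and the two sample messages are constructed assumptions. The example also handles the caveat a practitioner would want: only the "Received:" line stamped by one's own MTA can be trusted, because every line below it arrives as-is from the sender and can say anything.

```python
"""Allowlist-only mail acceptance check.

Added example, not from the DShield thread. Constructed assumptions:
- ALLOWED_NETWORKS is the operator's hand-maintained list of approved networks.
- Our receiving MTA is 'mx.example.net'; it prepends its own Received: header,
  so the topmost Received: line is the only one we trust. Lower Received:
  lines are supplied by the sender and may be forged.
"""
import ipaddress
import re
from email import message_from_string
from typing import Optional, Tuple

# Constructed allowlist: the handful of networks one actually does business with.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",       # constructed: business partner A
    "198.51.100.0/24",    # constructed: business partner B
)]
TRUSTED_MTA = "mx.example.net"  # constructed hostname of our own MTA

# Peer address as MTAs record it in a Received: header: "[192.0.2.25]"
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message: str) -> Optional[str]:
    """Return the peer IP our own MTA recorded, or None if it cannot be trusted.

    Header order is preserved by the email parser, and the MTA that received
    the message last adds its header first, so index 0 is our MTA's stamp.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    if f"by {TRUSTED_MTA}" not in top:
        return None  # stamped by some other host: not our MTA's record
    match = _IP_RE.search(top)
    return match.group(1) if match else None


def is_allowed(ip: str) -> bool:
    """True when ip falls inside one of the pre-approved networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def accept_mail(raw_message: str) -> Tuple[bool, str]:
    """Decide accept/reject for one message; the reason is for the log."""
    ip = originating_ip(raw_message)
    if ip is None:
        return False, "no trusted Received: header from our MTA"
    if is_allowed(ip):
        return True, f"{ip} is on the allowlist"
    return False, f"{ip} is not on the allowlist"


# Constructed sample 1: legitimately delivered to our MTA from partner A.
ALLOWED_SAMPLE = (
    "Received: from partner-a.example.org (partner-a.example.org [192.0.2.25])\n"
    "\tby mx.example.net with ESMTP id abc123; Sat, 26 Aug 2006 10:29:00 -0400\n"
    "From: billing@example.org\n"
    "To: me@example.net\n"
    "Subject: invoice\n"
    "\n"
    "body\n"
)

# Constructed sample 2: the sender forged a lower Received: line that claims
# partner A, but our MTA actually received it from an unapproved address.
FORGED_SAMPLE = (
    "Received: from bulk-sender.example.com (unknown [203.0.113.7])\n"
    "\tby mx.example.net with ESMTP id def456; Sat, 26 Aug 2006 10:30:00 -0400\n"
    "Received: from partner-a.example.org ([192.0.2.25])\n"
    "\tby relay.example.org with ESMTP; Sat, 26 Aug 2006 10:29:30 -0400\n"
    "From: billing@example.org\n"
    "To: me@example.net\n"
    "Subject: invoice\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for label, sample in (("allowed", ALLOWED_SAMPLE), ("forged", FORGED_SAMPLE)):
        ok, reason = accept_mail(sample)
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The decision keys only on the address our own MTA saw on the wire; a sender-supplied "Received:" line naming an approved IP, as in the second sample, does not help them. The maintenance cost Kenneth describes does not go away, though: the allowlist still has to be updated whenever a partner's address space moves.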