[Dshield] Idea for dealing with ISPs that ignore abusenotificatons was RE: The Art/Tao/Zen of Abuse e-mails (Was:[Fwd: WHY IS YOURCUSTOMER...])

Kenneth Coney superc at visuallink.com
Mon Aug 28 17:19:38 GMT 2006

It isn't just about Spam, it is the whole concept of unauthorized 
contact.  I own a small (very) company serving a niche industry and I 
send and receive correspondence via the web (aka E-mail) a lot.  
Occasionally I access other machines via the web to pull stuff off 
databases or make entries (sometimes via VPN, and sometimes via 
passworded otherwise public portals).  I am unable to conceive of a 
situation in which I would find someone else reaching out to touch my PC 
without my previously supplied consent a desirable situation.  There are 
databases that may or may not occasionally contain sensitive information 
(although there is a non-Internet-connected machine for intentionally 
storing such) and when someone needs the info they communicate in person 
and let me know.  Do I write in Corel, Word or Works?  Do I use Access 
or an old DBase III or Excel?  No one but my clients (who usually 
specify) has a need, or a right, to know, certainly not some teenage 
hacker trying to access my machine for a laugh.  How does one get on the 
approved list of a business machine like mine so they could send an 
email?  Hiring my company or me through one of the headhunter firms or 
niche industry web pages that are approved to send me email is a good 
start.  So too is meeting me, expressing an interest and supplying 
contact info.  I am not quite sure what you mean by "concept of least 
privilege," in that my life experiences have been based on "need to 
know," and my approach to IT security follows that avenue.  I would 
imagine that an intelligent Joe Sixpack would have a similar approach 
and he/she would give their email address to the people they wanted to 
have it, and not post in groups (such as this one) without a lot of 
internal debate on the pros and cons first or setting up a spam trap and 
using that email address.  Likewise, if Mr./Ms. Sixpack wishes to surf 
the web, then after disabling cookies and taking some other precautions 
(i.e., Processguard, AV software, firewalls, etc.) they would simply do 
so, they have no need to accept cookies or allow third party machines to 
detect their presence.  Is this filtering "freedom of speech?"  I would 
say no.  One always has a right to turn the TV off, or simply leave the 
meeting hall if they don't like what the speaker says.  It is rarely 
necessary to throw rotten tomatoes or punch someone in the nose to shut 
them up.  Life, liberty and the pursuit of happiness includes by default 
a right to silence and privacy which overrides another individual's 
freedom of speech.  Every person's rights end at the line where the next 
person's rights begin.

Tomas makes a good point about Kazaa, Skype, et al.  I personally find 
true point to point services too dangerous (IT wise) to allow them on my 
own machines.  Very much like turning on a wireless laptop protected 
only by WEP (see the pdf files at http://www.drizzle.com/~aboba/IEEE/ 
for a hint) and with the SSID on, a dumb thing.  Many of the messenger 
type point to point services such as AOL, MS, Trillian, etc. have an 
identifiable server that sets up the connection.  That could be allowed 
by setting an IPN range in a firewall type such as we are discussing.  
Again, Tomas is correct that the clueless Joe Sixpacks of the world, who 
are often not even aware there is a problem, probably won't set such a 
filter up themselves.  This is an industry failure.  The firms providing 
"free firewalls" and default firewalls should be offering such.  It 
could be very easy to set up with the initialization menu.  "Enter a 
website you wish to visit and allow email from," and the user types 
"cnn.com".  The firewall could (when connected to the net) then go to or 
check the address, determine the IPN and enter it into its rules.  As 
the user intentionally browses, a little screen could ask, "Permanently 
allow this website to connect to your machine? Y/N, or just allow ONE 
time? Press Y, N or 1.  Allow emails from this site?  Y/N."  How hard is 
that?  It would only be a pain in the rear for the first few days.  
After that the user habits are in the rules.  Both spammers and probes 
would be stopped cold, at least until Mr. or Ms. Sixpack decided to 
check out the porno site they found by googling an obscenity.  [Yes, on 
more than one occasion I have found evidence of visits to porn sites on 
infected machines owned and only used by, old enough to know better, 
females.  It's not just the men who are careless.]  What happens after 
that visit is, again, determined by how good the free security tools 
pre-packaged with a machine are.

Re: [Dshield] Idea for dealing with ISPs that ignore abusenotificatons 
was RE: The Art/Tao/Zen of Abuse e-mails (Was:[Fwd: WHY IS 
"Dregier, Leo A. (CMS/CTR)" <Leo.Dregier at CMS.hhs.gov>
Sun, 27 Aug 2006 21:51:19 -0400

"General DShield Discussion List" <list at lists.dshield.org>

While the idea of only allowing "approved" IPs to communicate with your
network sounds great, what do you do with the remainder who try to
reach out and touch your network?  What if they require access and are
restricted?  In security, we follow the methodology of "concept of least
privilege," right?  Would this be too restrictive, only to allow approved
IPs?  Additionally, how would one get on an approved list?

While I like the topic, I think the whole industry would have to change
in regards to how it deals with SPAM.  What about freedom of speech?  You're
essentially filtering it!  While I hate SPAM like the rest, I'm
personally interested in brainstorming further on the subject.

Lastly, I agree with leading the industry and helping to set new
trends. This has my eye!

Leo A. Dregier III
Computer Security Incident Response Capability (CSIRC)
- Incident Response Team - Incident Response Lead


Privacy Statement-
This message sent by telephone wire across a non secured line.  At 
various points in the transmission of this message it has been converted 
to RF Microwave energy, beamed to satellites and bounced back to the 
planet's surface by various telephone companies.  Some of the resulting 
backscatter has therefore escaped into deep space.  This may include 
what was written.  As this message has left the sender's control and 
passed through multiple servers over which the sender has no control, 
and as each of those server owners is unknown to the sender, along with 
the intent of the owners of those devices the original information 
conveyed by the message may have been intercepted, added to, or 
otherwise altered before being retransmitted.  Readers should also be 
aware the message has been copied automatically by multiple servers 
between this originating PC and its intended end destination PC, and no 
human alive knows how many copies now exist, how many will be made and 
stored as backups, or for how long they may continue to surface at 
various hearings and trials.  Readers should be aware that all messages 
from this computer carry this warning and any message received without 
this warning may also have been forged or altered.
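The allow-list firewall sketched above (resolve a user-entered site, add its addresses as rules, offer a permanent or one-time grant, allow a whole server range for messenger-type services), as an added Python example that is not from the post or the list. The resolution table and the inbound connection attempts are constructed from RFC 5737 documentation addresses, not live DNS or real traffic.

```python
import ipaddress

# Constructed stand-in for the "check the address, determine the IPN" step.
# A real tool would resolve live; these are RFC 5737 documentation addresses.
RESOLVED = {
    "cnn.com": ["192.0.2.10", "192.0.2.11"],
    "recruiter.example": ["203.0.113.5"],
}

class AllowListFirewall:
    """Permanent rules, single-use grants and CIDR ranges, as in the post."""

    def __init__(self):
        self.permanent = []   # ip_network objects that always pass
        self.one_time = []    # ip_network objects consumed on first match

    def allow_site(self, hostname, permanent=True):
        """Turn every address a site resolves to into a firewall rule."""
        rules = self.permanent if permanent else self.one_time
        for ip in RESOLVED.get(hostname, []):
            rules.append(ipaddress.ip_network(ip))

    def allow_range(self, cidr):
        """Allow a whole block, e.g. a messenger service's login servers."""
        self.permanent.append(ipaddress.ip_network(cidr, strict=False))

    def decide(self, src_ip):
        """Verdict for one inbound attempt: allow, allow-once or deny."""
        addr = ipaddress.ip_address(src_ip)
        if any(addr in net for net in self.permanent):
            return "allow"
        for net in self.one_time:
            if addr in net:
                self.one_time.remove(net)   # the "ONE time" grant is used up
                return "allow-once"
        return "deny"                        # unknown hosts are dropped

def run_demo():
    """Replay constructed inbound attempts against the rules."""
    fw = AllowListFirewall()
    fw.allow_site("cnn.com")                            # permanent grant
    fw.allow_site("recruiter.example", permanent=False)  # one-time grant
    fw.allow_range("198.51.100.0/24")                   # a service's block
    attempts = ["192.0.2.11", "203.0.113.5", "203.0.113.5",
                "198.51.100.77", "203.0.113.99"]
    return [(ip, fw.decide(ip)) for ip in attempts]

if __name__ == "__main__":
    for ip, verdict in run_demo():
        print(f"{ip:16} {verdict}")
```

One caveat the post does not reach: rules pinned to addresses resolved at setup time go stale when a site's addresses change, so a real tool would re-resolve periodically rather than trust the first answer forever.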
