[Dshield] DShield's Public Goals
dshieldlists at versateam.com
Fri Jan 6 00:47:04 GMT 2006
Thanks for the thoughtful note.
I must say, though, that I still am in favor of ISPs doing more to
filter out bad stuff from or to their low-end customers. You may handle
your mail and other services more securely than your ISP, but most of
their other customers are completely clueless. Admitting that they are
adversely affected by security issues isn't necessarily going to change
that. There seems to be a booming sale in A/V products, but there must
be gobs of machines out there that are not protected, else why would
there still be so many viruses -- and even those who have admitted they
need help enough to buy additional software aren't really protected from
all the vectors.
For you, I'd say pay a few bucks more a month, get a static IP and run
your servers. I'd expect the restrictions on low-end customers would be
a matter of contract (get this level of service, pay this each month).
I'd also expect the minimal filtering we are talking about -- preventing
botnets among the low-end customers from having unlimited ability to
spam the rest of us, for example -- to be beneficial for the most people.
I'd agree with you, however, if the static IP, higher level of service,
option were not available, or priced out of reach. I'd also agree with
you if they restricted lots of services at the low end just so they
could get more customers paying a higher fee. But if the problem of
spamming botnets and other malicious actors can be mitigated by
restricting low-end home users to using their ISP's SMTP, or blocking
SMTP connections to my mail server from the residential dynamic IP
customers, I'll support it, until or unless someone points out a more
effective way to do it.
josh at theoubliette.net wrote:
>Not to put too fine a point on it, but what if I, as a security
>professional, know how to run a mail server more securely than my ISP
>(less spam, less viruses, RFC-compliant)? I would like to be able to do
>so and not be limited by the fact that they either don't have the time or
>knowledge or simply choose not to implement a quality solution with
>security first over simplicity.
>I simply don't trust my ISP when it comes to security, as it is not in
>their cost/pricing model and when they happen to do it, they typcially get
>something wrong that only gives the illusion of security. Worse yet, I
>might be forced to live with their rotten choice of products to implement
>security. I'm sure many of us will testify to being forced to use an
>inferior security product for some reason or another.
More information about the list