[Dshield] DShield's Public Goals

M Cook dshieldlists at versateam.com
Fri Jan 6 00:47:04 GMT 2006

Thanks for the thoughtful note.

I must say, though, that I still am in favor of ISPs doing more to 
filter out bad stuff from or to their low-end customers. You may handle 
your mail and other services more securely than your ISP, but most of 
their other customers are completely clueless. Admitting that they are 
adversely affected by security issues isn't necessarily going to change 
that. There seems to be a booming sale in A/V products, but there must 
be gobs of machines out there that are not protected, else why would 
there still be so many viruses -- and even those who have admitted they 
need help enough to buy additional software aren't really protected from 
all the vectors.

For you, I'd say pay a few bucks more a month, get a static IP and run 
your servers. I'd expect the restrictions on low-end customers would be 
a matter of contract (get this level of service, pay this each month). 
I'd also expect the minimal filtering we are talking about -- preventing 
botnets among the low-end customers from having unlimited ability to 
spam the rest of us, for example -- to be beneficial for the most people.

I'd agree with you, however, if the static IP, higher level of service, 
option were not available, or priced out of reach. I'd also agree with 
you if they restricted lots of services at the low end just so they 
could get more customers paying a higher fee. But if the problem of 
spamming botnets and other malicious actors can be mitigated by 
restricting low-end home users to using their ISP's SMTP, or blocking 
SMTP connections to my mail server from the residential dynamic IP 
customers, I'll support it, until or unless someone points out a more 
effective way to do it.

josh at theoubliette.net wrote:

>Not to put too fine a point on it, but what if I, as a security
>professional, know how to run a mail server more securely than my ISP
>(less spam, less viruses, RFC-compliant)?  I would like to be able to do
>so and not be limited by the fact that they either don't have the time or
>knowledge or simply choose not to implement a quality solution with
>security first over simplicity.
>I simply don't trust my ISP when it comes to security, as it is not in
>their cost/pricing model and when they happen to do it, they typcially get
>something wrong that only gives the illusion of security.  Worse yet, I
>might be forced to live with their rotten choice of products to implement
>security.  I'm sure many of us will testify to being forced to use an
>inferior security product for some reason or another.

More information about the list mailing list