[Dshield] 0wnlng Windows machines
tonni at hetnet.nl
Sat Feb 24 10:10:16 GMT 2007
I'm the mailadmin of a low-volume high school site in Amsterdam, NL; we
run a Postfix 2.3 MTA with lots of knobs to twiddle.
One of the things I do is twiddle the knobs; as I've written before, we
block a lot of stuff before we accept it. We don't block it at the
perimeter, we let the MTA block it, mostly using cidr subnet blocks, but
also using rules detailed in RFC 821 and greylisting, as well as, as a
last resort, 4 DNSRBL sites. Postfix also makes it possible to see each
refused connection, together with the smtp conversation that takes place
and why we refuse clients. I make full use of that possibility.
We also run a utility called p0f with which I analyze the operating
system of each client connecting to port 25 on our MTA. For instance, it
tells me that iceman12-int.giac.net is running Linux 2.4-2.6 and was up
for 3413 hours on Feb 24 at 01:47:28 CET.
I produce pretty bar graphs with it, and these will be available for a
couple of days at https://mail.barlaeus.nl/p0f. Normally they're
excluded from unrestricted Internet access.
One of the things I've found out over the past few months is that
around 98% of all the clients we block are Windows machines; which
variants you can see from the graphs. It's patently obvious that most
0wn3d machines are w2k with patch 4/XP with patch 1 and very few are
W2003. Now assuming the w2k and XP users have been savvy enough to patch
their W2k/XP machines, can anyone tell me the most obvious reasons that
they're getting 0wn3d? Presumably the users intelligent enough to patch
are also savvy enough not to click on things they're told not to, to
enable stupid p2p, to visit nasty web sites and so on. Or are they? And
why are there (proportionally) so few w2003 machines refused?
One of the reasons I ask, apart from curiosity, is to note how new
spammer software patterns develop, how much spammers keep to the same
old stupid configuration, and similar.
PS: All of our site's 100 or so Windows XP workstations (which I don't
configure, thank goodness) get their Internet stuff over a Smoothwall
blocking proxy, all are forced to SASL authenticate to our MTA alone for
sending, their mail (when it comes in) has gone through 3 AV scanners
and a hyper-good spam filter, and they run Sophos SAV regularly on their
ghost-imaged HDs. Their profiles and other Windows stuff is kept on a
Linux Samba 2.0.22 NT PDC (which I do configure) on which Sophos Sweep
runs regularly, so they're kept from sinning; if they were to,
reformatting and imaging their local HDs is relatively easy to do, with
loss of no personal data.
Email: tonni at hetnet dot nl