csanterre at MerchantsOverseas
Feb 3, 2004, 7:18 AM
Post #4 of 8
> -----Original Message-----
> From: Duncan Hill [mailto:satalk [at] nacnud]
> Sent: Tuesday, February 03, 2004 8:52 AM
> To: spamassassin-users [at] incubator
> Subject: Re: OT - myDoom why not fight back?
> On Tuesday 03 February 2004 13:45, Fred wrote:
> > This concept was done before (welchia?) but they made a bad choice. My
> > intent is not to infect them with a copy of said evil program but only to
> > close the infection and inform the user, no harm done.
> > I'm thinking this would be just as bad as creating a virus, but at least
> > someone was fighting for the people!
> The problem is, what if your 'benign' fix doesn't account for something it has
> never seen before, and (at a long stretch) formats the drive of the machine
> it is trying to fix? Which is worse, the fix or the problem?
> It's a nice idea, but really and truly, the fix should be made in other ways,
> including but not limited to:
> * ISPs disabling port 25 outbound from client IP pools unless the client can
> prove a reason to have that access. Everyone else either gets blocked, or
> use transparent proxying to force port 25 to the ISP mail server.
> * ISPs running AV engines on inbound and outbound queues. This has the effect
> of slowing mail down a bit, but it's worth it.
> * Companies setting their firewalls to not allow 25 outbound from anything but
> a registered mail server.
> * Companies running combination gateway + server + desktop AV engines
> None of those options are cheap, but they are doable. If you can, run the
> outbound SMTP checker before the 200 status code returned on the DATA
> segment. Deliveries will take a bit longer from the client point of view,
> but viruses can be rejected before they have a chance to be passed into the
The best idea I heard so far was ISPs quarantining the infected machines.
All traffic is blocked, and any website gets diverted to a web page
explaining that the user is infected and how to fix the infection. This does
require active scanning by the ISP.
On a side note, to stop some of the DDOS, is it possible for ISPs to static
route a domain to local 127.0.0.1? So for the first day of a scheduled
DDOS, an ISP would route all www.sco.com traffic to the users' own system.
That would save a lot of traffic :)
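The two ideas in this post and the quoted one, "active scanning by the ISP" to find infected hosts and a firewall that only lets a registered mail server talk on port 25, can be sketched together. The following is an added example written for this page; it is not code from the thread, from SpamAssassin, or from any ISP. It assumes flow records of the form (timestamp, source IP, destination IP, destination port), a client pool of 10.0.0.0/24, one registered relay at 10.0.0.2, and a quarantine portal at 192.0.2.1; all of those values and the sample flows are constructed for the example. A host inside the pool is flagged when, within a sliding window, it opens TCP/25 connections to more distinct destinations than a mail client normally would. The rule text uses iptables syntax and is emitted as strings rather than applied.

```python
"""Added example, not from the thread: spot hosts behaving like a mass-mailing
worm in constructed flow records, then emit egress rules that (a) let only the
registered relay send on TCP/25 and (b) push flagged hosts into a walled garden
whose web traffic lands on an "you are infected" portal.

Assumed inputs (mine, not the poster's): tuples (epoch_seconds, src, dst, dport).
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

CLIENT_POOL = ip_network("10.0.0.0/24")      # assumed customer/desktop pool
REGISTERED_MAIL_SERVERS = {"10.0.0.2"}       # assumed allowed relay
PORTAL_IP = "192.0.2.1"                      # assumed quarantine web page

# Constructed sample traffic:
#  10.0.0.5   : 7 distinct SMTP peers in 7 seconds   -> worm-like, should be flagged
#  10.0.0.8   : 6 distinct SMTP peers, 20 s apart     -> never >5 inside a 60 s window
#  10.0.0.2   : the relay, many peers, but allowlisted
#  192.0.2.200: many peers, but outside the client pool (not ours to police)
#  10.0.0.9   : a normal user, one submission to the relay plus some web traffic
SAMPLE_FLOWS = (
    [(1000 + i, "10.0.0.5", f"203.0.113.{i + 1}", 25) for i in range(7)]
    + [(1000 + 20 * i, "10.0.0.8", f"198.51.100.{i + 1}", 25) for i in range(6)]
    + [(1000 + i, "10.0.0.2", f"203.0.113.{i + 50}", 25) for i in range(10)]
    + [(1000 + i, "192.0.2.200", f"203.0.113.{i + 80}", 25) for i in range(8)]
    + [(1003, "10.0.0.9", "10.0.0.2", 25), (1004, "10.0.0.9", "93.184.216.34", 80)]
)


def find_mass_mailers(flows, window_s=60, max_distinct_dsts=5,
                      allowlist=REGISTERED_MAIL_SERVERS, pool=CLIENT_POOL):
    """Return {src_ip: peak distinct TCP/25 destinations seen inside the window}
    for pool hosts (minus the allowlist) that exceed max_distinct_dsts."""
    windows = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    flagged = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != 25 or src in allowlist or ip_address(src) not in pool:
            continue
        q = windows[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:    # expire entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > max_distinct_dsts:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def egress_rules(flagged, allowlist=REGISTERED_MAIL_SERVERS, pool=CLIENT_POOL,
                 portal_ip=PORTAL_IP):
    """Build ordered iptables lines (as strings) for a gateway with a default
    ACCEPT policy on FORWARD: relay may send mail; flagged hosts reach only the
    portal (their port-80 traffic is DNATed there) and everything else is
    dropped; the rest of the pool is simply denied outbound TCP/25."""
    rules = []
    for relay in sorted(allowlist):
        rules.append(f"iptables -A FORWARD -s {relay} -p tcp --dport 25 -j ACCEPT")
    for host in sorted(flagged):
        # DNAT happens in nat/PREROUTING, so by the time FORWARD sees the packet
        # its destination is already the portal and the ACCEPT below matches.
        rules.append(f"iptables -t nat -A PREROUTING -s {host} -p tcp --dport 80 "
                     f"-j DNAT --to-destination {portal_ip}:80")
        rules.append(f"iptables -A FORWARD -s {host} -d {portal_ip} -p tcp --dport 80 -j ACCEPT")
        rules.append(f"iptables -A FORWARD -s {host} -j DROP")
    rules.append(f"iptables -A FORWARD -s {pool} -p tcp --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    suspects = find_mass_mailers(SAMPLE_FLOWS)
    print("flagged:", suspects)
    for line in egress_rules(suspects):
        print(line)
```

Two practical caveats the thread itself raises apply here: the threshold and window are tuning knobs, and a legitimate but unregistered server (a developer's test box, say) would be quarantined exactly like an infected one, so the portal should tell the user how to get off the list. The sliding window is what keeps the slow, steady user 10.0.0.8 out of the list while the burst from 10.0.0.5 trips it.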