Abuse procedures... Reality Checks

Pete Templin wrote:

John R Levine wrote:

I don't have PI space, but I do have a competent ISP so I've never had any
mail problems due to adjacent addresses.

Having a competent ISP isn't a guarantee of exemption...only a contributor. As evidenced by the discussion, some people choose the scope of their wrath arbitrarily.


Frank Bulk wrote:

> Sounds a lot like throwing something against the wall and
> seeing what sticks. Or vigilantism.

Vigilatism would be me causing offender's router to flap out of existence.

Matthew Black wrote:

> Um, with that reasoning, why not just block the whole /0 and
> be done with it?

Why should filtering on this level have to be done. Why not prevent one's
own users from sending out bad traffic. I can see why large provider
would have an issue with this, but how about using IDS' on the way out
as well. This way not one machine on your network can harm another
machine on your own for starters, and someone elses. Sound too Zen.

> Why not get yourself some sort of IDS/IPS
> system or fully firewall your hosts.

What happens when this isn't an option. What do you do when managing
networks on budgets that didn't call for extra equipment. Should I let
a network of mine get compromised for the sake of not having enough in
the budget, or should I explain to the client after the compromise,
"well you really didn't give me enough money." That will sure teach
him a thing or two about technology they 1) don't care about 2) won't
understand no matter how much its explained. Maybe I can repeat this
to myself while I file unemployment papers.

> If you have a spam problem, get an e-mail security
> appliance which uses reputation filtering to reject
> connections?

And for those clients whose budgets constraints prevented this? Should
I a) allow them to receive thousands of Viagra messages b) allow their
logfiles to fill with thousands of entries and false positives on SSH
attacks c) allow viruses and worms to make my job more difficult.

I never stated my solution was a "best practice". I stated what I've
been doing and strangely its been effective for me. Yes I do have to
answer to clients on why THEIR clients, friends, etc have their
providers blocked, and after it is explained to them along with
logfiles to support my blocks, my clients are right behind me in
blocking ranges. To me it isn't the automated blocking isn't that
hard to do, that's what shell scripting is for and I have no problems
blocking huge blocks (/8's) if need be.

As I stated, if I can take the time to make sure nothing malicious is
leaving my networks - which altogether is now comprised of about a /16
if I added all ranges up - then why can't some of these other networks
do the same. Especially the ones who can actually afford to go out and
drop a couple of thousand, even hundreds of thousands on so called
security products. If I can do it via ACL's, Linux boxes, syslog, etc.,
without incurring more costs to my clients, surely some of you bigger
cats can do the same. I look at is a bad policy, laziness, and lack of
a clue or two. And I sincerely mean this in the utmost non-disrespectful
logical - call it how I see it manner. No reason to have filth leaving
your network. If it does its because of bureaucratic BS (policies),
lack of how to administrate a network correctly or laziness.

Maybe my next step will be to post some of the emails from admins who
were contacted and responded with the same old "Oh our abuse desk is
right now it." Or some other generic crap, all the while my net is
getting hit up. Or to re-state the strangeness coming from a response
from a CISSP in NASA: "We were doing test on our network which is
why your machine was getting bruteforced..." Oh really? On a side
note, kudos to those who do take the time to respond, and to those
who actually take a minute or two to digest it all in after I've
rambled on for too long...

Next thread anyone :wink: