The worst abuse e-mail ever,

The port 25 blocking seemed like a real good idea.


I disagree. Port blocking does not change user behavior, and it is user behavior that is causing this problem. Blocking just hides it. I used to believe in port blocking as the solution to many user problems, but now I have 3 and 4 page ACLs on my border routers. This does not scale. Yes, I could push this out via RADIUS to the NAS, but again this does not solve the problem. I feel blocking just pushes us closer to ports losing their uniqueness, as we have seen with PTP filesharing.

The solution I am working toward is quickly identifying user infections. We are almost there. I collect and record all traffic from the users going to dark space and am almost finished with the system that will identify who held that IP at a specific time. It is all in SQL, so that is easy. We already have a system in place where users, after multiple virus problems, must obtain protection software prior to being re-enabled. Ramping up the amount of proof we have at hand will allow us to enforce our existing AUP.

The key to changing a behavior is to create consequences for that behavior. I have noticed we never have problems getting a user to get virus/firewall software after they pay to have their box disinfected. Hitting the users first with e-mails, then phone contact, and ending with being shut off should create the consequences needed to change their behavior.

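A minimal version of the lease-history lookup described in the message above, as an added example that is not the poster's own system: the table layouts, SQL and sample rows are all constructed assumptions. The join treats lease_end as exclusive, so a hit at the exact reassignment instant is credited to the new holder, and a second query lists hits that match no lease at all (gaps in lease logging that would undermine the "proof at hand").

```python
"""Attribute darknet (unrouted address space) hits to the subscriber who held
the source IP at that moment, by joining against lease history in SQL.
Added example, not the poster's system; schema and sample rows are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE leases (user TEXT, ip TEXT, lease_start INTEGER, lease_end INTEGER);
CREATE TABLE darknet_hits (ts INTEGER, src_ip TEXT, dst_ip TEXT);
"""

# Constructed sample data: 10.0.0.5 is reassigned at t=1000 (alice -> bob);
# bob's lease is still open (lease_end NULL). Times are epoch-like integers.
LEASES = [
    ("alice", "10.0.0.5", 0, 1000),
    ("bob",   "10.0.0.5", 1000, None),
]
HITS = [
    (900,  "10.0.0.5",  "192.0.2.10"),  # alice still held the IP
    (1000, "10.0.0.5",  "192.0.2.11"),  # boundary: lease_end exclusive -> bob
    (1500, "10.0.0.5",  "192.0.2.12"),  # bob
    (1600, "10.0.0.5",  "192.0.2.13"),  # bob
    (700,  "10.0.0.77", "192.0.2.14"),  # no lease record -> unattributed
]

# Point-in-time join: a hit belongs to the lease active at ts.
ATTRIBUTION_SQL = """
SELECT l.user, COUNT(*) AS hits
FROM darknet_hits h
JOIN leases l ON l.ip = h.src_ip
  AND h.ts >= l.lease_start
  AND (l.lease_end IS NULL OR h.ts < l.lease_end)
GROUP BY l.user ORDER BY hits DESC, l.user;
"""
UNATTRIBUTED_SQL = """
SELECT h.ts, h.src_ip FROM darknet_hits h
WHERE NOT EXISTS (SELECT 1 FROM leases l WHERE l.ip = h.src_ip
  AND h.ts >= l.lease_start AND (l.lease_end IS NULL OR h.ts < l.lease_end));
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO leases VALUES (?,?,?,?)", LEASES)
    db.executemany("INSERT INTO darknet_hits VALUES (?,?,?)", HITS)
    return db

def hits_per_user(db):
    """{user: darknet hit count}, the evidence behind e-mail/phone/shutoff tiers."""
    return dict(db.execute(ATTRIBUTION_SQL).fetchall())

def unattributed(db):
    """Hits with no matching lease: gaps in lease logging that need fixing."""
    return db.execute(UNATTRIBUTED_SQL).fetchall()
```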

I'll admit to not knowing too much about this project, but what you are describing sounds similar in part to the Network Admission Control that Cisco is pushing - an automated way of ensuring user machines are protected before being admitted onto the network.

Here is a link to their site on the subject:

- Jeff