The worst abuse e-mail ever, sverige.net

Blocking just hides it. I used to believe in port blocking as the solution
to many user problems, but now I have 3- and 4-page ACLs on my border
routers. This does not scale. Yes, I could push this out via RADIUS to the
NAS, but again this does not solve the problem.

The solution I am working toward is quickly identifying user infections.
We are almost there. I collect and record all traffic from the users going
to dark space and am almost finished with the system that will identify who
held that IP at a specific time. It is all in SQL so that is easy.

Our system is similar, except we block port 25 completely via RADIUS after
we detect an outgoing virus or spam, then notify the customer. This
eliminates the ACLs on the border routers. The user can still surf freely
to download patches while not causing further damage. Some users just don't
want to be bothered and just use webmail to send E-mail and keep the block
forever.

hackerwacker@cybermesa.com:

> The solution I am working toward is quickly identifying user
> infections. We are almost there. I collect and record all traffic

Umm ... you mean you wire-tap all "my" email messages? (Anyone
still wonders why I don't trust my ISP?)

I wonder if my Telco listens in on all my telephone conversations
too? And the post office! My letters?

(Oops, sorry, shouldn't make analogies. :wink:)

> from the users going to dark space

Umm ... please define "dark space".

> and am almost finished with the system that will identify who held
> that IP at a specific time. It is all in SQL so that is easy.

Mmm. User privacy in its glory?

niceman@att.net:

> Our system is similar, except we block port 25 completely via RADIUS
> after we detect an outgoing virus or spam,

Detect how?

> then notify the customer. This eliminates the ACL's on the border
> routers. The user can still surf freely to download patches while
> not causing further damage. Some users just don't want to be
> bothered and just use webmail to send E-mail and keep the block
> forever.

This latter part is OK. It opens up a way out for those who want to,
and a different service for those who don't.

        Cheers,
          /Liman

>> Our system is similar, except we block port 25 completely via RADIUS
>> after we detect an outgoing virus or spam,

> Detect how?

We don't sniff traffic for suspicious signatures at this point. Viruses
are eventually caught by the assumption that "send to everyone in the
address book" eventually will hit an address on the same mail server.
Quarantined viruses are categorized by local user and IP address to identify
the sender from RADIUS accounting records.

Spam is based only on reports - those Spamcop reports are acted on by
some people!
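The lookup that both james's dark-space collector and niceman's virus quarantine rely on, resolving a source IP plus a timestamp to the subscriber from RADIUS accounting start/stop records, as an added Python/sqlite3 example that is not code from any poster in this thread. The table names, columns, sessions and hits are all constructed for the illustration; note the open session (no Accounting-Stop yet) and the gap during which nobody held the address.

```python
# Added example (not from the thread): map a dark-space hit back to the
# subscriber who held the source IP at that moment via RADIUS accounting.
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    username   TEXT NOT NULL,
    framed_ip  TEXT NOT NULL,
    acct_start TEXT NOT NULL,  -- ISO-8601 UTC so strings compare as times
    acct_stop  TEXT            -- NULL while the session is still open
);
CREATE TABLE darknet_hits (    -- only src/dst IP pairs plus a timestamp
    src_ip TEXT NOT NULL,
    dst_ip TEXT NOT NULL,
    seen   TEXT NOT NULL
);
"""

# Constructed sample: 10.0.0.7 is held by alice, released, then reassigned to bob.
RADACCT = [
    ("alice", "10.0.0.7", "2004-03-01T08:00:00", "2004-03-01T12:00:00"),
    ("bob",   "10.0.0.7", "2004-03-01T12:30:00", None),  # still online
    ("carol", "10.0.0.9", "2004-03-01T09:00:00", "2004-03-01T23:00:00"),
]
HITS = [
    ("10.0.0.7", "192.0.2.77", "2004-03-01T11:59:30"),  # during alice's session
    ("10.0.0.7", "192.0.2.78", "2004-03-01T13:05:00"),  # during bob's open session
    ("10.0.0.7", "192.0.2.79", "2004-03-01T12:10:00"),  # gap: nobody held the IP
    ("10.0.0.9", "192.0.2.80", "2004-03-01T10:00:00"),  # carol
]

# A hit is attributed to the accounting session whose interval covers it;
# an open session (acct_stop IS NULL) covers every instant after its start.
ATTRIBUTE_SQL = """
SELECT h.src_ip, h.dst_ip, h.seen, a.username
FROM darknet_hits AS h
LEFT JOIN radacct AS a
  ON a.framed_ip = h.src_ip
 AND a.acct_start <= h.seen
 AND (a.acct_stop IS NULL OR h.seen < a.acct_stop)
ORDER BY h.seen
"""

def attribute_hits(radacct=RADACCT, hits=HITS):
    """Map (src_ip, seen) of every hit to the username, or None if unmatched."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?)", radacct)
    db.executemany("INSERT INTO darknet_hits VALUES (?,?,?)", hits)
    return {(s, t): u for s, _d, t, u in db.execute(ATTRIBUTE_SQL)}
```

A hit that falls between two sessions comes back as None rather than being charged to the previous or next holder, which is the case an abuse desk most needs to get right before notifying anyone.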

hackerwacker@cybermesa.com:
>> The solution I am working toward is quickly identifying user
>> infections. We are almost there. I collect and record all traffic

> Umm ... you mean you wire-tap all "my" email messages? (Anyone
> still wonders why I don't trust my ISP?)

> I wonder if my Telco listens in on all my telephone conversations
> too? And the post office! My letters?

Chill out. I am just collecting source and destination IP pairs, that is all
I record.

> (Oops, sorry, shouldn't make analogies. :wink:)

>> from the users going to dark space

> Umm ... please define "dark space".

See either the posts by Paul Vixie or Rob Thomas on this.

james