DoN. Nichols
 
Firewalls and reporting

In article ,
Old Nick wrote:
On 2 May 2004 11:10:12 -0400, vaguely proposed a
theory
......and in reply I say!:
remove ns from my header address to reply via email

I believe you were talking about MyNetWatchman specifically.


Not exactly. I did ask for alternatives. Are there any? When you do it
yourself, email by email, hit by hit, newsgroups post by ng post, it
is simply time-consuming and disheartening.


Yes -- but that is the only way that *works* to any extent. In
terms of e-mail spam, the most careful and detailed reporting will get
good responses from *some* ISPs (those with a good record of coming
down hard on spammers).

My wife spends hours each day tracking down the source of spam,
and reporting it.

From a very few sites, she gets back reports that they have
killed the spammer's account. From a lot of others, there is only a
robo-response "We have received your report and are acting on it". No
more information ever heard. (And often the spammers just keep sending
from that source.)

So -- for those, since we run our own mail server, those IPs get
added to our private blocklist, so *no* e-mail from there gets through.
We also check recently-arrived spam against a collection of blocklists,
and the more that it is on, the more likely the site is to be IP-blocked
here. Most people (including you) are dependent on their ISP's mail
server, so this is not an option for them.

We refuse hundreds of connection attempts per day. I hate to
think what the spam situation would be like without our blocklist, and
the time we put into maintaining it.

We *could* subscribe to one of the blocklists, which would take
out a small fraction of the spam, but it sometimes will take out things
which I *want* to get, too.

And most of the spam comes from (through) somebody's Windows box
who has been compromised by a virus and turned into yet another relay
station for spam. The spammers feed it a message, and a list of
addresses, pat it on its back, and move on to the next compromised
machine.

One solution is reporting the relevant information in
news.admin.net-abuse.email and news.admin.net-abuse.sightings, and some
of the big blocklists monitor that and will add well-researched reports
to their list. Some of my wife's reports have shown up in the evidence
files offered by some of the big blocklists.

And the "reward" for that is to be put on some spammer's
sh*t-list so they forge a big run of spam to appear to come from *our*
domain. And -- for a week, we are pretty much out of communications
with the world.

I have even tried tracing stuff back, and usually end up at IANA (I
am no expert in this) who immediately have a huge statement saying
"It's not us!"


Almost anyone will say that -- even (or especially) if it is
them. The abuse people at many ISPs are totally clueless, and you have
to explain the evidence to them step by step. And Heaven help you if
you get it wrong, as they will never forget that. It helps to know
which headers you can trust (e.g. those added by my own mail server,
which is particularly good at reporting what really happened). Most of
the rest of the headers are forged at the convenience of the spammer, to
create problems for someone, or to keep them away from themselves.

If MNWM and others like it are a waste of time, it looks pretty grim
from "my" side. I was hoping that there were orgs that had people far
more skilled than I am at tracing and understanding the web.


First off -- calling it "the web" displays some of the
ignorance. The web is only one of the many services using the Internet
(with a capital 'I'), not to be confused with *an* internet, which can
be local only, or interconnected to be a part of *the* Internet.

Calling the whole thing "the web" is going to get as much
respect as calling Science Fiction "Sci-Fi" at a Science Fiction
Con(vention). If you have to be short, call it "S.F." "Sci-Fi" is used
by media people who know nothing about what they are reporting on, and
it quickly becomes obvious.

Most of the abuse desks are manned by people who are given the
job as a punishment. And most are not given the resources to do the job
right.

My ISP had a very good abuse desk, and I have gotten entire
subnets shut down while they were cleaned because they were provably
attacking me with the CodeRed worm. (And not getting anywhere, because
there were no Windows boxen on my part of the net.) And I fear that my
ISP is not going to be that good in the future. They have just been
merged with a larger ISP whose abuse record is not nearly as good -- and
their top abuse man has just left.

So -- I remain having to make sure that my own defenses are
good. And I *know* how to do that with unix flavors. There is so much
hidden in Windows that I *know* that I am bound to miss a lot, so I just
don't let them anywhere near the outside net.

While I
am willing to put in a lot of effort, I was fully aware of my
ignorance of the finer points, or anything like them.

Interestingly, my ISP, with whom I had developed quite a good rapport,
have said "Go ahead and USE MNWM, and we will get the reports
gladly". They recommend them.

I wouldn't bother
with them. As one of those on the "source ISP" end of things, we get notices
from them often and they are useless. They report that someone with foo
address tried to make a connection to baz address on this date. There isn't
enough information in the reports to determine what was happening and why,
so it gets ignored. Requests for more information from MyNetWatchman were
also never answered.


hmmmm. That is a problem. From my side, when I tried to send the full,
unparsed firewall report, I was told it was "not in the right format
for auto investigation" and I was ignored. Both my ISP and their
backbone recommended that I use MNWM, or DSHIELD.


The worst ISPs are the ones with gazillions (highly technical
meaningless number) of DSL accounts, or dialups, or cable accounts, with
a Windows box plopped on almost all of the connections, with totally
clueless people "running" them (e.g. turning them on and off, and
calling for help (maybe) if they happen to notice something wrong.)

Since these have gazillions of abuse reports flooding in, and
(at best) one or two people to deal with them, anything which requires
thought gets ignored. The same with anything which requires work.

One of the major ones has been getting SMTP (mail) connections
refused by an increasingly large number of other systems, simply because
they never do anything about their infected users. Their response to
the increasing blocking? Get new IP blocks allocated, because they are
"running out". Of course, those blocks get blocked as well. I am set
up so that one can only get e-mail to me from their *known* mail
servers. (Spammers normally bypass the mail servers, so people can't
see what is happening and stop it.) One exception was a recent virus,
which actually relayed through the ISP's mail server, and as a result, I
continually get a few "neutered" virii per day or per week, evidence
that *some* ISPs filter virii passing through their mail servers.

The *proper* solution is to turn off the routing of the SMTP
port (port 25) to and from those systems en masse, and only turn them on
for those who have demonstrated a need, and the competence to secure
their private mail servers against relaying. The normal user would
never even notice this, because the normal user uses POP to forward
e-mail to the ISP's server, and that takes care of sending things on.
The same for incoming e-mail.


MyNetWatchman doesn't seem to have any standards for how the firewalls it
allows to report problems are configured. People just put them into ultra
paranoid/delusional mode and report away. In this situation, a single
mistyped address results in a flurry of reports back to the source ISP. I
doubt any ISP takes these guys seriously.

I wouldn't waste my money on them.


I haven't. They are free. <G>. I admit they ask for donations.

OK. What they do provide is a feeling that _somebody_ is doing
something. I can assure you that it's easy to NOT feel that, as a Net
user.


Apply pressure to your ISP to act strongly and quickly against
infected systems hosted on their own net. Hope that everybody else does
the same. And protect yourself, since, even with the best will, they
can't do it perfectly. There is always a lag between the time a system
gets infected and starts sending out junk of whatever sort and when
the reports get to the ISP, so they *can* (if they will bother) shut it
down.

Your reply to Bruce, laying out actions you are taking, is
interesting. Perhaps more of that needs to be said publicly? But then
of course if there is not an instant improvement, people will say
"Yeah Yeah".


This is the sort of thing discussed in
news.admin.net-abuse.email, to which I pointed you before. (Yes, there
is other stuff going on there, as it is a target because of its
anti-spam stance.) But it is where things are discussed. The really
serious ones get onto private mailing lists to continue discussions
without (hopefully) giving away what is being done to the spammers and
the virus-writers.

But at the moment the feeling that ISPs need a kick in the butt is
easy to build, justified or not, because there is a feeling of no
reaction at all, either to private attempts, or to reporting sites
like MNWM.


Your job -- drain the swamp by yourself. Oh yes, note that the
swamp is about 25% alligators (or crocodiles for your area). How much
progress do you think you would make?

If everyone were willing to pay more for an ISP who maintains a
properly-staffed abuse desk, and who will stand behind such an abuse
person, when said abuse person terminates a lucrative account, then
*maybe* things would get better. As long as everyone is after the
cheapest net service that they can get, they get what they asked for.

As a user, who wants to protect themselves, I have _absolutely_ no
idea, if I get a hit (and I have my firewall set to medium in most
cases) what damage it does, and do not have the time or the interest
to understand it all. I do have to admit that I have only had
firewalls for maybe a month, and before that I had noticed constant
activity, in little bits, on my Net activity monitor. Nothing much
ever happened. I would run a malware checker over the machine every
day, and pick up a few funnies and kill them. But of course I had no
idea what they had done in the meantime. One of them did bite, and it
was a right royal PITA.

If the info you get is useless or questionable, then maybe it's
because there is not enough communication between firewall makers,
MNWM and you guys?


A lot of the information isn't available *from* even the best
firewall. It has to be dug out of the headers (in e-mail spam), and dug
out of the encrypted URLs in the spams. It is *work*. (There are
web-based tools to help with a lot of this -- which you will find
discussed on news.admin.net-abuse.email.)

I say that because again, Users are going to be the
most numerous, capricious, lazy and hardest to teach. <G>?? I have no
idea HOW you filter a typo from a genuine problem, but I can assure
you that when I start getting 300 hits from one ISP each day, I KNOW
that's not typos.


But it *might* be something totally harmless, which is a
reaction to something which you are doing. As an example, I got a call
(about a year and a half ago) from a new firewall user who was asking
why I was *attacking* his system. After some discussion, it turned out
to be that he was seeing my web server asking to set cookies. It is an
old version of Apache. I never asked it to ask for cookies, and I can't
find a place to turn them off. My web server does nothing *with* the
cookies. It displays no problems if you turn off cookies. But he was
seeing the requests in his firewall software (Zonealarm, IIRC), and it
wasn't bothering to say what the connection attempts were, just
reporting them to him for him to allow or deny.

If it is an ICMP connection -- that is a "ping", used to see
whether a system is there or not. Some web servers use them to verify
that a connecting system is still there. It also *could* be someone
looking for systems to infect. You just don't know. You have to learn
what to look for. Or -- use an OS which is not the common (and easy)
target of every wannabe-cracker. If that monolithic market of
Microsoft's were broken up into lots of smaller markets, each with its
own OS, there would not be the giant target sitting out there, and a
successful exploit would only hit a small percentage of the machines,
and not have the impact that it does with Windows.

And the *latest* Windows worm doesn't even require someone to
receive e-mail -- just to be connected to the Internet with a system
lacking the necessary patches.

Once -- computers at home were quite rare, and everyone who had
one *knew* them deeply. They weren't appliances which you could just
plug in and turn on. The Commodore PET and the Apple-II changed all of
that, and then IBM weighed in with the PC, which was the start of the
Microsoft monolith. Before that, Microsoft was one of the many writers
of BASIC interpreters for home computers, with something vaguely
resembling an OS wrapped into the BASIC. No separate editors, just the
ability to load programs and save programs from/to punched tape, then
audio cassette tapes, and later floppy discs.

Note that I have been mostly focusing on only one of the
multiple problems -- the spam e-mail -- because that is the one which I
*see*. I don't see the virii -- at the expense of refusing anything
large enough to be a virus, which also means most images. The usenet
virii are (mostly) filtered out before they get to me, somewhere
upstream, not by me. (The spams are still there, of course.)

The Met Bureau is LOVE!


You've gotten your bite on this one -- isn't it time to change?

Enjoy,
DoN.

--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. |
http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
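The two practical points in the post above, that only the Received line your *own* mail server wrote tells you who really connected, and that a connecting IP is worth rejecting when a private blocklist or enough independent blocklists agree on it, as an added worked example. This is not code from DoN.'s post or from any tool mentioned in it. The server name mx.example.net, the DNSBL zone names, the 192.0.2.0/24 private-blocklist entry and the sample message are all constructed for illustration.

```python
"""Added example: which Received header to trust, then score the connecting
IP against a private blocklist plus several DNS-based blocklists (DNSBLs).

Only the Received line stamped by our own server (assumed to be
mx.example.net) is trustworthy: every line below it arrived as message
data from the connecting host and may be forged to blame someone else.
"""
import ipaddress
import re
import socket
from email import message_from_string

OUR_MX = "mx.example.net"                       # assumption: our server's "by" name
DNSBL_ZONES = ["bl1.example.org", "bl2.example.org", "bl3.example.org"]  # placeholders
PRIVATE_BLOCKLIST = {ipaddress.ip_network("192.0.2.0/24")}               # constructed

# Constructed sample, not a real message.  The first Received line was added
# by our MX; the second was supplied by the connecting dial-up box and claims
# a respectable origin that we have no way to verify.
SAMPLE = """\
Received: from dsl-7.isp.example (dsl-7.isp.example [203.0.113.7])
    by mx.example.net (Postfix) with SMTP id 4ABC123
    for <user@example.net>; Sun,  2 May 2004 11:10:12 -0400
Received: from mail.bigbank.example (mail.bigbank.example [198.51.100.5])
    by dsl-7.isp.example with ESMTP id 99; Sun, 2 May 2004 10:00:00 -0400
From: security@bigbank.example
To: user@example.net
Subject: Account verification

Click here.
"""

# "from <helo> (<rdns> [<ip>]) by <host> ..." as written by Postfix/Sendmail.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)


def parse_received(raw):
    """Return [(from_ip, by_host), ...] in header order; index 0 is the most
    recent hop, i.e. the line our own server prepended."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        m = _RECEIVED_RE.match(flat)
        if not m:
            continue
        ipm = re.search(r"\[([0-9a-fA-F.:]+)\]", m.group("comment") or "")
        hops.append((ipm.group(1) if ipm else None, m.group("by").lower()))
    return hops


def connecting_ip(raw, our_host=OUR_MX):
    """The IP that actually opened the SMTP connection to us: the 'from [ip]'
    of the topmost line written *by our host*.  Lower lines are ignored."""
    for from_ip, by_host in parse_received(raw):
        if by_host == our_host.lower() and from_ip:
            return from_ip
    return None          # our server never stamped it: trust no hop at all


def dnsbl_name(ip, zone):
    """DNSBL query name: reverse the octets, e.g. 203.0.113.7 -> 7.113.0.203.zone
    (nibble-reversed for IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(addr.exploded.split("."))) + "." + zone
    return ".".join(reversed(addr.exploded.replace(":", ""))) + "." + zone


def _dns_listed(name):
    """Live lookup: an A answer means listed, NXDOMAIN means not listed."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def listing_count(ip, zones=DNSBL_ZONES, listed=_dns_listed):
    """How many of the zones list this IP.  `listed` is injectable so the
    logic can be exercised without network access."""
    return sum(1 for zone in zones if listed(dnsbl_name(ip, zone)))


def decide(ip, hits, private=PRIVATE_BLOCKLIST, threshold=2):
    """Private blocklist wins outright; public lists only reject when several
    agree, which limits the collateral damage of any one list's mistakes."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in private):
        return "reject: private blocklist"
    if hits >= threshold:
        return f"reject: on {hits} blocklists"
    return "accept"


if __name__ == "__main__":
    ip = connecting_ip(SAMPLE)
    print("really connected from:", ip)
    print("forged-looking lower hop:", parse_received(SAMPLE)[1])
    print(decide(ip, listing_count(ip)))       # does live DNS with the placeholders
```

The live lookup treats any A answer as "listed"; real zones encode the reason in the returned 127.0.0.x address, and a production filter would look at that code rather than at mere existence. The threshold in `decide` is the knob for the trade-off the post describes: a single public list will occasionally take out mail you want, so one list alone only raises the score.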