Old Nick

Firewalls and reporting

On 4 May 2004 00:15:41 -0400, (DoN. Nichols)
vaguely proposed a theory
.......and in reply I say!:
remove ns from my header address to reply via email

OK. Don, you have been great, even though the flavour of what you say
does not always suit <G>.

I will post my view. I am doing that to many others as well. I can
see from what you write that you take a lot more care than most to
protect your system.

There is one irony in all of this; I get hardly ANY spam on email. I
never have had much. My crusade started only because of the newsgroup
filthy posts, with virii attached. I also noticed the huge no. of pings
when I put in a firewall, which I installed because I saw a lot of
"extraneous activity" on the modem activity monitor.

But virtually no spam, as such.

You (and your wife):

- are far more involved than I am in this, and for a longer time
- and are therefore way up the tree in knowledge
- have a setup that is not just me using my PC to access the
W....Net (?)
- btw nobody has actually picked me up on that yet. I have had a
lot of nitpicking, _from people who have not bothered to provide as
much info_ I might add. But not that one.
- have a lot more incentive to work at this. You are running an
eservice of some sort, and all I have is my ****ty liver and
crusader's heart. <G>

> Yes -- but that is the only way that *works* to any extent. In
> terms of e-mail spam, the most careful and detailed reporting will get
> good responses from *some* ISPs, (those with a good record of coming
> down hard on spammers).


I have had a good response from my ISP. But as I said, they actually
recommended MNWM to me. Not to fob me off, I believe; they still asked
me to report if I felt like it.

> My wife spends hours each day tracking down the source of spam,
> and reporting it.


Not so easy if that is not a major occupation/job, which it does seem
to be in your situation.


> From a very few sites, she gets back reports that they have
> killed the spammer's account.


> From a lot of others, there is only a
> robo-response "We have received your report and are acting on it". No
> more information ever heard. (And often the spammers just keep sending
> from that source.)


I have had _robo-responses_ saying they have taken action, by shutting
down, and _still_ had more results. :-

> Most people (including you) are dependent on their ISP's mail
> server, so this is not an option to them.


Yes. Precisely.

> We *could* subscribe to one of the blocklists, which would take
> out a small fraction of the spam, but it sometimes will take out things
> which I *want* to get, too.


Ironically, there are both users and ISPs bashing SpamCop, because it's
"too aggressive". SpamCop have retorted that they are not more
aggressive than they have ever been. It's just that the crap is
deeper.

> One solution is reporting the relevant information in
> news.admin.net-abuse.email and news.admin.net-abuse.sightings, and some
> of the big blocklists monitor that and will add well-researched reports
> to their list. Some of my wife's reports have shown up in the evidence
> files offered by some of the big blocklists.


I am having enough trouble dealing with the picky, snotty forums at a
couple of the reporting sites. When I saw the results at those abuse
forums, I ran away fast. Sorry.

The problems I am having seem to centre around the idea that they are
doing a good thing, so get on with it and stop asking questions. The
abuse places were just childish and rude, in the first whole page I
looked at. I know that in your opinion that is silly of me, but
perhaps the place itself needs monitoring and cleaning up....I know I
know. It would be a never ending task, I suppose. But that's the nett
result. I ran away.

> And the "reward" for that is to be put on some spammer's
> sh*t-list so they forge a big run of spam to appear to come from *our*
> domain. And -- for a week, we are pretty much out of communications
> with the world.


Ok. Nuff sed.


>> I have even tried tracing stuff back, and usually end up at IANA (I
>> am no expert in this) who immediately have a huge statement saying
>> "It's not us!"


> Almost any one will say that -- even (or especially) if it is
> them. The abuse people at many ISPs are totally clueless, and you have
> to explain the evidence to them step by step.


I got the impression that IANA is not an ISP as such, but a sort of
recorder? See? I have no idea.

> And Heaven help you if
> you get it wrong, as they will never forget that.


This was the trouble I was getting trying to report stuff on a couple
of the forums provided by spam and malware stoppers.

>> If MNWM and others like it are a waste of time, it looks pretty grim
>> from "my" side. I was hoping that there were orgs that had people far
>> more skilled than I am at tracing and understanding the web.


> First off -- calling it "the web" displays some of the
> ignorance.


Which, if the problem is to be solved, has to be ignored.

> The web is only one of the many services using the Internet
> (with a capital 'I'), not to be confused with *an* internet, which can
> be local only, or interconnected to be a part of *the* Internet.
>
> Calling the whole thing "the web" is going to get as much
> respect as calling Science Fiction "Sci-Fi" at a Science Fiction
> Con(vention). If you have to be short, call it "S.F." "Sci-Fi" is used
> by media people who know nothing about what they are reporting on, and
> it quickly becomes obvious.


The problem has to be dealt with in both directions. Sorry, but if
somebody has a problem with my terminology, and will let that affect
their treatment not of me, but my complaint, then there is a problem.

This is what has been happening to me on some of the forums I visited.
Every question I asked, or suggestion I made, ended up in circles of
belittling correction and perfection which met the inevitable
fundamental end. I am not the most subservient and docile of people,
but in order to succeed "against" these people, I would have needed to
to be a complete worm, with many hours to spend learning what they
knew, their way, or get no answers.

> Most of the abuse desks are manned by people who are given the
> job as a punishment. And most are not given the resources to do the job
> right.
>
> My ISP had a very good abuse desk, and I have gotten entire
> subnets shut down while they were cleaned because they were provably
> attacking me with the CodeRed worm. (And not getting anywhere, because
> there were no Windows boxen on my part of the net.) And I fear that my
> ISP is not going to be that good in the future. They have just been
> merged with a larger ISP whose abuse record is not nearly as good -- and
> their top abuse man has just left.
>
> So -- I remain having to make sure that my own defenses are
> good. And I *know* how to do that with unix flavors. There is so much
> hidden in Windows that I *know* that I am bound to miss a lot, so I just
> don't let them anywhere near the outside net.

>> While I
>> am willing to put in a lot of effort, I was fully aware of my
>> ignorance of the finer points, or anything like them.
>>
>> Interestingly, my ISP, with whom I had developed quite a good rapport,
>> have said "Go ahead and USE MNWM, and we will get the reports
>> gladly". They recommend them.

>> I wouldn't bother
>> with them. As one of those on the "source ISP" end of things, we get notices
>> from them often and they are useless. They report that someone with foo
>> address tried to make a connection to baz address on this date. There isn't
>> enough information in the reports to determine what was happening and why,
>> so it gets ignored. Requests for more information from MyNetWatchman were
>> also never answered.


hmmmm. That is a problem. From my side, when I tried to send the full,
unparsed firewall report, I was told it was "not in the right format
for auto investigation" and I was ignored. Both my ISP and their
backbone recommended that I use MNWM, or DSHIELD.


> The worst ISPs are the ones with gazillions (highly technical
> meaningless number) of DSL accounts, or dialups, or cable accounts, with
> a Windows box plopped on almost all of the connections, with totally
> clueless people "running" them (e.g. turning them on and off, and
> calling for help (maybe) if they happen to notice something wrong.)
>
> Since these have gazillions of abuse reports flooding in, and
> (at best) one or two people to deal with them, anything which requires
> thought gets ignored. The same with anything which requires work.
>
> One of the major ones has been getting SMTP (mail) connections
> refused by an increasingly large number of other systems, simply because
> they never do anything about their infected users. Their response to
> the increasing blocking? Get new IP blocks allocated, because they are
> "running out". Of course, those blocks get blocked as well. I am set
> up so that one can only get e-mail to me from their *known* mail
> servers. (Spammers normally bypass the mail servers, so people can't
> see what is happening and stop it.) One exception was a recent virus,
> which actually relayed through the ISP's mail server, and as a result, I
> continually get a few "neutered" virii per day or per week, evidence
> that *some* ISPs filter virii passing through their mail servers.
>
> The *proper* solution is to turn off the routing of the SMTP
> port (port 25) to and from those systems en masse, and only turn them on
> for those who have demonstrated a need, and the competence to secure
> their private mail servers against relaying. The normal user would
> never even notice this, because the normal user uses POP to forward
> e-mail to the ISP's server, and that takes care of sending things on.
> The same for incoming e-mail.


>> MyNetWatchman doesn't seem to have any standards for how the firewalls it
>> allows to report problems are configured. People just put them into ultra
>> paranoid/delusional mode and report away. In this situation, a single
>> mistyped address results in a flurry of reports back to the source ISP. I
>> doubt any ISP takes these guys seriously.
>>
>> I wouldn't waste my money on them.


I haven't. They are free. <G>. I admit they ask for donations.

OK. What they do provide is a feeling that _somebody_ is doing
something. I can assure you that it's easy to NOT feel that, as a Net
user.


> Apply pressure to your ISP to act strongly and quickly against
> infected systems hosted on their own net. Hope that everybody else does
> the same. And protect yourself, since, even with the best will, they
> can't do it perfectly. There is always a lag between the time a system
> gets infected and starts sending out junk of whatever sort and when
> the reports get to the ISP, so they *can* (if they will bother) shut it
> down.

Your reply to Bruce, laying out actions you are taking, is
interesting. Perhaps more of that needs to be said publicly? But then
of course if there is not an instant improvement, people will say
"Yeah Yeah".


> This is the sort of thing discussed in
> news.admin.net-abuse.email, to which I pointed you before. (Yes, there
> is other stuff going on there, as it is a target because of its
> anti-spam stance.) But it is where things are discussed. The really
> serious ones get onto private mailing lists to continue discussions
> without (hopefully) giving away what is being done to the spammers and
> the virus-writers.

But at the moment the feeling that ISPs need a kick in the butt is
easy to build, justified or not, because there is a feeling of no
reaction at all, either to private attempts, or to reporting sites
like MNWM.


> Your job -- drain the swamp by yourself. Oh yes, note that the
> swamp is about 25% alligators (or crocodiles for your area). How much
> progress do you think you would make?
>
> If everyone were willing to pay more for an ISP who maintains a
> properly-staffed abuse desk, and who will stand behind such an abuse
> person, when said abuse person terminates a lucrative account, then
> *maybe* things would get better. As long as everyone is after the
> cheapest net service that they can get, they get what they asked for.

As a user, who wants to protect themselves, I have _absolutely_ no
idea, if I get a hit (and I have my firewall set to medium in most
cases) what damage it does, and do not have the time or the interest
to understand it all. I do have to admit that I have only had
firewalls for maybe a month, and before that I had noticed constant
activity, in little bits, on my Net activity monitor. Nothing much
ever happened. I would run a malware checker over the machine every
day, and pick up a few funnies and kill them. But of course I had no
idea what they had done in the meantime. One of them did bite, and it
was a right royal PITA.

If the info you get is useless or questionable, then maybe it's
because there is not enough communication between firewall makers,
MNWM and you guys?


> A lot of the information isn't available *from* even the best
> firewall. It has to be dug out of the headers (in e-mail spam), and dug
> out of the encrypted URLs in the spams. It is *work*. (There are
> web-based tools to help with a lot of this -- which you will find
> discussed on news.admin.net-abuse.email.)


But then why are the ISPs not using these? Or why is MNWM (good
responses from them) not using them, or SpamCop (arrogant and
nitpicking)? My point is that if you get 1000 users all trying to get
it right, they won't, and they will use 2000 times as much time as one
knowledgeable person would.

> But it *might* be something totally harmless, which is a
> reaction to something which you are doing.


Well, what I am getting is hundreds of pings, apparently from about 30
different dial-up addresses, all from the same ISP. It seemed a bit
strange.

> And the *latest* Windows worm doesn't even require someone to
> receive e-mail -- just to be connected to the Internet with a system
> lacking the necessary patches.


Which is why people set up firewalls in paranoid mode....

> Note that I have been mostly focusing on only one of the
> multiple problems -- the spam e-mail -- because that is the one which I
> *see*. I don't see the virii -- at the expense of refusing anything
> large enough to be a virus, which also means most images. The Usenet
> virii are (mostly) filtered out before they get to me, somewhere
> upstream, not by me. (The spams are still there, of course.)


Well I just had a response from Ad-Aware (more self-righteousness and
fundamental circling), after about 15 emails, saying that since the
attachment that I had submitted was a virus, they were not interested.
Buy a virus checker. Just like that. Duck-shove.

I have pointed out that
- since the attachment, when operational, kept phoning out of my
system, it was behaving suspiciously like malware as well
- maybe they needed to get real and start looking at the broader
field.
I do not even expect a reply. IMO, Ad-Aware picks up a lot of stuff
that is not at all important and may be ignoring real problems, for
all that it's the #1 with many people.


>> The Met Bureau is LOVE!


> You've gotten your bite on this one -- isn't it time to change?


Fooh. Somebody is really _reading_ this stuff! <G> Well, there was
another one....Met Bureau: Love. weather: game set and match!
*******************************************************
Sometimes in a workplace you find snot on the wall of
the toilet cubicles. You feel "What sort of twisted
child would do this?"....the internet seems full of
them. It's very sad
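Don's point that the source of a spam "has to be dug out of the headers", and his warning that spammers forge runs of mail to appear to come from someone else's domain, are illustrated by the added example below. It is not code from the thread: it walks the Received chain of a constructed sample message from the top (our own relays, which we trust) down to the first hop handed in from outside, and deliberately ignores everything below that boundary, because those headers were written by the sender. The relay names and addresses are made up for the example.

```python
import re
from email import message_from_string

# Constructed sample spam, not a real message. The bottom Received line
# and the From: address are the part the sender controls and has forged
# to point at an innocent third party.
SAMPLE_SPAM = """Received: from mx1.myisp.example (mx1.myisp.example [198.51.100.10])
\tby pop.myisp.example with ESMTP id abc123; Tue, 4 May 2004 00:15:41 -0400
Received: from dialup-77.source-isp.example (dialup-77.source-isp.example [203.0.113.77])
\tby mx1.myisp.example with SMTP id def456; Tue, 4 May 2004 00:15:39 -0400
Received: from mail.trusted-bank.example ([192.0.2.5])
\tby dialup-77.source-isp.example; Tue, 4 May 2004 00:14:00 -0400
From: "Account Services" <alerts@trusted-bank.example>
To: victim@myisp.example
Subject: Verify your account

Click here.
"""

# Hosts whose Received lines we believe: our own ISP's relays (assumed names).
TRUSTED_RELAYS = {"198.51.100.10", "pop.myisp.example", "mx1.myisp.example"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
BY_RE = re.compile(r"\bby\s+([\w.\-]+)", re.I)          # the host that added the line


def received_hops(raw):
    """Return [(from_ip, by_host), ...] in header order, newest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())            # unfold continuation lines
        ip = IP_RE.search(hdr)
        by = BY_RE.search(hdr)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops


def handoff_ip(raw, trusted=TRUSTED_RELAYS):
    """IP of the first external host that handed the mail to a relay we trust.

    Only lines added by trusted relays are reliable. The first one whose
    'from' address is outside the trusted set is the real handoff point;
    anything further down may be forged, so it is never reported."""
    for ip, by in received_hops(raw):
        if by in trusted and ip is not None and ip not in trusted:
            return ip
    return None
```

Reading the chain from the bottom instead would report 192.0.2.5, the forged bank, which is exactly the "get it wrong and they will never forget it" outcome the thread describes.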