Bot Infestations Reach Nearly 1.2M
mengel writes "According to the folks at SecurityFocus the number of bot-infested systems has surged to nearly 1.2 million. This after a big drop in December when lots of people replaced/upgraded systems. Time to upgrade your spam filtering software, the onslaught is coming."
Re:An easy fix (Score:3, Informative)
Also, close the damn mail ports off. If a customer wants to host their own email server at home, fine...but make them call in and request that the port be opened. And make it clear that if their machine gets owned, they get cut off and fined before access will be reconnected.
Currently, most ISPs are not monitoring what you send out on port 25. They have no technical means to do so, and acquiring that ability would be prohibitively expensive. ISPs can monitor what you send out through their SMTP relay server (most don't analyze the patterns proactively, but they can review the logs when they get a complaint) but generally botnets don't relay through the ISP's server.
But you're absolutely right about ISPs blocking outgoing access on port 25, unless a customer requests it to be open. The difficulty here is that most customers have dynamic IP addresses, and dynamically updating a firewall to allow access to port 25 from some customers and not others is non-trivial. My recommendation would be, block access to port 25 for all customers on dynamic IPs, and by default for all static IPs, but let customers with static IPs request for access to be allowed. Users running their own Linux boxes can configure their MTA to forward everything to the ISP's relay server. Everyone who needs to relay through a corporate mail server can use port 587.
So what's the problem with port 587? Not everyone has their mail server configured to allow it. But if ISPs start blocking port 25 and telling their customers to switch to 587 instead, I think more mail servers (that have users who need to relay from home) will start enabling port 587.
So how does switching to port 587 help? Won't the spammers just switch to that too? At first, yes, but here's the difference: MTAs can be configured not to allow any connections to port 587 without authentication and encryption. A bot can't just pick your domain name out of a hat, look up your MX, connect to port 587, and start sending crap, if the MTA is configured to require authentication. Port 25 can't require authentication, but if bots can't connect to port 25 because it's firewalled on their end, then we're making some progress.
This is not a change that should be made overnight; it will cause problems for a small handful of users. ISPs need to plan for this, set a date several months in advance, notify their customers of the plan and what they can do if they will be affected, and ideally coordinate with other ISPs so a whole bunch of ISPs all start blocking port 25 at the same time.
It'll never work, of course.
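The argument in the reply above rests on one asymmetry: an MX on port 25 has to accept mail from strangers, while a submission service on port 587 can refuse to do anything until the client has done STARTTLS and authenticated. The toy policy model below makes that concrete. It is an added example, not code from the thread or from any real MTA: TLS is simulated by a flag, AUTH PLAIN is checked against a constructed in-memory user table, and the host names, addresses and credentials are made up. The same bot script is driven against a port-25 policy and a port-587 policy so you can see exactly where the submission port cuts it off.

```python
"""Toy SMTP command-acceptance model: port 25 (MX) versus port 587 (submission).

Added example, not from the original thread.  Only the policy logic is modelled:
STARTTLS is a simulated flag, AUTH PLAIN is checked against a constructed
in-memory table (assumption), and reply codes follow RFC 5321 / RFC 4954 style.
"""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class SmtpPolicy:
    require_tls: bool    # refuse AUTH until STARTTLS has completed
    require_auth: bool   # refuse MAIL FROM until the client has authenticated


# An MX on port 25 must accept unauthenticated mail from anyone or it cannot
# receive mail at all.  A submission service on 587 has no such constraint.
PORT25_MX = SmtpPolicy(require_tls=False, require_auth=False)
PORT587_SUBMISSION = SmtpPolicy(require_tls=True, require_auth=True)

# Constructed credential store (assumption; a real server uses SASL/PAM/LDAP).
USERS = {"alice": "correct horse battery staple"}


class SmtpSession:
    """One client connection: handle() takes a command line and returns the reply."""

    def __init__(self, policy: SmtpPolicy):
        self.policy = policy
        self.greeted = False
        self.tls = False
        self.authed = False
        self.mail_from = None
        self.rcpts = []

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.greeted = True
            return "250 mx.example.net"
        if not self.greeted:
            return "503 5.5.1 Send EHLO first"
        if verb == "STARTTLS":
            if self.tls:
                return "503 5.5.1 TLS already active"
            self.tls = True  # simulated handshake
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            # This is the check a bot cannot get past on the submission port.
            if self.policy.require_auth and not self.authed:
                return "530 5.7.0 Authentication required"
            self.mail_from = arg
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            self.rcpts.append(arg)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT command"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "502 5.5.2 Command not implemented"

    def _auth(self, arg: str) -> str:
        if self.policy.require_tls and not self.tls:
            return "530 5.7.0 Must issue a STARTTLS command first"  # no cleartext creds
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:  # AUTH PLAIN initial response is base64("\0authzid\0authcid\0passwd")
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:
            return "501 5.5.2 Cannot decode response"
        if USERS.get(user) != password:
            return "535 5.7.8 Authentication credentials invalid"
        self.authed = True
        return "235 2.7.0 Authentication successful"


def auth_plain(user: str, password: str) -> str:
    """Build an AUTH PLAIN command line with an empty authorization identity."""
    return "AUTH PLAIN " + base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def drive(policy: SmtpPolicy, script) -> list:
    """Run a scripted client against a fresh session; return the numeric reply codes."""
    session = SmtpSession(policy)
    return [int(session.handle(cmd)[:3]) for cmd in script]


# A bot only knows the victim's MX name and just starts sending (constructed).
BOT_SCRIPT = ["EHLO zombie.dsl.example", "MAIL FROM:<spam@example.org>",
              "RCPT TO:<victim@example.net>", "DATA"]

# A legitimate roaming user on the same kind of home connection (constructed).
USER_SCRIPT = ["EHLO laptop.example", "STARTTLS",
               auth_plain("alice", "correct horse battery staple"),
               "MAIL FROM:<alice@example.net>", "RCPT TO:<victim@example.net>", "DATA"]

if __name__ == "__main__":
    print("bot  -> 25 :", drive(PORT25_MX, BOT_SCRIPT))            # [250, 250, 250, 354]
    print("bot  -> 587:", drive(PORT587_SUBMISSION, BOT_SCRIPT))   # [250, 530, 503, 503]
    print("user -> 587:", drive(PORT587_SUBMISSION, USER_SCRIPT))  # [250, 220, 235, 250, 250, 354]
```

The real-world equivalent of `PORT587_SUBMISSION` in Postfix is the `submission` stanza in master.cf with `-o smtpd_tls_security_level=encrypt`, `-o smtpd_sasl_auth_enable=yes` and `-o smtpd_client_restrictions=permit_sasl_authenticated,reject`; the model above is a simplification of that policy, not a substitute for it. The other half of the reply's proposal, the ISP dropping outbound TCP/25 from dynamic pools, is what stops the same bot from simply talking to the victim's port 25 instead.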
Re:How's Vista doing on this? (Score:2, Informative)
BAAAAAAAAAAAAAAAAAAAAAAAAAAAHAHAHAHAHAHAHAAAAAAAA
Seriously, though, China remains a huge source of spam. Some may be zombies, I'm sure, but commercial spammers in China, operating on IPs with no forward or reverse DNS are very common. They've cracked down on bullet-proof hosting like they've cracked down on pirate DVDs: not really at all, just a little window dressing.
Re:OK: (Score:2, Informative)
http://lwn.net/Articles/222153/
http://blogs.securiteam.com/index.php/archives/81
http://www.networkworld.com/community/?q=www.deb.